1. Add license for python file 2. Update the policy for all services Change-Id: I4bc6a68874afe1cc51da1a24d278165356d5dec3
# Copyright 2022 99cloud
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# flake8: noqa
|
|
# fmt: off
|
|
|
|
from . import base
|
|
|
|
list_rules = (
|
|
base.Rule(
|
|
name="admin_or_owner",
|
|
check_str=("is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"),
|
|
description="DEPRECATED: This rule will be removed in the Yoga release. Default rule for most non-Admin APIs.",
|
|
),
|
|
base.Rule(
|
|
name="system_or_domain_or_project_admin",
|
|
check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)"),
|
|
description="DEPRECATED: This rule will be removed in the Yoga release. Default rule for admins of cloud, domain or a project.",
|
|
),
|
|
base.Rule(
|
|
name="context_is_admin",
|
|
check_str=("role:admin"),
|
|
description="Decides what is required for the 'is_admin:True' check to succeed.",
|
|
),
|
|
base.Rule(
|
|
name="admin_api",
|
|
check_str=("is_admin:True or (role:admin and is_admin_project:True)"),
|
|
description="Default rule for most Admin APIs.",
|
|
),
|
|
base.Rule(
|
|
name="xena_system_admin_or_project_reader",
|
|
check_str=("(role:admin) or (role:reader and project_id:%(project_id)s)"),
|
|
description="NOTE: this purely role-based rule recognizes only project scope",
|
|
),
|
|
base.Rule(
|
|
name="xena_system_admin_or_project_member",
|
|
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
|
|
description="NOTE: this purely role-based rule recognizes only project scope",
|
|
),
|
|
base.Rule(
|
|
name="volume_extension:volume_type_encryption",
|
|
check_str=("rule:admin_api"),
|
|
description="DEPRECATED: This rule will be removed in the Yoga release.",
|
|
),
|
|
base.APIRule(
|
|
name="volume:attachment_create",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Create attachment.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/attachments"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:attachment_update",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Update attachment.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/attachments/{attachment_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:attachment_delete",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Delete attachment.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/attachments/{attachment_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:attachment_complete",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Mark a volume attachment process as completed (in-use)",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/attachments/{attachment_id}/action (os-complete)"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:multiattach_bootable_volume",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Allow multiattach of bootable volumes.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/attachments"}],
|
|
),
|
|
base.APIRule(
|
|
name="message:get_all",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="List messages.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/messages"}],
|
|
),
|
|
base.APIRule(
|
|
name="message:get",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="Show message.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/messages/{message_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="message:delete",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Delete message.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/messages/{message_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="clusters:get_all",
|
|
check_str=("rule:admin_api"),
|
|
description="List clusters.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/clusters"}, {"method": "GET", "path": "/clusters/detail"}],
|
|
),
|
|
base.APIRule(
|
|
name="clusters:get",
|
|
check_str=("rule:admin_api"),
|
|
description="Show cluster.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/clusters/{cluster_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="clusters:update",
|
|
check_str=("rule:admin_api"),
|
|
description="Update cluster.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/clusters/{cluster_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="workers:cleanup",
|
|
check_str=("rule:admin_api"),
|
|
description="Clean up workers.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/workers/cleanup"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:get_snapshot_metadata",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="Show snapshot's metadata or one specified metadata with a given key.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}/metadata"}, {"method": "GET", "path": "/snapshots/{snapshot_id}/metadata/{key}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:update_snapshot_metadata",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Update snapshot's metadata or one specified metadata with a given key.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/metadata"}, {"method": "PUT", "path": "/snapshots/{snapshot_id}/metadata/{key}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:delete_snapshot_metadata",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Delete snapshot's specified metadata with a given key.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/snapshots/{snapshot_id}/metadata/{key}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:get_all_snapshots",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="List snapshots.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/snapshots"}, {"method": "GET", "path": "/snapshots/detail"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:extended_snapshot_attributes",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="List or show snapshots with extended attributes.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}"}, {"method": "GET", "path": "/snapshots/detail"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:create_snapshot",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Create snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/snapshots"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:get_snapshot",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="Show snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:update_snapshot",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Update snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/snapshots/{snapshot_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:delete_snapshot",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Delete snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/snapshots/{snapshot_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:snapshot_admin_actions:reset_status",
|
|
check_str=("rule:admin_api"),
|
|
description="Reset status of a snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-reset_status)"}],
|
|
),
|
|
base.APIRule(
|
|
name="snapshot_extension:snapshot_actions:update_snapshot_status",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Update database fields of snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action (update_snapshot_status)"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:snapshot_admin_actions:force_delete",
|
|
check_str=("rule:admin_api"),
|
|
description="Force delete a snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-force_delete)"}],
|
|
),
|
|
base.APIRule(
|
|
name="snapshot_extension:list_manageable",
|
|
check_str=("rule:admin_api"),
|
|
description="List (in detail) of snapshots which are available to manage.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/manageable_snapshots"}, {"method": "GET", "path": "/manageable_snapshots/detail"}],
|
|
),
|
|
base.APIRule(
|
|
name="snapshot_extension:snapshot_manage",
|
|
check_str=("rule:admin_api"),
|
|
description="Manage an existing snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/manageable_snapshots"}],
|
|
),
|
|
base.APIRule(
|
|
name="snapshot_extension:snapshot_unmanage",
|
|
check_str=("rule:admin_api"),
|
|
description="Stop managing a snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-unmanage)"}],
|
|
),
|
|
base.APIRule(
|
|
name="backup:get_all",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="List backups.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/backups"}, {"method": "GET", "path": "/backups/detail"}],
|
|
),
|
|
base.APIRule(
|
|
name="backup:backup_project_attribute",
|
|
check_str=("rule:admin_api"),
|
|
description="List backups or show backup with project attributes.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/backups/{backup_id}"}, {"method": "GET", "path": "/backups/detail"}],
|
|
),
|
|
base.APIRule(
|
|
name="backup:create",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Create backup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/backups"}],
|
|
),
|
|
base.APIRule(
|
|
name="backup:get",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="Show backup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/backups/{backup_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="backup:update",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Update backup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/backups/{backup_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="backup:delete",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Delete backup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/backups/{backup_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="backup:restore",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Restore backup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/backups/{backup_id}/restore"}],
|
|
),
|
|
base.APIRule(
|
|
name="backup:backup-import",
|
|
check_str=("rule:admin_api"),
|
|
description="Import backup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/backups/{backup_id}/import_record"}],
|
|
),
|
|
base.APIRule(
|
|
name="backup:export-import",
|
|
check_str=("rule:admin_api"),
|
|
description="Export backup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/backups/{backup_id}/export_record"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:backup_admin_actions:reset_status",
|
|
check_str=("rule:admin_api"),
|
|
description="Reset status of a backup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/backups/{backup_id}/action (os-reset_status)"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:backup_admin_actions:force_delete",
|
|
check_str=("rule:admin_api"),
|
|
description="Force delete a backup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/backups/{backup_id}/action (os-force_delete)"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:get_all",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="List groups.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/groups"}, {"method": "GET", "path": "/groups/detail"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:create",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Create group.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/groups"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:get",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="Show group.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/groups/{group_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:update",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Update group.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/groups/{group_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:group_project_attribute",
|
|
check_str=("rule:admin_api"),
|
|
description="List groups or show group with project attributes.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/groups/{group_id}"}, {"method": "GET", "path": "/groups/detail"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:group_types:create",
|
|
check_str=("rule:admin_api"),
|
|
description="Create a group type.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/group_types/"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:group_types:update",
|
|
check_str=("rule:admin_api"),
|
|
description="Update a group type.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/group_types/{group_type_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:group_types:delete",
|
|
check_str=("rule:admin_api"),
|
|
description="Delete a group type.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/group_types/{group_type_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:access_group_types_specs",
|
|
check_str=("rule:admin_api"),
|
|
description="Show group type with type specs attributes.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/group_types/{group_type_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:group_types_specs:get",
|
|
check_str=("rule:admin_api"),
|
|
description="Show a group type spec.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/group_types/{group_type_id}/group_specs/{g_spec_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:group_types_specs:get_all",
|
|
check_str=("rule:admin_api"),
|
|
description="List group type specs.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/group_types/{group_type_id}/group_specs"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:group_types_specs:create",
|
|
check_str=("rule:admin_api"),
|
|
description="Create a group type spec.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/group_types/{group_type_id}/group_specs"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:group_types_specs:update",
|
|
check_str=("rule:admin_api"),
|
|
description="Update a group type spec.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/group_types/{group_type_id}/group_specs/{g_spec_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:group_types_specs:delete",
|
|
check_str=("rule:admin_api"),
|
|
description="Delete a group type spec.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/group_types/{group_type_id}/group_specs/{g_spec_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:get_all_group_snapshots",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="List group snapshots.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/group_snapshots"}, {"method": "GET", "path": "/group_snapshots/detail"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:create_group_snapshot",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Create group snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/group_snapshots"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:get_group_snapshot",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="Show group snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/group_snapshots/{group_snapshot_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:delete_group_snapshot",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Delete group snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/group_snapshots/{group_snapshot_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:update_group_snapshot",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Update group snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/group_snapshots/{group_snapshot_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:group_snapshot_project_attribute",
|
|
check_str=("rule:admin_api"),
|
|
description="List group snapshots or show group snapshot with project attributes.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/group_snapshots/{group_snapshot_id}"}, {"method": "GET", "path": "/group_snapshots/detail"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:reset_group_snapshot_status",
|
|
check_str=("rule:admin_api"),
|
|
description="Reset status of group snapshot.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/group_snapshots/{g_snapshot_id}/action (reset_status)"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:delete",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Delete group.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/groups/{group_id}/action (delete)"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:reset_status",
|
|
check_str=("rule:admin_api"),
|
|
description="Reset status of group.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/groups/{group_id}/action (reset_status)"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:enable_replication",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Enable replication.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/groups/{group_id}/action (enable_replication)"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:disable_replication",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Disable replication.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/groups/{group_id}/action (disable_replication)"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:failover_replication",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Fail over replication.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/groups/{group_id}/action (failover_replication)"}],
|
|
),
|
|
base.APIRule(
|
|
name="group:list_replication_targets",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="List failover replication.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/groups/{group_id}/action (list_replication_targets)"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:qos_specs_manage:get_all",
|
|
check_str=("rule:admin_api"),
|
|
description="List qos specs or list all associations.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/qos-specs"}, {"method": "GET", "path": "/qos-specs/{qos_id}/associations"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:qos_specs_manage:get",
|
|
check_str=("rule:admin_api"),
|
|
description="Show qos specs.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/qos-specs/{qos_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:qos_specs_manage:create",
|
|
check_str=("rule:admin_api"),
|
|
description="Create qos specs.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/qos-specs"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:qos_specs_manage:update",
|
|
check_str=("rule:admin_api"),
|
|
description="Update qos specs (including updating association).",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/qos-specs/{qos_id}"}, {"method": "GET", "path": "/qos-specs/{qos_id}/disassociate_all"}, {"method": "GET", "path": "/qos-specs/{qos_id}/associate"}, {"method": "GET", "path": "/qos-specs/{qos_id}/disassociate"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:qos_specs_manage:delete",
|
|
check_str=("rule:admin_api"),
|
|
description="delete qos specs or unset one specified qos key.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/qos-specs/{qos_id}"}, {"method": "PUT", "path": "/qos-specs/{qos_id}/delete_keys"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:quota_classes:get",
|
|
check_str=("rule:admin_api"),
|
|
description="Show project quota class.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/os-quota-class-sets/{project_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:quota_classes:update",
|
|
check_str=("rule:admin_api"),
|
|
description="Update project quota class.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/os-quota-class-sets/{project_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:quotas:show",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="Show project quota (including usage and default).",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/os-quota-sets/{project_id}"}, {"method": "GET", "path": "/os-quota-sets/{project_id}/default"}, {"method": "GET", "path": "/os-quota-sets/{project_id}?usage=True"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:quotas:update",
|
|
check_str=("rule:admin_api"),
|
|
description="Update project quota.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/os-quota-sets/{project_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:quotas:delete",
|
|
check_str=("rule:admin_api"),
|
|
description="Delete project quota.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/os-quota-sets/{project_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:capabilities",
|
|
check_str=("rule:admin_api"),
|
|
description="Show backend capabilities.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/capabilities/{host_name}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:services:index",
|
|
check_str=("rule:admin_api"),
|
|
description="List all services.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/os-services"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:services:update",
|
|
check_str=("rule:admin_api"),
|
|
description="Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/os-services/{action}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:freeze_host",
|
|
check_str=("rule:admin_api"),
|
|
description="Freeze a backend host.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/os-services/freeze"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:thaw_host",
|
|
check_str=("rule:admin_api"),
|
|
description="Thaw a backend host.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/os-services/thaw"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:failover_host",
|
|
check_str=("rule:admin_api"),
|
|
description="Failover a backend host.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/os-services/failover_host"}],
|
|
),
|
|
base.APIRule(
|
|
name="scheduler_extension:scheduler_stats:get_pools",
|
|
check_str=("rule:admin_api"),
|
|
description="List all backend pools.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/scheduler-stats/get_pools"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:hosts",
|
|
check_str=("rule:admin_api"),
|
|
description="List, update or show hosts for a project.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/os-hosts"}, {"method": "PUT", "path": "/os-hosts/{host_name}"}, {"method": "GET", "path": "/os-hosts/{host_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="limits_extension:used_limits",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="Show limits with used limit attributes.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/limits"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:list_manageable",
|
|
check_str=("rule:admin_api"),
|
|
description="List (in detail) of volumes which are available to manage.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/manageable_volumes"}, {"method": "GET", "path": "/manageable_volumes/detail"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:volume_manage",
|
|
check_str=("rule:admin_api"),
|
|
description="Manage existing volumes.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/manageable_volumes"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:volume_unmanage",
|
|
check_str=("rule:admin_api"),
|
|
description="Stop managing a volume.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-unmanage)"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:type_create",
|
|
check_str=("rule:admin_api"),
|
|
description="Create volume type.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/types"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:type_update",
|
|
check_str=("rule:admin_api"),
|
|
description="Update volume type.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/types"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:type_delete",
|
|
check_str=("rule:admin_api"),
|
|
description="Delete volume type.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/types"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:type_get",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="Get one specific volume type.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/types/{type_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:type_get_all",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="List volume types.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/types/"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:access_types_extra_specs",
|
|
check_str=("rule:xena_system_admin_or_project_reader"),
|
|
description="Include the volume type's extra_specs attribute in the volume type list or show requests. The ability to make these calls is governed by other policies.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/types/{type_id}"}, {"method": "GET", "path": "/types"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:access_types_qos_specs_id",
|
|
check_str=("rule:admin_api"),
|
|
description="Include the volume type's QoS specifications ID attribute in the volume type list or show requests. The ability to make these calls is governed by other policies.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/types/{type_id}"}, {"method": "GET", "path": "/types"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:volume_type_encryption:create",
|
|
check_str=("rule:admin_api"),
|
|
description="Create volume type encryption.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/types/{type_id}/encryption"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:volume_type_encryption:get",
|
|
check_str=("rule:admin_api"),
|
|
description="Show a volume type's encryption type, show an encryption specs item.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/types/{type_id}/encryption"}, {"method": "GET", "path": "/types/{type_id}/encryption/{key}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:volume_type_encryption:update",
|
|
check_str=("rule:admin_api"),
|
|
description="Update volume type encryption.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PUT", "path": "/types/{type_id}/encryption/{encryption_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:volume_type_encryption:delete",
|
|
check_str=("rule:admin_api"),
|
|
description="Delete volume type encryption.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/types/{type_id}/encryption/{encryption_id}"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:volume_type_access",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Adds the boolean field 'os-volume-type-access:is_public' to the responses for these API calls. The ability to make these calls is governed by other policies.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/types"}, {"method": "GET", "path": "/types/{type_id}"}, {"method": "POST", "path": "/types"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:volume_type_access:addProjectAccess",
|
|
check_str=("rule:admin_api"),
|
|
description="Add volume type access for project.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/types/{type_id}/action (addProjectAccess)"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:volume_type_access:removeProjectAccess",
|
|
check_str=("rule:admin_api"),
|
|
description="Remove volume type access for project.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/types/{type_id}/action (removeProjectAccess)"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume_extension:volume_type_access:get_all_for_type",
|
|
check_str=("rule:admin_api"),
|
|
description="List private volume type access detail, that is, list the projects that have access to this volume type.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/types/{type_id}/os-volume-type-access"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:extend",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Extend a volume.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-extend)"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:extend_attached_volume",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Extend a attached volume.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-extend)"}],
|
|
),
|
|
base.APIRule(
|
|
name="volume:revert_to_snapshot",
|
|
check_str=("rule:xena_system_admin_or_project_member"),
|
|
description="Revert a volume to a snapshot.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (revert)"}],
),
base.APIRule(
name="volume_extension:volume_admin_actions:reset_status",
check_str=("rule:admin_api"),
description="Reset status of a volume.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-reset_status)"}],
),
base.APIRule(
name="volume:retype",
check_str=("rule:xena_system_admin_or_project_member"),
description="Retype a volume.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-retype)"}],
),
base.APIRule(
name="volume:update_readonly_flag",
check_str=("rule:xena_system_admin_or_project_member"),
description="Update a volume's readonly flag.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-update_readonly_flag)"}],
),
base.APIRule(
name="volume_extension:volume_admin_actions:force_delete",
check_str=("rule:admin_api"),
description="Force delete a volume.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-force_delete)"}],
),
base.APIRule(
name="volume_extension:volume_actions:upload_public",
check_str=("rule:admin_api"),
description="Upload a volume to image with public visibility.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-volume_upload_image)"}],
),
base.APIRule(
name="volume_extension:volume_actions:upload_image",
check_str=("rule:xena_system_admin_or_project_member"),
description="Upload a volume to image.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-volume_upload_image)"}],
),
base.APIRule(
name="volume_extension:volume_admin_actions:force_detach",
check_str=("rule:admin_api"),
description="Force detach a volume.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-force_detach)"}],
),
base.APIRule(
name="volume_extension:volume_admin_actions:migrate_volume",
check_str=("rule:admin_api"),
description="migrate a volume to a specified host.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-migrate_volume)"}],
),
base.APIRule(
name="volume_extension:volume_admin_actions:migrate_volume_completion",
check_str=("rule:admin_api"),
description="Complete a volume migration.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-migrate_volume_completion)"}],
),
base.APIRule(
name="volume_extension:volume_actions:initialize_connection",
check_str=("rule:xena_system_admin_or_project_member"),
description="Initialize volume attachment.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-initialize_connection)"}],
),
base.APIRule(
name="volume_extension:volume_actions:terminate_connection",
check_str=("rule:xena_system_admin_or_project_member"),
description="Terminate volume attachment.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-terminate_connection)"}],
),
base.APIRule(
name="volume_extension:volume_actions:roll_detaching",
check_str=("rule:xena_system_admin_or_project_member"),
description="Roll back volume status to 'in-use'.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-roll_detaching)"}],
),
base.APIRule(
name="volume_extension:volume_actions:reserve",
check_str=("rule:xena_system_admin_or_project_member"),
description="Mark volume as reserved.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-reserve)"}],
),
base.APIRule(
name="volume_extension:volume_actions:unreserve",
check_str=("rule:xena_system_admin_or_project_member"),
description="Unmark volume as reserved.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-unreserve)"}],
),
base.APIRule(
name="volume_extension:volume_actions:begin_detaching",
check_str=("rule:xena_system_admin_or_project_member"),
description="Begin detach volumes.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-begin_detaching)"}],
),
base.APIRule(
name="volume_extension:volume_actions:attach",
check_str=("rule:xena_system_admin_or_project_member"),
description="Add attachment metadata.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-attach)"}],
),
base.APIRule(
name="volume_extension:volume_actions:detach",
check_str=("rule:xena_system_admin_or_project_member"),
description="Clear attachment metadata.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-detach)"}],
),
base.APIRule(
name="volume:reimage",
check_str=("rule:xena_system_admin_or_project_member"),
description="Reimage a volume in 'available' or 'error' status.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-reimage)"}],
),
base.APIRule(
name="volume:reimage_reserved",
check_str=("rule:xena_system_admin_or_project_member"),
description="Reimage a volume in 'reserved' status.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-reimage)"}],
),
base.APIRule(
name="volume:get_all_transfers",
check_str=("rule:xena_system_admin_or_project_reader"),
description="List volume transfer.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/os-volume-transfer"}, {"method": "GET", "path": "/os-volume-transfer/detail"}, {"method": "GET", "path": "/volume_transfers"}, {"method": "GET", "path": "/volume-transfers/detail"}],
),
base.APIRule(
name="volume:create_transfer",
check_str=("rule:xena_system_admin_or_project_member"),
description="Create a volume transfer.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/os-volume-transfer"}, {"method": "POST", "path": "/volume_transfers"}],
),
base.APIRule(
name="volume:get_transfer",
check_str=("rule:xena_system_admin_or_project_reader"),
description="Show one specified volume transfer.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/os-volume-transfer/{transfer_id}"}, {"method": "GET", "path": "/volume-transfers/{transfer_id}"}],
),
base.APIRule(
name="volume:accept_transfer",
check_str=("rule:xena_system_admin_or_project_member"),
description="Accept a volume transfer.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/os-volume-transfer/{transfer_id}/accept"}, {"method": "POST", "path": "/volume-transfers/{transfer_id}/accept"}],
),
base.APIRule(
name="volume:delete_transfer",
check_str=("rule:xena_system_admin_or_project_member"),
description="Delete volume transfer.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/os-volume-transfer/{transfer_id}"}, {"method": "DELETE", "path": "/volume-transfers/{transfer_id}"}],
),
base.APIRule(
name="volume:get_volume_metadata",
check_str=("rule:xena_system_admin_or_project_reader"),
description="Show volume's metadata or one specified metadata with a given key.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/volumes/{volume_id}/metadata"}, {"method": "GET", "path": "/volumes/{volume_id}/metadata/{key}"}, {"method": "POST", "path": "/volumes/{volume_id}/action (os-show_image_metadata)"}],
),
base.APIRule(
name="volume:create_volume_metadata",
check_str=("rule:xena_system_admin_or_project_member"),
description="Create volume metadata.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/metadata"}],
),
base.APIRule(
name="volume:update_volume_metadata",
check_str=("rule:xena_system_admin_or_project_member"),
description="Replace a volume's metadata dictionary or update a single metadatum with a given key.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/volumes/{volume_id}/metadata"}, {"method": "PUT", "path": "/volumes/{volume_id}/metadata/{key}"}],
),
base.APIRule(
name="volume:delete_volume_metadata",
check_str=("rule:xena_system_admin_or_project_member"),
description="Delete a volume's metadatum with the given key.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/volumes/{volume_id}/metadata/{key}"}],
),
base.APIRule(
name="volume_extension:volume_image_metadata:show",
check_str=("rule:xena_system_admin_or_project_reader"),
description="Include a volume's image metadata in volume detail responses. The ability to make these calls is governed by other policies.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/volumes/detail"}, {"method": "GET", "path": "/volumes/{volume_id}"}],
),
base.APIRule(
name="volume_extension:volume_image_metadata:set",
check_str=("rule:xena_system_admin_or_project_member"),
description="Set image metadata for a volume",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-set_image_metadata)"}],
),
base.APIRule(
name="volume_extension:volume_image_metadata:remove",
check_str=("rule:xena_system_admin_or_project_member"),
description="Remove specific image metadata from a volume",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-unset_image_metadata)"}],
),
base.APIRule(
name="volume:update_volume_admin_metadata",
check_str=("rule:admin_api"),
description="Update volume admin metadata. This permission is required to complete these API calls, though the ability to make these calls is governed by other policies.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-update_readonly_flag)"}, {"method": "POST", "path": "/volumes/{volume_id}/action (os-attach)"}],
),
base.APIRule(
name="volume_extension:types_extra_specs:index",
check_str=("rule:xena_system_admin_or_project_reader"),
description="List type extra specs.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/types/{type_id}/extra_specs"}],
),
base.APIRule(
name="volume_extension:types_extra_specs:create",
check_str=("rule:admin_api"),
description="Create type extra specs.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/types/{type_id}/extra_specs"}],
),
base.APIRule(
name="volume_extension:types_extra_specs:show",
check_str=("rule:xena_system_admin_or_project_reader"),
description="Show one specified type extra specs.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}],
),
base.APIRule(
name="volume_extension:types_extra_specs:read_sensitive",
check_str=("rule:admin_api"),
description="Include extra_specs fields that may reveal sensitive information about the deployment that should not be exposed to end users in various volume-type responses that show extra_specs. The ability to make these calls is governed by other policies.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/types"}, {"method": "GET", "path": "/types/{type_id}"}, {"method": "GET", "path": "/types/{type_id}/extra_specs"}, {"method": "GET", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}],
),
base.APIRule(
name="volume_extension:types_extra_specs:update",
check_str=("rule:admin_api"),
description="Update type extra specs.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}],
),
base.APIRule(
name="volume_extension:types_extra_specs:delete",
check_str=("rule:admin_api"),
description="Delete type extra specs.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}],
),
base.APIRule(
name="volume:create",
check_str=("rule:xena_system_admin_or_project_member"),
description="Create volume.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes"}],
),
base.APIRule(
name="volume:create_from_image",
check_str=("rule:xena_system_admin_or_project_member"),
description="Create volume from image.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes"}],
),
base.APIRule(
name="volume:get",
check_str=("rule:xena_system_admin_or_project_reader"),
description="Show volume.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/volumes/{volume_id}"}],
),
base.APIRule(
name="volume:get_all",
check_str=("rule:xena_system_admin_or_project_reader"),
description="List volumes or get summary of volumes.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/volumes"}, {"method": "GET", "path": "/volumes/detail"}, {"method": "GET", "path": "/volumes/summary"}],
),
base.APIRule(
name="volume:update",
check_str=("rule:xena_system_admin_or_project_member"),
description="Update volume or update a volume's bootable status.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/volumes"}, {"method": "POST", "path": "/volumes/{volume_id}/action (os-set_bootable)"}],
),
base.APIRule(
name="volume:delete",
check_str=("rule:xena_system_admin_or_project_member"),
description="Delete volume.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/volumes/{volume_id}"}],
),
base.APIRule(
name="volume:force_delete",
check_str=("rule:admin_api"),
description="Force Delete a volume.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/volumes/{volume_id}"}],
),
base.APIRule(
name="volume_extension:volume_host_attribute",
check_str=("rule:admin_api"),
description="List or show volume with host attribute.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/volumes/{volume_id}"}, {"method": "GET", "path": "/volumes/detail"}],
),
base.APIRule(
name="volume_extension:volume_tenant_attribute",
check_str=("rule:xena_system_admin_or_project_reader"),
description="List or show volume with tenant attribute.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/volumes/{volume_id}"}, {"method": "GET", "path": "/volumes/detail"}],
),
base.APIRule(
name="volume_extension:volume_mig_status_attribute",
check_str=("rule:admin_api"),
description="List or show volume with migration status attribute.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/volumes/{volume_id}"}, {"method": "GET", "path": "/volumes/detail"}],
),
base.APIRule(
name="volume_extension:volume_encryption_metadata",
check_str=("rule:xena_system_admin_or_project_reader"),
description="Show volume's encryption metadata.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/volumes/{volume_id}/encryption"}, {"method": "GET", "path": "/volumes/{volume_id}/encryption/{encryption_key}"}],
),
base.APIRule(
name="volume:multiattach",
check_str=("rule:xena_system_admin_or_project_member"),
description="Create multiattach capable volume.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/volumes"}],
),
base.APIRule(
name="volume_extension:default_set_or_update",
check_str=("rule:admin_api"),
description="Set or update default volume type.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/default-types"}],
),
base.APIRule(
name="volume_extension:default_get",
check_str=("rule:admin_api"),
description="Get default types.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/default-types/{project-id}"}],
),
base.APIRule(
name="volume_extension:default_get_all",
check_str=("rule:admin_api"),
description="Get all default types. WARNING: Changing this might open up too much information regarding cloud deployment.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/default-types/"}],
),
base.APIRule(
name="volume_extension:default_unset",
check_str=("rule:admin_api"),
description="Unset default type.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/default-types/{project-id}"}],
),
)
# Names exported by a star-import of this module: only the policy rule tuple.
__all__ = (
    "list_rules",
)