baha/skyline-apiserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
eb59b2614d
skyline-apiserver/skyline_apiserver/policy/manager/ironic.py
Boxiang Zhu eb59b2614d fix: Remove invalid panko policy 
1. remove invalid panko policy
2. remove install panko from post_install.sh
3. update policy

Change-Id: Icb23e4ff34ff47952294f711ddabd36cc9df706e
2022-08-17 14:05:06 +08:00

718 lines
38 KiB
Python
Raw Blame History

# flake8: noqa
# fmt: off
from . import base
list_rules = (
base.Rule(
name="admin_api",
check_str=("role:admin or role:administrator"),
description="Legacy rule for cloud admin access",
),
base.Rule(
name="public_api",
check_str=("is_public_api:True"),
description="Internal flag for public API routes",
),
base.Rule(
name="show_password",
check_str=("!"),
description="Show or mask secrets within node driver information in API responses",
),
base.Rule(
name="show_instance_secrets",
check_str=("!"),
description="Show or mask secrets within instance information in API responses",
),
base.Rule(
name="is_member",
check_str=("(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"),
description="May be used to restrict access to specific projects",
),
base.Rule(
name="is_observer",
check_str=("rule:is_member and (role:observer or role:baremetal_observer)"),
description="Read-only API access",
),
base.Rule(
name="is_admin",
check_str=("rule:admin_api or (rule:is_member and role:baremetal_admin)"),
description="Full read/write API access",
),
base.Rule(
name="is_node_owner",
check_str=("project_id:%(node.owner)s"),
description="Owner of node",
),
base.Rule(
name="is_node_lessee",
check_str=("project_id:%(node.lessee)s"),
description="Lessee of node",
),
base.Rule(
name="is_allocation_owner",
check_str=("project_id:%(allocation.owner)s"),
description="Owner of allocation",
),
base.APIRule(
name="baremetal:node:create",
check_str=("role:admin and system_scope:all"),
description="Create Node records",
scope_types=["system"],
operations=[{"method": "POST", "path": "/nodes"}],
),
base.APIRule(
name="baremetal:node:list",
check_str=("role:reader"),
description="Retrieve multiple Node records, filtered by an explicit owner or the client project_id",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes"}, {"method": "GET", "path": "/nodes/detail"}],
),
base.APIRule(
name="baremetal:node:list_all",
check_str=("role:reader and system_scope:all"),
description="Retrieve multiple Node records",
scope_types=["system"],
operations=[{"method": "GET", "path": "/nodes"}, {"method": "GET", "path": "/nodes/detail"}],
),
base.APIRule(
name="baremetal:node:get",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Retrieve a single Node record",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:get:filter_threshold",
check_str=("role:reader and system_scope:all"),
description="Filter to allow operators to govern the threshold where information should be filtered. Non-authorized users will be subjected to additional API policy checks for API content response bodies.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:get:last_error",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Governs if the node last_error field is masked from API clients with insufficient privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:get:reservation",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Governs if the node reservation field is masked from API clients with insufficient privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:get:driver_internal_info",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Governs if the node driver_internal_info field is masked from API clients with insufficient privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:get:driver_info",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Governs if the driver_info field is masked from API clients with insufficient privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:driver_info",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
description="Governs if node driver_info field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:properties",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
description="Governs if node properties field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:chassis_uuid",
check_str=("role:admin and system_scope:all"),
description="Governs if node chassis_uuid field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:instance_uuid",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
description="Governs if node instance_uuid field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:lessee",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
description="Governs if node lessee field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:owner",
check_str=("role:member and system_scope:all"),
description="Governs if node owner field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:driver_interfaces",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Governs if node driver and driver interfaces field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:network_data",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
description="Governs if node driver_info field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:conductor_group",
check_str=("role:member and system_scope:all"),
description="Governs if node conductor_group field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:name",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
description="Governs if node name field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:retired",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
description="Governs if node retired and retired reason can be updated by API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update",
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Generalized update of node records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update_extra",
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Update Node extra field",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update_instance_info",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Update Node instance_info field",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update_owner_provisioned",
check_str=("role:admin and system_scope:all"),
description="Update Node owner even when Node is provisioned",
scope_types=["system"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:delete",
check_str=("role:admin and system_scope:all"),
description="Delete Node records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:validate",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Request active validation of Nodes",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/validate"}],
),
base.APIRule(
name="baremetal:node:set_maintenance",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Set maintenance flag, taking a Node out of service",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/maintenance"}],
),
base.APIRule(
name="baremetal:node:clear_maintenance",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Clear maintenance flag, placing the Node into service again",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/maintenance"}],
),
base.APIRule(
name="baremetal:node:get_boot_device",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Retrieve Node boot device metadata",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"}, {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"}],
),
base.APIRule(
name="baremetal:node:set_boot_device",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Change Node boot device",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/boot_device"}],
),
base.APIRule(
name="baremetal:node:get_indicator_state",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Retrieve Node indicators and their states",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}"}, {"method": "GET", "path": "/nodes/{node_ident}/management/indicators"}],
),
base.APIRule(
name="baremetal:node:set_indicator_state",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
description="Change Node indicator state",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}"}],
),
base.APIRule(
name="baremetal:node:inject_nmi",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Inject NMI for a node",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/inject_nmi"}],
),
base.APIRule(
name="baremetal:node:get_states",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="View Node power and provision state",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/states"}],
),
base.APIRule(
name="baremetal:node:set_power_state",
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Change Node power status",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/power"}],
),
base.APIRule(
name="baremetal:node:set_boot_mode",
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Change Node boot mode",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/boot_mode"}],
),
base.APIRule(
name="baremetal:node:set_secure_boot",
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Change Node secure boot state",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/secure_boot"}],
),
base.APIRule(
name="baremetal:node:set_provision_state",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Change Node provision status",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/provision"}],
),
base.APIRule(
name="baremetal:node:set_raid_state",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
description="Change Node RAID status",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/raid"}],
),
base.APIRule(
name="baremetal:node:get_console",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
description="Get Node console connection information",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/states/console"}],
),
base.APIRule(
name="baremetal:node:set_console_state",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
description="Change Node console status",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/console"}],
),
base.APIRule(
name="baremetal:node:vif:list",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="List VIFs attached to node",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/vifs"}],
),
base.APIRule(
name="baremetal:node:vif:attach",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Attach a VIF to a node",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/nodes/{node_ident}/vifs"}],
),
base.APIRule(
name="baremetal:node:vif:detach",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Detach a VIF from a node",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/vifs/{node_vif_ident}"}],
),
base.APIRule(
name="baremetal:node:traits:list",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="List node traits",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/traits"}],
),
base.APIRule(
name="baremetal:node:traits:set",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Add a trait to, or replace all traits of, a node",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/traits"}, {"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"}],
),
base.APIRule(
name="baremetal:node:traits:delete",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Remove one or all traits from a node",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/traits"}, {"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"}],
),
base.APIRule(
name="baremetal:node:bios:get",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Retrieve Node BIOS information",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/bios"}, {"method": "GET", "path": "/nodes/{node_ident}/bios/{setting}"}],
),
base.APIRule(
name="baremetal:node:disable_cleaning",
check_str=("role:admin and system_scope:all"),
description="Disable Node disk cleaning",
scope_types=["system"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:history:get",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Filter to allow operators to retreive history records for a node.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/history"}, {"method": "GET", "path": "/nodes/{node_ident}/history/{event_ident}"}],
),
base.APIRule(
name="baremetal:port:get",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Retrieve Port records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/ports/{port_id}"}, {"method": "GET", "path": "/nodes/{node_ident}/ports"}, {"method": "GET", "path": "/nodes/{node_ident}/ports/detail"}, {"method": "GET", "path": "/portgroups/{portgroup_ident}/ports"}, {"method": "GET", "path": "/portgroups/{portgroup_ident}/ports/detail"}],
),
base.APIRule(
name="baremetal:port:list",
check_str=("role:reader"),
description="Retrieve multiple Port records, filtered by owner",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": "/ports/detail"}],
),
base.APIRule(
name="baremetal:port:list_all",
check_str=("role:reader and system_scope:all"),
description="Retrieve multiple Port records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": "/ports/detail"}],
),
base.APIRule(
name="baremetal:port:create",
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Create Port records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/ports"}],
),
base.APIRule(
name="baremetal:port:delete",
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Delete Port records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/ports/{port_id}"}],
),
base.APIRule(
name="baremetal:port:update",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Update Port records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/ports/{port_id}"}],
),
base.APIRule(
name="baremetal:portgroup:get",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Retrieve Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/portgroups"}, {"method": "GET", "path": "/portgroups/detail"}, {"method": "GET", "path": "/portgroups/{portgroup_ident}"}, {"method": "GET", "path": "/nodes/{node_ident}/portgroups"}, {"method": "GET", "path": "/nodes/{node_ident}/portgroups/detail"}],
),
base.APIRule(
name="baremetal:portgroup:create",
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Create Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/portgroups"}],
),
base.APIRule(
name="baremetal:portgroup:delete",
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Delete Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/portgroups/{portgroup_ident}"}],
),
base.APIRule(
name="baremetal:portgroup:update",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Update Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/portgroups/{portgroup_ident}"}],
),
base.APIRule(
name="baremetal:portgroup:list",
check_str=("role:reader"),
description="Retrieve multiple Port records, filtered by owner",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/portgroups"}, {"method": "GET", "path": "/portgroups/detail"}],
),
base.APIRule(
name="baremetal:portgroup:list_all",
check_str=("role:reader and system_scope:all"),
description="Retrieve multiple Port records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/portgroups"}, {"method": "GET", "path": "/portgroups/detail"}],
),
base.APIRule(
name="baremetal:chassis:get",
check_str=("role:reader and system_scope:all"),
description="Retrieve Chassis records",
scope_types=["system"],
operations=[{"method": "GET", "path": "/chassis"}, {"method": "GET", "path": "/chassis/detail"}, {"method": "GET", "path": "/chassis/{chassis_id}"}],
),
base.APIRule(
name="baremetal:chassis:create",
check_str=("role:admin and system_scope:all"),
description="Create Chassis records",
scope_types=["system"],
operations=[{"method": "POST", "path": "/chassis"}],
),
base.APIRule(
name="baremetal:chassis:delete",
check_str=("role:admin and system_scope:all"),
description="Delete Chassis records",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/chassis/{chassis_id}"}],
),
base.APIRule(
name="baremetal:chassis:update",
check_str=("role:member and system_scope:all"),
description="Update Chassis records",
scope_types=["system"],
operations=[{"method": "PATCH", "path": "/chassis/{chassis_id}"}],
),
base.APIRule(
name="baremetal:driver:get",
check_str=("role:reader and system_scope:all"),
description="View list of available drivers",
scope_types=["system"],
operations=[{"method": "GET", "path": "/drivers"}, {"method": "GET", "path": "/drivers/{driver_name}"}],
),
base.APIRule(
name="baremetal:driver:get_properties",
check_str=("role:reader and system_scope:all"),
description="View driver-specific properties",
scope_types=["system"],
operations=[{"method": "GET", "path": "/drivers/{driver_name}/properties"}],
),
base.APIRule(
name="baremetal:driver:get_raid_logical_disk_properties",
check_str=("role:reader and system_scope:all"),
description="View driver-specific RAID metadata",
scope_types=["system"],
operations=[{"method": "GET", "path": "/drivers/{driver_name}/raid/logical_disk_properties"}],
),
base.APIRule(
name="baremetal:node:vendor_passthru",
check_str=("role:admin and system_scope:all"),
description="Access vendor-specific Node functions",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "nodes/{node_ident}/vendor_passthru/methods"}, {"method": "GET", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "PUT", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "POST", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "PATCH", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "DELETE", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}],
),
base.APIRule(
name="baremetal:driver:vendor_passthru",
check_str=("role:admin and system_scope:all"),
description="Access vendor-specific Driver functions",
scope_types=["system"],
operations=[{"method": "GET", "path": "drivers/{driver_name}/vendor_passthru/methods"}, {"method": "GET", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "PUT", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "POST", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "PATCH", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "DELETE", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}],
),
base.APIRule(
name="baremetal:node:ipa_heartbeat",
check_str=(""),
description="Receive heartbeats from IPA ramdisk",
scope_types=["project"],
operations=[{"method": "POST", "path": "/heartbeat/{node_ident}"}],
),
base.APIRule(
name="baremetal:driver:ipa_lookup",
check_str=(""),
description="Access IPA ramdisk functions",
scope_types=["project"],
operations=[{"method": "GET", "path": "/lookup"}],
),
base.APIRule(
name="baremetal:volume:list_all",
check_str=("role:reader and system_scope:all"),
description="Retrieve a list of all Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/volume/connectors"}, {"method": "GET", "path": "/volume/targets"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}],
),
base.APIRule(
name="baremetal:volume:list",
check_str=("role:reader"),
description="Retrieve a list of Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/volume/connectors"}, {"method": "GET", "path": "/volume/targets"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}],
),
base.APIRule(
name="baremetal:volume:get",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Retrieve Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/volume"}, {"method": "GET", "path": "/volume/connectors"}, {"method": "GET", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "GET", "path": "/volume/targets"}, {"method": "GET", "path": "/volume/targets/{volume_target_id}"}, {"method": "GET", "path": "/nodes/{node_ident}/volume"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}],
),
base.APIRule(
name="baremetal:volume:create",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Create Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/volume/connectors"}, {"method": "POST", "path": "/volume/targets"}],
),
base.APIRule(
name="baremetal:volume:delete",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Delete Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "DELETE", "path": "/volume/targets/{volume_target_id}"}],
),
base.APIRule(
name="baremetal:volume:update",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Update Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "PATCH", "path": "/volume/targets/{volume_target_id}"}],
),
base.APIRule(
name="baremetal:volume:view_target_properties",
check_str=("(role:reader and system_scope:all) or (role:admin)"),
description="Ability to view volume target properties",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "GET", "path": "/volume/targets/{volume_target_id}"}],
),
base.APIRule(
name="baremetal:conductor:get",
check_str=("role:reader and system_scope:all"),
description="Retrieve Conductor records",
scope_types=["system"],
operations=[{"method": "GET", "path": "/conductors"}, {"method": "GET", "path": "/conductors/{hostname}"}],
),
base.APIRule(
name="baremetal:allocation:get",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(allocation.owner)s)"),
description="Retrieve Allocation records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/allocations/{allocation_id}"}, {"method": "GET", "path": "/nodes/{node_ident}/allocation"}],
),
base.APIRule(
name="baremetal:allocation:list",
check_str=("role:reader"),
description="Retrieve multiple Allocation records, filtered by owner",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/allocations"}],
),
base.APIRule(
name="baremetal:allocation:list_all",
check_str=("role:reader and system_scope:all"),
description="Retrieve multiple Allocation records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/allocations"}],
),
base.APIRule(
name="baremetal:allocation:create",
check_str=("(role:member and system_scope:all) or (role:member)"),
description="Create Allocation records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/allocations"}],
),
base.APIRule(
name="baremetal:allocation:create_restricted",
check_str=("role:member and system_scope:all"),
description="Create Allocation records with a specific owner.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/allocations"}],
),
base.APIRule(
name="baremetal:allocation:delete",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"),
description="Delete Allocation records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/allocations/{allocation_id}"}, {"method": "DELETE", "path": "/nodes/{node_ident}/allocation"}],
),
base.APIRule(
name="baremetal:allocation:update",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"),
description="Change name and extra fields of an allocation",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/allocations/{allocation_id}"}],
),
base.APIRule(
name="baremetal:allocation:create_pre_rbac",
check_str=("(rule:is_member and role:baremetal_admin) or (is_admin_project:True and role:admin)"),
description="Logical restrictor to prevent legacy allocation rule missuse - Requires blank allocations to originate from the legacy baremetal_admin.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/allocations/{allocation_id}"}],
),
base.APIRule(
name="baremetal:events:post",
check_str=("role:admin and system_scope:all"),
description="Post events",
scope_types=["system"],
operations=[{"method": "POST", "path": "/events"}],
),
base.APIRule(
name="baremetal:deploy_template:get",
check_str=("role:reader and system_scope:all"),
description="Retrieve Deploy Template records",
scope_types=["system"],
operations=[{"method": "GET", "path": "/deploy_templates"}, {"method": "GET", "path": "/deploy_templates/{deploy_template_ident}"}],
),
base.APIRule(
name="baremetal:deploy_template:create",
check_str=("role:admin and system_scope:all"),
description="Create Deploy Template records",
scope_types=["system"],
operations=[{"method": "POST", "path": "/deploy_templates"}],
),
base.APIRule(
name="baremetal:deploy_template:delete",
check_str=("role:admin and system_scope:all"),
description="Delete Deploy Template records",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/deploy_templates/{deploy_template_ident}"}],
),
base.APIRule(
name="baremetal:deploy_template:update",
check_str=("role:admin and system_scope:all"),
description="Update Deploy Template records",
scope_types=["system"],
operations=[{"method": "PATCH", "path": "/deploy_templates/{deploy_template_ident}"}],
),
)
__all__ = ("list_rules",)
Reference in New Issue View Git Blame Copy Permalink