Merge "Set prometheus-relay,telegraf images tags to mcp version"
diff --git a/defaults/openstack/policy/all.yml b/defaults/openstack/policy/all.yml
index 39d7c40..3e0975a 100644
--- a/defaults/openstack/policy/all.yml
+++ b/defaults/openstack/policy/all.yml
@@ -440,6 +440,46 @@
       "tasks_api_access": "role:admin"
       "upload_image": ""
     glance_default_policy_queens: ${_param:glance_default_policy_pike}
+    gnocchi_default_policy_ocata: {}
+    gnocchi_default_policy_pike: &gnocchi_default_policy_pike
+      "admin_or_creator": "role:admin or user:%(creator)s or project_id:%(created_by_project_id)s"
+      "create archive policy rule": "role:admin"
+      "create archive policy": "role:admin"
+      "create metric": ""
+      "create resource type": "role:admin"
+      "create resource": ""
+      "delete archive policy rule": "role:admin"
+      "delete archive policy": "role:admin"
+      "delete metric": "rule:admin_or_creator"
+      "delete resource type": "role:admin"
+      "delete resource": "rule:admin_or_creator"
+      "delete resources": "rule:admin_or_creator"
+      "get archive policy rule": ""
+      "get archive policy": ""
+      "get measures":  "rule:admin_or_creator or rule:metric_owner"
+      "get metric": "rule:admin_or_creator or rule:metric_owner"
+      "get resource type": ""
+      "get resource": "rule:admin_or_creator or rule:resource_owner"
+      "get status": "role:admin"
+      "list all metric": "role:admin"
+      "list archive policy rule": ""
+      "list archive policy": ""
+      "list metric": ""
+      "list resource type": ""
+      "list resource": "rule:admin_or_creator or rule:resource_owner"
+      "metric_owner": "project_id:%(resource.project_id)s"
+      "post measures":  "rule:admin_or_creator"
+      "resource_owner": "project_id:%(project_id)s"
+      "search metric": "rule:admin_or_creator or rule:metric_owner"
+      "search resource": "rule:admin_or_creator or rule:resource_owner"
+      "update archive policy": "role:admin"
+      "update resource type": "role:admin"
+      "update resource": "rule:admin_or_creator"
+    gnocchi_default_policy_queens:
+      << : *gnocchi_default_policy_pike
+      "list all metric":
+      "list metric": "rule:admin_or_creator or rule:metric_owner"
+      "update archive policy rule": "role:admin"
     heat_default_policy_ocata: {}
     heat_default_policy_pike:
       "actions:action": "rule:deny_stack_user"
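Review bot: The bare `"list all metric":` in `gnocchi_default_policy_queens` parses as YAML null, and nothing in the hunk says how the consumer treats a null rule. If it is rendered as an empty string, the rule changes from `role:admin` in the pike map to an empty check, which the other `""` entries here appear to use for "no restriction". If the intent is to drop the rule for Queens, write it explicitly and document it, e.g. `"list all metric": null  # removed in Queens; null is expected to delete the rule (confirm in the formula)`. The explicit keys after `<< : *gnocchi_default_policy_pike` override the merged ones, so a short comment naming the three deliberate differences from pike would help the next reader; the enclosing parameters mapping starts and ends outside this hunk.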
@@ -537,6 +577,62 @@
       "stacks:update_patch": "rule:deny_stack_user"
       "stacks:validate_template": "rule:deny_stack_user"
     heat_default_policy_queens: ${_param:heat_default_policy_pike}
+    ironic_default_policy_ocata: {}
+    ironic_default_policy_pike: &ironic_default_policy_pike
+      "admin_api": "role:admin or role:administrator"
+      "baremetal:chassis:create": "rule:is_admin"
+      "baremetal:chassis:delete": "rule:is_admin"
+      "baremetal:chassis:get": "rule:is_admin or rule:is_observer"
+      "baremetal:chassis:update": "rule:is_admin"
+      "baremetal:driver:get": "rule:is_admin or rule:is_observer"
+      "baremetal:driver:get_properties": "rule:is_admin or rule:is_observer"
+      "baremetal:driver:get_raid_logical_disk_properties": "rule:is_admin or rule:is_observer"
+      "baremetal:driver:ipa_lookup": "rule:public_api"
+      "baremetal:driver:vendor_passthru": "rule:is_admin"
+      "baremetal:node:clear_maintenance": "rule:is_admin"
+      "baremetal:node:create": "rule:is_admin"
+      "baremetal:node:delete": "rule:is_admin"
+      "baremetal:node:get": "rule:is_admin or rule:is_observer"
+      "baremetal:node:get_boot_device": "rule:is_admin or rule:is_observer"
+      "baremetal:node:get_console": "rule:is_admin"
+      "baremetal:node:get_states": "rule:is_admin or rule:is_observer"
+      "baremetal:node:inject_nmi": "rule:is_admin"
+      "baremetal:node:ipa_heartbeat": "rule:public_api"
+      "baremetal:node:set_boot_device": "rule:is_admin"
+      "baremetal:node:set_console_state": "rule:is_admin"
+      "baremetal:node:set_maintenance": "rule:is_admin"
+      "baremetal:node:set_power_state": "rule:is_admin"
+      "baremetal:node:set_provision_state": "rule:is_admin"
+      "baremetal:node:set_raid_state": "rule:is_admin"
+      "baremetal:node:update": "rule:is_admin"
+      "baremetal:node:validate": "rule:is_admin"
+      "baremetal:node:vendor_passthru": "rule:is_admin"
+      "baremetal:node:vif:attach": "rule:is_admin"
+      "baremetal:node:vif:detach": "rule:is_admin"
+      "baremetal:node:vif:list": "rule:is_admin"
+      "baremetal:port:create": "rule:is_admin"
+      "baremetal:port:delete": "rule:is_admin"
+      "baremetal:port:get": "rule:is_admin or rule:is_observer"
+      "baremetal:port:update": "rule:is_admin"
+      "baremetal:portgroup:create": "rule:is_admin"
+      "baremetal:portgroup:delete": "rule:is_admin"
+      "baremetal:portgroup:get": "rule:is_admin or rule:is_observer"
+      "baremetal:portgroup:update": "rule:is_admin"
+      "baremetal:volume:create": "rule:is_admin"
+      "baremetal:volume:delete": "rule:is_admin"
+      "baremetal:volume:get": "rule:is_admin or rule:is_observer"
+      "baremetal:volume:update": "rule:is_admin"
+      "is_admin": "rule:admin_api or (rule:is_member and role:baremetal_admin)"
+      "is_member": "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
+      "is_observer": "rule:is_member and (role:observer or role:baremetal_observer)"
+      "public_api": "is_public_api:True"
+      "show_instance_secrets": "!"
+      "show_password": "!"
+    ironic_default_policy_queens:
+      << : *ironic_default_policy_pike
+      "baremetal:node:traits:delete": "rule:is_admin"
+      "baremetal:node:traits:list": "rule:is_admin or rule:is_observer"
+      "baremetal:node:traits:set": "rule:is_admin"
     keystone_default_policy_ocata: {}
     keystone_default_policy_pike: &keystone_default_policy_pike
       "admin_or_owner": "rule:admin_required or rule:owner"
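Review bot: The `is_member` rule in `ironic_default_policy_pike` decides membership by project name and includes `project_name:demo`, and both `is_admin` and `is_observer` are built on it. A user holding `baremetal_admin` in any project named `demo` in the default domain therefore passes `rule:is_admin` for every `baremetal:*` write operation. This looks like a development default carried into the deployment defaults; if no `demo` project is intended, consider `"is_member": "(project_domain_id:default or project_domain_id:None) and project_name:baremetal"`, or add a comment stating which projects must exist and who may create them. `ironic_default_policy_queens` inherits the same rule through the merge key.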
diff --git a/defaults/openstack/policy/gnocchi.yml b/defaults/openstack/policy/gnocchi.yml
new file mode 100644
index 0000000..a56e91b
--- /dev/null
+++ b/defaults/openstack/policy/gnocchi.yml
@@ -0,0 +1,6 @@
+classes:
+- system.defaults.openstack.policy.all
+parameters:
+  gnocchi:
+    server:
+      policy: ${_param:gnocchi_default_policy_${_param:openstack_version}}
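Review bot: The nested reference `${_param:gnocchi_default_policy_${_param:openstack_version}}` only resolves when `all.yml` defines a key for the exact release string, and this commit adds only `ocata`, `pike` and `queens`. For `ocata` it resolves to `{}`, so this class supplies no policy entries for that release, which deserves a one-line comment if intentional. I would add a comment above `policy:` such as `# requires gnocchi_default_policy_<openstack_version> in policy/all.yml; add a key there for each new release`. The same applies to `ironic.yml`, which uses the identical pattern for `ironic_default_policy_*`.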
diff --git a/defaults/openstack/policy/ironic.yml b/defaults/openstack/policy/ironic.yml
new file mode 100644
index 0000000..f6addcb
--- /dev/null
+++ b/defaults/openstack/policy/ironic.yml
@@ -0,0 +1,6 @@
+classes:
+- system.defaults.openstack.policy.all
+parameters:
+  ironic:
+    api:
+      policy: ${_param:ironic_default_policy_${_param:openstack_version}}