Add default policies for Ironic
PROD-34908
Change-Id: I0dc31646deaa67991d334bb0d3f0118ad1104018
diff --git a/defaults/openstack/policy/all.yml b/defaults/openstack/policy/all.yml
index 39d7c40..012a88b 100644
--- a/defaults/openstack/policy/all.yml
+++ b/defaults/openstack/policy/all.yml
@@ -537,6 +537,62 @@
"stacks:update_patch": "rule:deny_stack_user"
"stacks:validate_template": "rule:deny_stack_user"
heat_default_policy_queens: ${_param:heat_default_policy_pike}
+ ironic_default_policy_ocata: {}
+ ironic_default_policy_pike: &ironic_default_policy_pike
+ "admin_api": "role:admin or role:administrator"
+ "baremetal:chassis:create": "rule:is_admin"
+ "baremetal:chassis:delete": "rule:is_admin"
+ "baremetal:chassis:get": "rule:is_admin or rule:is_observer"
+ "baremetal:chassis:update": "rule:is_admin"
+ "baremetal:driver:get": "rule:is_admin or rule:is_observer"
+ "baremetal:driver:get_properties": "rule:is_admin or rule:is_observer"
+ "baremetal:driver:get_raid_logical_disk_properties": "rule:is_admin or rule:is_observer"
+ "baremetal:driver:ipa_lookup": "rule:public_api"
+ "baremetal:driver:vendor_passthru": "rule:is_admin"
+ "baremetal:node:clear_maintenance": "rule:is_admin"
+ "baremetal:node:create": "rule:is_admin"
+ "baremetal:node:delete": "rule:is_admin"
+ "baremetal:node:get": "rule:is_admin or rule:is_observer"
+ "baremetal:node:get_boot_device": "rule:is_admin or rule:is_observer"
+ "baremetal:node:get_console": "rule:is_admin"
+ "baremetal:node:get_states": "rule:is_admin or rule:is_observer"
+ "baremetal:node:inject_nmi": "rule:is_admin"
+ "baremetal:node:ipa_heartbeat": "rule:public_api"
+ "baremetal:node:set_boot_device": "rule:is_admin"
+ "baremetal:node:set_console_state": "rule:is_admin"
+ "baremetal:node:set_maintenance": "rule:is_admin"
+ "baremetal:node:set_power_state": "rule:is_admin"
+ "baremetal:node:set_provision_state": "rule:is_admin"
+ "baremetal:node:set_raid_state": "rule:is_admin"
+ "baremetal:node:update": "rule:is_admin"
+ "baremetal:node:validate": "rule:is_admin"
+ "baremetal:node:vendor_passthru": "rule:is_admin"
+ "baremetal:node:vif:attach": "rule:is_admin"
+ "baremetal:node:vif:detach": "rule:is_admin"
+ "baremetal:node:vif:list": "rule:is_admin"
+ "baremetal:port:create": "rule:is_admin"
+ "baremetal:port:delete": "rule:is_admin"
+ "baremetal:port:get": "rule:is_admin or rule:is_observer"
+ "baremetal:port:update": "rule:is_admin"
+ "baremetal:portgroup:create": "rule:is_admin"
+ "baremetal:portgroup:delete": "rule:is_admin"
+ "baremetal:portgroup:get": "rule:is_admin or rule:is_observer"
+ "baremetal:portgroup:update": "rule:is_admin"
+ "baremetal:volume:create": "rule:is_admin"
+ "baremetal:volume:delete": "rule:is_admin"
+ "baremetal:volume:get": "rule:is_admin or rule:is_observer"
+ "baremetal:volume:update": "rule:is_admin"
+ "is_admin": "rule:admin_api or (rule:is_member and role:baremetal_admin)"
+ "is_member": "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
+ "is_observer": "rule:is_member and (role:observer or role:baremetal_observer)"
+ "public_api": "is_public_api:True"
+ "show_instance_secrets": "!"
+ "show_password": "!"
+ ironic_default_policy_queens:
+ << : *ironic_default_policy_pike
+ "baremetal:node:traits:delete": "rule:is_admin"
+ "baremetal:node:traits:list": "rule:is_admin or rule:is_observer"
+ "baremetal:node:traits:set": "rule:is_admin"
keystone_default_policy_ocata: {}
keystone_default_policy_pike: &keystone_default_policy_pike
"admin_or_owner": "rule:admin_required or rule:owner"