Add default policy for Gnocchi
PROD-34861
Change-Id: Iedc4605bfa1e3c87909fd1c4731fac77650c861f
diff --git a/defaults/openstack/policy/all.yml b/defaults/openstack/policy/all.yml
index 39d7c40..e488fca 100644
--- a/defaults/openstack/policy/all.yml
+++ b/defaults/openstack/policy/all.yml
@@ -440,6 +440,46 @@
"tasks_api_access": "role:admin"
"upload_image": ""
glance_default_policy_queens: ${_param:glance_default_policy_pike}
+ gnocchi_default_policy_ocata: {}
+ gnocchi_default_policy_pike: &gnocchi_default_policy_pike
+ "admin_or_creator": "role:admin or user:%(creator)s or project_id:%(created_by_project_id)s"
+ "create archive policy rule": "role:admin"
+ "create archive policy": "role:admin"
+ "create metric": ""
+ "create resource type": "role:admin"
+ "create resource": ""
+ "delete archive policy rule": "role:admin"
+ "delete archive policy": "role:admin"
+ "delete metric": "rule:admin_or_creator"
+ "delete resource type": "role:admin"
+ "delete resource": "rule:admin_or_creator"
+ "delete resources": "rule:admin_or_creator"
+ "get archive policy rule": ""
+ "get archive policy": ""
+ "get measures": "rule:admin_or_creator or rule:metric_owner"
+ "get metric": "rule:admin_or_creator or rule:metric_owner"
+ "get resource type": ""
+ "get resource": "rule:admin_or_creator or rule:resource_owner"
+ "get status": "role:admin"
+ "list all metric": "role:admin"
+ "list archive policy rule": ""
+ "list archive policy": ""
+ "list metric": ""
+ "list resource type": ""
+ "list resource": "rule:admin_or_creator or rule:resource_owner"
+ "metric_owner": "project_id:%(resource.project_id)s"
+ "post measures": "rule:admin_or_creator"
+ "resource_owner": "project_id:%(project_id)s"
+ "search metric": "rule:admin_or_creator or rule:metric_owner"
+ "search resource": "rule:admin_or_creator or rule:resource_owner"
+ "update archive policy": "role:admin"
+ "update resource type": "role:admin"
+ "update resource": "rule:admin_or_creator"
+ gnocchi_default_policy_queens:
+ << : *gnocchi_default_policy_pike
+ "list all metric":
+ "list metric": "rule:admin_or_creator or rule:metric_owner"
+ "update archive policy rule": "role:admin"
heat_default_policy_ocata: {}
heat_default_policy_pike:
"actions:action": "rule:deny_stack_user"
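Review bot: In `gnocchi_default_policy_queens` the bare `"list all metric":` parses as null, and nothing visible here says how the consumer treats a null rule. If the intent is to drop the rule inherited from pike through the merge key, put a comment above it such as `# null: drop the rule inherited from pike`; otherwise confirm the rendered policy file does not end up with an empty entry for it. The pike map also sets `"create metric"`, `"create resource"`, `"list metric"` and the get/list archive-policy and resource-type rules to `""`, which oslo.policy evaluates as always-allow for any caller that reaches the check, so a one-line comment stating this is deliberate would help whoever audits these defaults. As a style point, `<< :` has a stray space before the colon and merge keys are a YAML 1.1 extension; `<<: *gnocchi_default_policy_pike` is the usual spelling. The enclosing parameters mapping starts and ends outside the hunk.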
diff --git a/defaults/openstack/policy/gnocchi.yml b/defaults/openstack/policy/gnocchi.yml
new file mode 100644
index 0000000..a56e91b
--- /dev/null
+++ b/defaults/openstack/policy/gnocchi.yml
@@ -0,0 +1,6 @@
+classes:
+- system.defaults.openstack.policy.all
+parameters:
+ gnocchi:
+ server:
+ policy: ${_param:gnocchi_default_policy_${_param:openstack_version}}
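Review bot: The nested reference on the `policy:` line only has a target for the three versions this commit defines in policy/all.yml (ocata, pike, queens). Any other `openstack_version` leaves the lookup unresolved, unless a matching parameter exists outside the visible lines. A comment above it, for example `# requires gnocchi_default_policy_<openstack_version> in policy/all.yml`, would make that coupling explicit. For ocata the reference resolves to `{}`, so this class presumably manages no Gnocchi rules on that release and whatever policy the service ships with stays in effect, which is worth stating if intended.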