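# Default oslo.policy rule sets for OpenStack services, one map per service
# and release, stored under parameters._param.
# Rule syntax used below: "" passes for every caller that reaches the policy
# check, "@" always allows, "!" always denies, "rule:NAME" refers to another
# entry of the same map, "role:NAME" matches a role carried by the token.
parameters:
  _param:
    # Empty map for Ocata.
    # NOTE(review): presumably means "no overrides, use the service's own
    # defaults" - confirm against the consumer of this parameter.
    barbican_default_policy_ocata: {}
    barbican_default_policy_pike:
      # Role aliases. A bare role check carries no project comparison; the
      # *_project_match rules further down add it for secrets and containers.
      "admin": "role:admin"
      "admin_or_creator": "rule:admin or rule:creator"
      # admin_or_user and admin_or_user_does_not_work are not referenced by
      # any other rule in this map.
      "admin_or_user": "rule:admin or project_id:%(project_id)s"
      "admin_or_user_does_not_work": "project_id:%(project_id)s"
      "all_but_audit": "rule:admin or rule:observer or rule:creator"
      "all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"
      "audit": "role:audit"
      "certificate_authorities:get_all": "rule:admin"
      "certificate_authorities:get_global_preferred_ca": "rule:service_admin"
      "certificate_authorities:get_limited": "rule:all_users"
      "certificate_authorities:get_preferred_ca": "rule:all_users"
      "certificate_authorities:post": "rule:admin"
      "certificate_authorities:unset_global_preferred": "rule:service_admin"
      "certificate_authority:add_to_project": "rule:admin"
      "certificate_authority:delete": "rule:admin"
      "certificate_authority:get": "rule:all_users"
      "certificate_authority:get_ca_cert_chain": "rule:all_users"
      "certificate_authority:get_cacert": "rule:all_users"
      "certificate_authority:get_projects": "rule:service_admin"
      "certificate_authority:remove_from_project": "rule:admin"
      "certificate_authority:set_global_preferred": "rule:service_admin"
      "certificate_authority:set_preferred": "rule:admin"
      "consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
      "consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
      "consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
      "consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
      "container:delete": "rule:container_project_admin or rule:container_project_creator"
      "container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
      # Literal-vs-target checks: the constant on the left is compared with
      # an attribute of the target object ('read' with target.container.read,
      # 'False' with target.container.read_project_access).
      "container_acl_read": "'read':%(target.container.read)s"
      "container_acls:delete": "rule:container_project_admin or rule:container_project_creator"
      "container_acls:get": "rule:all_but_audit and rule:container_project_match"
      "container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator"
      "container_creator_user": "user:%(target.container.creator_id)s"
      "container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read"
      "container_private_read": "'False':%(target.container.read_project_access)s"
      "container_project_admin": "rule:admin and rule:container_project_match"
      "container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user"
      "container_project_match": "project:%(target.container.project_id)s"
      # NOTE(review): the container_secret:*, order:*, orders:*, secrets:*
      # and secret_meta:* rules check roles only, with no *_project_match
      # term; any project isolation for them has to come from the service
      # code - confirm before relying on this map for tenant separation.
      "container_secret:delete": "rule:admin"
      "container_secret:post": "rule:admin"
      "containers:get": "rule:all_but_audit"
      "containers:post": "rule:admin_or_creator"
      "creator": "role:creator"
      "observer": "role:observer"
      "order:delete": "rule:admin"
      "order:get": "rule:all_users"
      "order:put": "rule:admin_or_creator"
      "orders:get": "rule:all_but_audit"
      "orders:post": "rule:admin_or_creator"
      "project_quotas:delete": "rule:service_admin"
      "project_quotas:get": "rule:service_admin"
      "project_quotas:put": "rule:service_admin"
      "quotas:get": "rule:all_users"
      # secret:decrypt returns payloads. Its non-private path uses
      # all_but_audit, so the audit role can read metadata (secret:get) but
      # cannot decrypt through project membership alone.
      "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read"
      "secret:delete": "rule:secret_project_admin or rule:secret_project_creator"
      "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read"
      "secret:put": "rule:admin_or_creator and rule:secret_project_match"
      "secret_acl_read": "'read':%(target.secret.read)s"
      "secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator"
      "secret_acls:get": "rule:all_but_audit and rule:secret_project_match"
      "secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator"
      "secret_creator_user": "user:%(target.secret.creator_id)s"
      "secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"
      "secret_meta:delete": "rule:admin_or_creator"
      "secret_meta:get": "rule:all_but_audit"
      "secret_meta:post": "rule:admin_or_creator"
      "secret_meta:put": "rule:admin_or_creator"
      "secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read"
      "secret_private_read": "'False':%(target.secret.read_project_access)s"
      "secret_project_admin": "rule:admin and rule:secret_project_match"
      "secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user"
      "secret_project_match": "project:%(target.secret.project_id)s"
      "secrets:get": "rule:all_but_audit"
      "secrets:post": "rule:admin_or_creator"
      "secretstore:get": "rule:admin"
      "secretstore_preferred:delete": "rule:admin"
      "secretstore_preferred:post": "rule:admin"
      "secretstores:get": "rule:admin"
      "secretstores:get_global_default": "rule:admin"
      "secretstores:get_preferred": "rule:admin"
      "service_admin": "role:key-manager:service-admin"
      "transport_key:delete": "rule:admin"
      "transport_key:get": "rule:all_users"
      "transport_keys:get": "rule:all_users"
      "transport_keys:post": "rule:admin"
      # "@" always allows: the version document needs no role.
      "version:get": "@"
    # Queens reuses the Pike map unchanged through parameter interpolation.
    barbican_default_policy_queens: ${_param:barbican_default_policy_pike}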
92 bgppvn_default_policy_ocata: {}
93 bgppvn_default_policy_pike:
94 "create_bgpvpn": "rule:admin_only"
95 "create_bgpvpn_network_association": "rule:admin_or_owner"
96 "create_bgpvpn_port_association": "rule:admin_or_owner"
97 "create_bgpvpn_router_association": "rule:admin_or_owner"
98 "delete_bgpvpn": "rule:admin_only"
99 "delete_bgpvpn_network_association": "rule:admin_or_owner"
100 "delete_bgpvpn_port_association": "rule:admin_or_owner"
101 "delete_bgpvpn_router_association": "rule:admin_or_owner"
102 "get_bgpvpn": "rule:admin_or_owner"
103 "get_bgpvpn:export_targets": "rule:admin_only"
104 "get_bgpvpn:import_targets": "rule:admin_only"
105 "get_bgpvpn:route_distinguishers": "rule:admin_only"
106 "get_bgpvpn:route_targets": "rule:admin_only"
107 "get_bgpvpn:tenant_id": "rule:admin_only"
108 "get_bgpvpn_network_association": "rule:admin_or_owner"
109 "get_bgpvpn_network_association:tenant_id": "rule:admin_only"
110 "get_bgpvpn_network_associations": "rule:admin_or_owner"
111 "get_bgpvpn_port_association": "rule:admin_or_owner"
112 "get_bgpvpn_port_association:tenant_id": "rule:admin_only"
113 "get_bgpvpn_port_associations": "rule:admin_or_owner"
114 "get_bgpvpn_router_association": "rule:admin_or_owner"
115 "get_bgpvpn_router_association:tenant_id": "rule:admin_only"
116 "get_bgpvpn_router_associations": "rule:admin_or_owner"
117 "update_bgpvpn": "rule:admin_or_owner"
118 "update_bgpvpn:export_targets": "rule:admin_only"
119 "update_bgpvpn:import_targets": "rule:admin_only"
120 "update_bgpvpn:route_distinguishers": "rule:admin_only"
121 "update_bgpvpn:route_targets": "rule:admin_only"
122 "update_bgpvpn:tenant_id": "rule:admin_only"
123 "update_bgpvpn_network_association": "rule:admin_or_owner"
124 "update_bgpvpn_port_association": "rule:admin_or_owner"
125 "update_bgpvpn_router_association": "rule:admin_or_owner"
126 bgpvpn_default_policy_queens: ${_param:bgppvn_default_policy_pike}
127 cinder_default_policy_ocata: {}
128 cinder_default_policy_pike:
129 "admin_api": "is_admin:True or (role:admin and is_admin_project:True)"
130 "admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
131 "backup:backup-export": "rule:admin_api"
132 "backup:backup-import": "rule:admin_api"
133 "backup:backup_project_attribute": "rule:admin_api"
134 "backup:create": ""
135 "backup:delete": "rule:admin_or_owner"
136 "backup:get_all": "rule:admin_or_owner"
137 "backup:get": "rule:admin_or_owner"
138 "backup:restore": "rule:admin_or_owner"
139 "backup:update": "rule:admin_or_owner"
140 "clusters:get_all": "rule:admin_api"
141 "clusters:get": "rule:admin_api"
142 "clusters:update": "rule:admin_api"
143 "consistencygroup:create_cgsnapshot": "group:nobody"
144 "consistencygroup:create": "group:nobody"
145 "consistencygroup:delete_cgsnapshot": "group:nobody"
146 "consistencygroup:delete": "group:nobody"
147 "consistencygroup:get_all_cgsnapshots": "group:nobody"
148 "consistencygroup:get_all": "group:nobody"
149 "consistencygroup:get_cgsnapshot": "group:nobody"
150 "consistencygroup:get": "group:nobody"
151 "consistencygroup:update": "group:nobody"
152 "default": "rule:admin_or_owner"
153 "group:access_group_types_specs": "rule:admin_api"
154 "group:create": ""
155 "group:create_group_snapshot": ""
156 "group:delete_group_snapshot": "rule:admin_or_owner"
157 "group:delete": "rule:admin_or_owner"
158 "group:disable_replication": "rule:admin_or_owner"
159 "group:enable_replication": "rule:admin_or_owner"
160 "group:failover_replication": "rule:admin_or_owner"
161 "group:get_all_group_snapshots": "rule:admin_or_owner"
162 "group:get_all": "rule:admin_or_owner"
163 "group:get_group_snapshot": "rule:admin_or_owner"
164 "group:get": "rule:admin_or_owner"
165 "group:group_type_access": "rule:admin_or_owner"
166 "group:group_types_manage": "rule:admin_api"
167 "group:group_types_specs": "rule:admin_api"
168 "group:list_replication_targets": "rule:admin_or_owner"
169 "group:reset_group_snapshot_status": "rule:admin_api"
170 "group:reset_status": "rule:admin_api"
171 "group:update_group_snapshot": "rule:admin_or_owner"
172 "group:update": "rule:admin_or_owner"
173 "message:delete": "rule:admin_or_owner"
174 "message:get_all": "rule:admin_or_owner"
175 "message:get": "rule:admin_or_owner"
176 "scheduler_extension:scheduler_stats:get_pools": "rule:admin_api"
177 "snapshot_extension:list_manageable": "rule:admin_api"
178 "snapshot_extension:snapshot_actions:update_snapshot_status": ""
179 "snapshot_extension:snapshot_manage": "rule:admin_api"
180 "snapshot_extension:snapshot_unmanage": "rule:admin_api"
181 "volume:accept_transfer": ""
182 "volume:attachment_create": ""
183 "volume:attachment_delete": "rule:admin_or_owner"
184 "volume:attachment_update": "rule:admin_or_owner"
185 "volume:create": ""
186 "volume:create_from_image": ""
187 "volume:create_snapshot": "rule:admin_or_owner"
188 "volume:create_transfer": "rule:admin_or_owner"
189 "volume:create_volume_metadata": "rule:admin_or_owner"
190 "volume:delete": "rule:admin_or_owner"
191 "volume:delete_snapshot_metadata": "rule:admin_or_owner"
192 "volume:delete_snapshot": "rule:admin_or_owner"
193 "volume:delete_transfer": "rule:admin_or_owner"
194 "volume:delete_volume_metadata": "rule:admin_or_owner"
195 "volume:extend_attached_volume": "rule:admin_or_owner"
196 "volume:extend": "rule:admin_or_owner"
197 "volume_extension:access_types_extra_specs": "rule:admin_api"
198 "volume_extension:access_types_qos_specs_id": "rule:admin_api"
199 "volume_extension:backup_admin_actions:force_delete": "rule:admin_api"
200 "volume_extension:backup_admin_actions:reset_status": "rule:admin_api"
201 "volume_extension:capabilities": "rule:admin_api"
202 "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner"
203 "volume_extension:hosts": "rule:admin_api"
204 "volume_extension:list_manageable": "rule:admin_api"
205 "volume_extension:qos_specs_manage:create": "rule:admin_api"
206 "volume_extension:qos_specs_manage:delete": "rule:admin_api"
207 "volume_extension:qos_specs_manage:get_all": "rule:admin_api"
208 "volume_extension:qos_specs_manage:get": "rule:admin_api"
209 "volume_extension:qos_specs_manage:update": "rule:admin_api"
210 "volume_extension:quota_classes": "rule:admin_api"
211 "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api"
212 "volume_extension:quotas:delete": "rule:admin_api"
213 "volume_extension:quotas:show": ""
214 "volume_extension:quotas:update": "rule:admin_api"
215 "volume_extension:services:index": "rule:admin_api"
216 "volume_extension:services:update": "rule:admin_api"
217 "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api"
218 "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api"
219 "volume_extension:types_extra_specs:create": "rule:admin_api"
220 "volume_extension:types_extra_specs:delete": "rule:admin_api"
221 "volume_extension:types_extra_specs:index": "rule:admin_api"
222 "volume_extension:types_extra_specs:show": "rule:admin_api"
223 "volume_extension:types_extra_specs:update": "rule:admin_api"
224 "volume_extension:types_manage": "rule:admin_api"
225 "volume_extension:volume_actions:upload_image": "rule:admin_or_owner"
226 "volume_extension:volume_actions:upload_public": "rule:admin_api"
227 "volume_extension:volume_admin_actions:force_delete": "rule:admin_api"
228 "volume_extension:volume_admin_actions:force_detach": "rule:admin_api"
229 "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api"
230 "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api"
231 "volume_extension:volume_admin_actions:reset_status": "rule:admin_api"
232 "volume_extension:volume_encryption_metadata": "rule:admin_or_owner"
233 "volume_extension:volume_host_attribute": "rule:admin_api"
234 "volume_extension:volume_image_metadata": "rule:admin_or_owner"
235 "volume_extension:volume_manage": "rule:admin_api"
236 "volume_extension:volume_mig_status_attribute": "rule:admin_api"
237 "volume_extension:volume_tenant_attribute": "rule:admin_or_owner"
238 "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api"
239 "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api"
240 "volume_extension:volume_type_access": "rule:admin_or_owner"
241 "volume_extension:volume_type_encryption": "rule:admin_api"
242 "volume_extension:volume_unmanage": "rule:admin_api"
243 "volume:failover_host": "rule:admin_api"
244 "volume:force_delete": "rule:admin_api"
245 "volume:freeze_host": "rule:admin_api"
246 "volume:get_all": "rule:admin_or_owner"
247 "volume:get_all_snapshots": "rule:admin_or_owner"
248 "volume:get_all_transfers": "rule:admin_or_owner"
249 "volume:get": "rule:admin_or_owner"
250 "volume:get_snapshot_metadata": "rule:admin_or_owner"
251 "volume:get_snapshot": "rule:admin_or_owner"
252 "volume:get_transfer": "rule:admin_or_owner"
253 "volume:get_volume_admin_metadata": "rule:admin_api"
254 "volume:get_volume_metadata": "rule:admin_or_owner"
255 "volume:retype": "rule:admin_or_owner"
256 "volume:revert_to_snapshot": "rule:admin_or_owner"
257 "volume:thaw_host": "rule:admin_api"
258 "volume:update_readonly_flag": "rule:admin_or_owner"
259 "volume:update": "rule:admin_or_owner"
260 "volume:update_snapshot_metadata": "rule:admin_or_owner"
261 "volume:update_snapshot": "rule:admin_or_owner"
262 "volume:update_volume_admin_metadata": "rule:admin_api"
263 "volume:update_volume_metadata": "rule:admin_or_owner"
264 "workers:cleanup": "rule:admin_api"
265 cinder_default_policy_queens: ${_param:cinder_default_policy_pike}
266 designate_default_policy_ocata: {}
267 designate_default_policy_pike: &designate_default_policy_pike
268 "abandon_zone": "rule:admin"
269 "admin": "role:admin or is_admin:True"
270 "admin_or_owner": "rule:admin or rule:owner"
271 "admin_or_owner_or_target": "rule:owner_or_target or rule:admin"
272 "admin_or_target": "rule:admin or rule:target"
273 "all_tenants": "rule:admin"
274 "count_records": "rule:admin_or_owner"
275 "count_recordset": "rule:admin_or_owner"
276 "count_tenants": "rule:admin"
277 "count_zones": "rule:admin_or_owner"
278 "count_zones_pending_notify": "rule:admin_or_owner"
279 "create_blacklist": "rule:admin"
280 "create_pool": "rule:admin"
281 "create_record": "rule:admin_or_owner"
282 "create_recordset": "rule:zone_primary_or_admin"
283 "create_tld": "rule:admin"
284 "create_tsigkey": "rule:admin"
285 "create_zone": "rule:admin_or_owner"
286 "create_zone_export": "rule:admin_or_owner"
287 "create_zone_import": "rule:admin_or_owner"
288 "create_zone_transfer_accept": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s"
289 "create_zone_transfer_request": "rule:admin_or_owner"
290 "default": "rule:admin_or_owner"
291 "delete_blacklist": "rule:admin"
292 "delete_pool": "rule:admin"
293 "delete_record": "rule:admin_or_owner"
294 "delete_recordset": "rule:zone_primary_or_admin"
295 "delete_tld": "rule:admin"
296 "delete_tsigkey": "rule:admin"
297 "delete_zone": "rule:admin_or_owner"
298 "delete_zone_import": "rule:admin_or_owner"
299 "delete_zone_transfer_accept": "rule:admin"
300 "delete_zone_transfer_request": "rule:admin_or_owner"
301 "diagnostics_ping": "rule:admin"
302 "diagnostics_sync_record": "rule:admin"
303 "diagnostics_sync_zone": "rule:admin"
304 "diagnostics_sync_zones": "rule:admin"
305 "edit_managed_records": "rule:admin"
306 "find_blacklist": "rule:admin"
307 "find_blacklists": "rule:admin"
308 "find_pool": "rule:admin"
309 "find_pools": "rule:admin"
310 "find_record": "rule:admin_or_owner"
311 "find_records": "rule:admin_or_owner"
312 "find_recordset": "rule:admin_or_owner"
313 "find_recordsets": "rule:admin_or_owner"
314 "find_service_status": "rule:admin"
315 "find_service_statuses": "rule:admin"
316 "find_tenants": "rule:admin"
317 "find_tlds": "rule:admin"
318 "find_tsigkeys": "rule:admin"
319 "find_zone": "rule:admin_or_owner"
320 "find_zone_exports": "rule:admin_or_owner"
321 "find_zone_imports": "rule:admin_or_owner"
322 "find_zone_transfer_accept": "rule:admin"
323 "find_zone_transfer_accepts": "rule:admin"
324 "find_zone_transfer_request": "@"
325 "find_zone_transfer_requests": "@"
326 "find_zones": "rule:admin_or_owner"
327 "get_blacklist": "rule:admin"
328 "get_pool": "rule:admin"
329 "get_quota": "rule:admin_or_owner"
330 "get_quotas": "rule:admin_or_owner"
331 "get_record": "rule:admin_or_owner"
332 "get_records": "rule:admin_or_owner"
333 "get_recordset": "rule:admin_or_owner"
334 "get_recordsets": "rule:admin_or_owner"
335 "get_tenant": "rule:admin"
336 "get_tld": "rule:admin"
337 "get_tsigkey": "rule:admin"
338 "get_zone": "rule:admin_or_owner"
339 "get_zone_export": "rule:admin_or_owner"
340 "get_zone_import": "rule:admin_or_owner"
341 "get_zone_servers": "rule:admin_or_owner"
342 "get_zone_transfer_accept": "rule:admin_or_owner"
343 "get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s"
344 "get_zone_transfer_request_detailed": "rule:admin_or_owner"
345 "get_zones": "rule:admin_or_owner"
346 "owner": "tenant:%(tenant_id)s"
347 "owner_or_target": "rule:target or rule:owner"
348 "primary_zone": "target.zone_type:SECONDARY"
349 "purge_zones": "rule:admin"
350 "reset_quotas": "rule:admin"
351 "set_quota": "rule:admin"
352 "target": "tenant:%(target_tenant_id)s"
353 "touch_zone": "rule:admin_or_owner"
354 "update_blacklist": "rule:admin"
355 "update_pool": "rule:admin"
356 "update_record": "rule:admin_or_owner"
357 "update_recordset": "rule:zone_primary_or_admin"
358 "update_service_service_status": "rule:admin"
359 "update_tld": "rule:admin"
360 "update_tsigkey": "rule:admin"
361 "update_zone": "rule:admin_or_owner"
362 "update_zone_export": "rule:admin_or_owner"
363 "update_zone_import": "rule:admin_or_owner"
364 "update_zone_transfer_accept": "rule:admin"
365 "update_zone_transfer_request": "rule:admin_or_owner"
366 "use_blacklisted_zone": "rule:admin"
367 "use_low_ttl": "rule:admin"
368 "use_sudo": "rule:admin"
369 "xfr_zone": "rule:admin_or_owner"
370 "zone_create_forced_pool": "rule:admin"
371 "zone_export": "rule:admin_or_owner"
372 "zone_primary_or_admin": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
373 designate_default_policy_queens:
374 << : *designate_default_policy_pike
375 "create_record":
376 "create_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
377 "create_zone_transfer_accept": "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s"
378 "delete_record":
379 "delete_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
380 "find_record":
381 "find_records": "rule:admin_or_owner"
382 "find_recordset":
383 "find_recordsets":
384 "find_zone":
385 "get_record":
386 "get_records":
387 "get_zone_transfer_request": "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s"
388 "update_record":
389 "update_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
390 "update_service_status": "rule:admin"
391 "update_service_service_status":
392 glance_default_policy_ocata: {}
393 glance_default_policy_pike:
394 "add_image": ""
395 "add_member": ""
396 "add_metadef_namespace": ""
397 "add_metadef_object": ""
398 "add_metadef_property": ""
399 "add_metadef_resource_type_association": ""
400 "add_metadef_tag": ""
401 "add_metadef_tags": ""
402 "add_task": ""
403 "communitize_image": ""
404 "context_is_admin": "role:admin"
405 "copy_from": ""
406 "deactivate": ""
407 "default": "role:admin"
408 "delete_image": ""
409 "delete_image_location": ""
410 "delete_member": ""
411 "download_image": ""
412 "get_image": ""
413 "get_image_location": ""
414 "get_images": ""
415 "get_member": ""
416 "get_members": ""
417 "get_metadef_namespace": ""
418 "get_metadef_namespaces": ""
419 "get_metadef_object": ""
420 "get_metadef_objects": ""
421 "get_metadef_properties": ""
422 "get_metadef_property": ""
423 "get_metadef_resource_type": ""
424 "get_metadef_tag": ""
425 "get_metadef_tags": ""
426 "get_task": ""
427 "get_tasks": ""
428 "list_metadef_resource_types": ""
429 "manage_image_cache": "role:admin"
430 "modify_image": ""
431 "modify_member": ""
432 "modify_metadef_namespace": ""
433 "modify_metadef_object": ""
434 "modify_metadef_property": ""
435 "modify_metadef_tag": ""
436 "modify_task": ""
437 "publicize_image": "role:admin"
438 "reactivate": ""
439 "set_image_location": ""
440 "tasks_api_access": "role:admin"
441 "upload_image": ""
442 glance_default_policy_queens: ${_param:glance_default_policy_pike}
Ivan Berezovskiy4ee1f612020-03-27 14:20:40 +0400443 gnocchi_default_policy_ocata: {}
444 gnocchi_default_policy_pike: &gnocchi_default_policy_pike
445 "admin_or_creator": "role:admin or user:%(creator)s or project_id:%(created_by_project_id)s"
446 "create archive policy rule": "role:admin"
447 "create archive policy": "role:admin"
448 "create metric": ""
449 "create resource type": "role:admin"
450 "create resource": ""
451 "delete archive policy rule": "role:admin"
452 "delete archive policy": "role:admin"
453 "delete metric": "rule:admin_or_creator"
454 "delete resource type": "role:admin"
455 "delete resource": "rule:admin_or_creator"
456 "delete resources": "rule:admin_or_creator"
457 "get archive policy rule": ""
458 "get archive policy": ""
459 "get measures": "rule:admin_or_creator or rule:metric_owner"
460 "get metric": "rule:admin_or_creator or rule:metric_owner"
461 "get resource type": ""
462 "get resource": "rule:admin_or_creator or rule:resource_owner"
463 "get status": "role:admin"
464 "list all metric": "role:admin"
465 "list archive policy rule": ""
466 "list archive policy": ""
467 "list metric": ""
468 "list resource type": ""
469 "list resource": "rule:admin_or_creator or rule:resource_owner"
470 "metric_owner": "project_id:%(resource.project_id)s"
471 "post measures": "rule:admin_or_creator"
472 "resource_owner": "project_id:%(project_id)s"
473 "search metric": "rule:admin_or_creator or rule:metric_owner"
474 "search resource": "rule:admin_or_creator or rule:resource_owner"
475 "update archive policy": "role:admin"
476 "update resource type": "role:admin"
477 "update resource": "rule:admin_or_creator"
478 gnocchi_default_policy_queens:
479 << : *gnocchi_default_policy_pike
480 "list all metric":
481 "list metric": "rule:admin_or_creator or rule:metric_owner"
482 "update archive policy rule": "role:admin"
Ivan Berezovskiye7ea8e62020-01-16 16:47:02 +0400483 heat_default_policy_ocata: {}
484 heat_default_policy_pike:
485 "actions:action": "rule:deny_stack_user"
486 "build_info:build_info": "rule:deny_stack_user"
487 "cloudformation:CancelUpdateStack": "rule:deny_stack_user"
488 "cloudformation:CreateStack": "rule:deny_stack_user"
489 "cloudformation:DeleteStack": "rule:deny_stack_user"
490 "cloudformation:DescribeStackEvents": "rule:deny_stack_user"
491 "cloudformation:DescribeStackResource": ""
492 "cloudformation:DescribeStackResources": "rule:deny_stack_user"
493 "cloudformation:DescribeStacks": "rule:deny_stack_user"
494 "cloudformation:EstimateTemplateCost": "rule:deny_stack_user"
495 "cloudformation:GetTemplate": "rule:deny_stack_user"
496 "cloudformation:ListStackResources": "rule:deny_stack_user"
497 "cloudformation:ListStacks": "rule:deny_stack_user"
498 "cloudformation:UpdateStack": "rule:deny_stack_user"
499 "cloudformation:ValidateTemplate": "rule:deny_stack_user"
500 "cloudwatch:DeleteAlarms": "rule:deny_stack_user"
501 "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user"
502 "cloudwatch:DescribeAlarms": "rule:deny_stack_user"
503 "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user"
504 "cloudwatch:DisableAlarmActions": "rule:deny_stack_user"
505 "cloudwatch:EnableAlarmActions": "rule:deny_stack_user"
506 "cloudwatch:GetMetricStatistics": "rule:deny_stack_user"
507 "cloudwatch:ListMetrics": "rule:deny_stack_user"
508 "cloudwatch:PutMetricAlarm": "rule:deny_stack_user"
509 "cloudwatch:PutMetricData": ""
510 "cloudwatch:SetAlarmState": "rule:deny_stack_user"
511 "context_is_admin": "role:admin and is_admin_project:True"
512 "deny_everybody": "!"
513 "deny_stack_user": "not role:heat_stack_user"
514 "events:index": "rule:deny_stack_user"
515 "events:show": "rule:deny_stack_user"
516 "project_admin": "role:admin"
517 "resource:index": "rule:deny_stack_user"
518 "resource:mark_unhealthy": "rule:deny_stack_user"
519 "resource:metadata": ""
520 "resource:show": "rule:deny_stack_user"
521 "resource:signal": ""
522 "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin"
523 "resource_types:OS::Cinder::QoSAssociation": "rule:project_admin"
524 "resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
525 "resource_types:OS::Cinder::Quota": "rule:project_admin"
526 "resource_types:OS::Cinder::VolumeType": "rule:project_admin"
527 "resource_types:OS::Keystone::*": "rule:project_admin"
528 "resource_types:OS::Manila::ShareType": "rule:project_admin"
529 "resource_types:OS::Neutron::ProviderNet": "rule:project_admin"
530 "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin"
531 "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin"
532 "resource_types:OS::Neutron::Quota": "rule:project_admin"
533 "resource_types:OS::Neutron::Segment": "rule:project_admin"
534 "resource_types:OS::Nova::Flavor": "rule:project_admin"
535 "resource_types:OS::Nova::HostAggregate": "rule:project_admin"
536 "resource_types:OS::Nova::Quota": "rule:project_admin"
537 "service:index": "rule:context_is_admin"
538 "software_configs:create": "rule:deny_stack_user"
539 "software_configs:delete": "rule:deny_stack_user"
540 "software_configs:global_index": "rule:deny_everybody"
541 "software_configs:index": "rule:deny_stack_user"
542 "software_configs:show": "rule:deny_stack_user"
543 "software_deployments:create": "rule:deny_stack_user"
544 "software_deployments:delete": "rule:deny_stack_user"
545 "software_deployments:index": "rule:deny_stack_user"
546 "software_deployments:metadata": ""
547 "software_deployments:show": "rule:deny_stack_user"
548 "software_deployments:update": "rule:deny_stack_user"
549 "stacks:abandon": "rule:deny_stack_user"
550 "stacks:create": "rule:deny_stack_user"
551 "stacks:delete": "rule:deny_stack_user"
552 "stacks:delete_snapshot": "rule:deny_stack_user"
553 "stacks:detail": "rule:deny_stack_user"
554 "stacks:environment": "rule:deny_stack_user"
555 "stacks:export": "rule:deny_stack_user"
556 "stacks:files": "rule:deny_stack_user"
557 "stacks:generate_template": "rule:deny_stack_user"
558 "stacks:global_index": "rule:deny_everybody"
559 "stacks:index": "rule:deny_stack_user"
560 "stacks:list_outputs": "rule:deny_stack_user"
561 "stacks:list_resource_types": "rule:deny_stack_user"
562 "stacks:list_snapshots": "rule:deny_stack_user"
563 "stacks:list_template_functions": "rule:deny_stack_user"
564 "stacks:list_template_versions": "rule:deny_stack_user"
565 "stacks:lookup": ""
566 "stacks:preview": "rule:deny_stack_user"
567 "stacks:preview_update": "rule:deny_stack_user"
568 "stacks:preview_update_patch": "rule:deny_stack_user"
569 "stacks:resource_schema": "rule:deny_stack_user"
570 "stacks:restore_snapshot": "rule:deny_stack_user"
571 "stacks:show": "rule:deny_stack_user"
572 "stacks:show_output": "rule:deny_stack_user"
573 "stacks:show_snapshot": "rule:deny_stack_user"
574 "stacks:snapshot": "rule:deny_stack_user"
575 "stacks:template": "rule:deny_stack_user"
576 "stacks:update": "rule:deny_stack_user"
577 "stacks:update_patch": "rule:deny_stack_user"
578 "stacks:validate_template": "rule:deny_stack_user"
579 heat_default_policy_queens: ${_param:heat_default_policy_pike}
Ivan Berezovskiyc1dbd202020-03-26 20:25:52 +0400580 ironic_default_policy_ocata: {}
# Ironic (bare metal) API policy for Pike, written in oslo.policy rule syntax.
# The &ironic_default_policy_pike anchor lets other mappings merge this one.
581 ironic_default_policy_pike: &ironic_default_policy_pike
582 "admin_api": "role:admin or role:administrator"
583 "baremetal:chassis:create": "rule:is_admin"
584 "baremetal:chassis:delete": "rule:is_admin"
585 "baremetal:chassis:get": "rule:is_admin or rule:is_observer"
586 "baremetal:chassis:update": "rule:is_admin"
587 "baremetal:driver:get": "rule:is_admin or rule:is_observer"
588 "baremetal:driver:get_properties": "rule:is_admin or rule:is_observer"
589 "baremetal:driver:get_raid_logical_disk_properties": "rule:is_admin or rule:is_observer"
# Gated by "public_api" (is_public_api:True, defined below), not by a role check.
# NOTE(review): presumably the deploy-agent lookup endpoint; confirm it is reachable only from the provisioning network.
590 "baremetal:driver:ipa_lookup": "rule:public_api"
591 "baremetal:driver:vendor_passthru": "rule:is_admin"
592 "baremetal:node:clear_maintenance": "rule:is_admin"
593 "baremetal:node:create": "rule:is_admin"
594 "baremetal:node:delete": "rule:is_admin"
595 "baremetal:node:get": "rule:is_admin or rule:is_observer"
596 "baremetal:node:get_boot_device": "rule:is_admin or rule:is_observer"
597 "baremetal:node:get_console": "rule:is_admin"
598 "baremetal:node:get_states": "rule:is_admin or rule:is_observer"
599 "baremetal:node:inject_nmi": "rule:is_admin"
# Same "public_api" gating as ipa_lookup: no role is required by this rule.
600 "baremetal:node:ipa_heartbeat": "rule:public_api"
601 "baremetal:node:set_boot_device": "rule:is_admin"
602 "baremetal:node:set_console_state": "rule:is_admin"
603 "baremetal:node:set_maintenance": "rule:is_admin"
604 "baremetal:node:set_power_state": "rule:is_admin"
605 "baremetal:node:set_provision_state": "rule:is_admin"
606 "baremetal:node:set_raid_state": "rule:is_admin"
607 "baremetal:node:update": "rule:is_admin"
608 "baremetal:node:validate": "rule:is_admin"
609 "baremetal:node:vendor_passthru": "rule:is_admin"
610 "baremetal:node:vif:attach": "rule:is_admin"
611 "baremetal:node:vif:detach": "rule:is_admin"
612 "baremetal:node:vif:list": "rule:is_admin"
613 "baremetal:port:create": "rule:is_admin"
614 "baremetal:port:delete": "rule:is_admin"
615 "baremetal:port:get": "rule:is_admin or rule:is_observer"
616 "baremetal:port:update": "rule:is_admin"
617 "baremetal:portgroup:create": "rule:is_admin"
618 "baremetal:portgroup:delete": "rule:is_admin"
619 "baremetal:portgroup:get": "rule:is_admin or rule:is_observer"
620 "baremetal:portgroup:update": "rule:is_admin"
621 "baremetal:volume:create": "rule:is_admin"
622 "baremetal:volume:delete": "rule:is_admin"
623 "baremetal:volume:get": "rule:is_admin or rule:is_observer"
624 "baremetal:volume:update": "rule:is_admin"
# Admin access: admin_api, or a member (is_member) that also holds baremetal_admin.
625 "is_admin": "rule:admin_api or (rule:is_member and role:baremetal_admin)"
# NOTE(review): membership is matched on project names (demo, baremetal) in the default/None domain.
# Both is_admin and is_observer build on this rule, so confirm these projects are intended in this deployment.
626 "is_member": "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
627 "is_observer": "rule:is_member and (role:observer or role:baremetal_observer)"
628 "public_api": "is_public_api:True"
# "!" is the oslo.policy never-allow check: these two are denied to every caller.
629 "show_instance_secrets": "!"
630 "show_password": "!"
# Ironic policy for Queens: merges every Pike rule through the YAML merge key (<<)
# and adds the three node-traits rules; only observers and admins may list traits.
631 ironic_default_policy_queens:
632 << : *ironic_default_policy_pike
633 "baremetal:node:traits:delete": "rule:is_admin"
634 "baremetal:node:traits:list": "rule:is_admin or rule:is_observer"
635 "baremetal:node:traits:set": "rule:is_admin"
Ivan Berezovskiye7ea8e62020-01-16 16:47:02 +0400636 keystone_default_policy_ocata: {}
# Keystone (identity) API policy for Pike, written in oslo.policy rule syntax.
# The &keystone_default_policy_pike anchor lets other mappings merge this one.
# An empty rule string ("") is an always-true check in oslo.policy: the policy layer
# admits any caller that reaches it, so any further restriction must come from the service code.
637 keystone_default_policy_pike: &keystone_default_policy_pike
638 "admin_or_owner": "rule:admin_required or rule:owner"
639 "admin_or_token_subject": "rule:admin_required or rule:token_subject"
# role:admin is matched here without any project or domain scope.
# NOTE(review): is_admin:1 is presumably the admin-token bootstrap context; confirm that path is disabled in production.
640 "admin_required": "role:admin or is_admin:1"
641 "identity:add_endpoint_group_to_project": "rule:admin_required"
642 "identity:add_endpoint_to_project": "rule:admin_required"
643 "identity:add_user_to_group": "rule:admin_required"
644 "identity:authorize_request_token": "rule:admin_required"
645 "identity:check_endpoint_in_project": "rule:admin_required"
646 "identity:check_grant": "rule:admin_required"
647 "identity:check_implied_role": "rule:admin_required"
648 "identity:check_policy_association_for_endpoint": "rule:admin_required"
649 "identity:check_policy_association_for_region_and_service": "rule:admin_required"
650 "identity:check_policy_association_for_service": "rule:admin_required"
651 "identity:check_token": "rule:admin_or_token_subject"
652 "identity:check_user_in_group": "rule:admin_required"
653 "identity:create_consumer": "rule:admin_required"
654 "identity:create_credential": "rule:admin_required"
655 "identity:create_domain": "rule:admin_required"
656 "identity:create_domain_config": "rule:admin_required"
657 "identity:create_domain_role": "rule:admin_required"
658 "identity:create_endpoint": "rule:admin_required"
659 "identity:create_endpoint_group": "rule:admin_required"
660 "identity:create_grant": "rule:admin_required"
661 "identity:create_group": "rule:admin_required"
662 "identity:create_identity_provider": "rule:admin_required"
663 "identity:create_implied_role": "rule:admin_required"
664 "identity:create_mapping": "rule:admin_required"
665 "identity:create_policy": "rule:admin_required"
666 "identity:create_policy_association_for_endpoint": "rule:admin_required"
667 "identity:create_policy_association_for_region_and_service": "rule:admin_required"
668 "identity:create_policy_association_for_service": "rule:admin_required"
669 "identity:create_project": "rule:admin_required"
670 "identity:create_protocol": "rule:admin_required"
671 "identity:create_region": "rule:admin_required"
672 "identity:create_role": "rule:admin_required"
673 "identity:create_service": "rule:admin_required"
674 "identity:create_service_provider": "rule:admin_required"
# Only the user named as trustor in the request may create the trust; admins get no bypass in this rule.
675 "identity:create_trust": "user_id:%(trust.trustor_user_id)s"
676 "identity:create_user": "rule:admin_required"
677 "identity:delete_access_token": "rule:admin_required"
678 "identity:delete_consumer": "rule:admin_required"
679 "identity:delete_credential": "rule:admin_required"
680 "identity:delete_domain": "rule:admin_required"
681 "identity:delete_domain_config": "rule:admin_required"
682 "identity:delete_domain_role": "rule:admin_required"
683 "identity:delete_endpoint": "rule:admin_required"
684 "identity:delete_endpoint_group": "rule:admin_required"
685 "identity:delete_group": "rule:admin_required"
686 "identity:delete_identity_provider": "rule:admin_required"
687 "identity:delete_implied_role": "rule:admin_required"
688 "identity:delete_mapping": "rule:admin_required"
689 "identity:delete_policy": "rule:admin_required"
690 "identity:delete_policy_association_for_endpoint": "rule:admin_required"
691 "identity:delete_policy_association_for_region_and_service": "rule:admin_required"
692 "identity:delete_policy_association_for_service": "rule:admin_required"
693 "identity:delete_project": "rule:admin_required"
694 "identity:delete_protocol": "rule:admin_required"
695 "identity:delete_region": "rule:admin_required"
696 "identity:delete_role": "rule:admin_required"
697 "identity:delete_service": "rule:admin_required"
698 "identity:delete_service_provider": "rule:admin_required"
# Empty rule on a destructive action: nothing is restricted at the policy layer.
# NOTE(review): confirm keystone itself limits trust deletion to the trustor or an admin.
699 "identity:delete_trust": ""
700 "identity:delete_user": "rule:admin_required"
701 "identity:ec2_create_credential": "rule:admin_or_owner"
702 "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"
703 "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"
704 "identity:ec2_list_credentials": "rule:admin_or_owner"
705 "identity:get_access_token": "rule:admin_required"
706 "identity:get_access_token_role": "rule:admin_required"
707 "identity:get_auth_catalog": ""
708 "identity:get_auth_domains": ""
709 "identity:get_auth_projects": ""
710 "identity:get_consumer": "rule:admin_required"
711 "identity:get_credential": "rule:admin_required"
712 "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s"
713 "identity:get_domain_config": "rule:admin_required"
714 "identity:get_domain_config_default": "rule:admin_required"
715 "identity:get_domain_role": "rule:admin_required"
716 "identity:get_endpoint": "rule:admin_required"
717 "identity:get_endpoint_group": "rule:admin_required"
718 "identity:get_endpoint_group_in_project": "rule:admin_required"
719 "identity:get_group": "rule:admin_required"
720 "identity:get_identity_provider": "rule:admin_required"
721 "identity:get_implied_role": "rule:admin_required"
722 "identity:get_mapping": "rule:admin_required"
723 "identity:get_policy": "rule:admin_required"
724 "identity:get_policy_for_endpoint": "rule:admin_required"
725 "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s"
726 "identity:get_protocol": "rule:admin_required"
727 "identity:get_region": ""
728 "identity:get_role": "rule:admin_required"
729 "identity:get_role_for_trust": ""
730 "identity:get_security_compliance_domain_config": ""
731 "identity:get_service": "rule:admin_required"
732 "identity:get_service_provider": "rule:admin_required"
# Empty rule, like the other trust reads (get_role_for_trust, list_roles_for_trust, list_trusts).
# NOTE(review): confirm the service limits trust visibility to trustor/trustee.
733 "identity:get_trust": ""
734 "identity:get_user": "rule:admin_or_owner"
735 "identity:list_access_token_roles": "rule:admin_required"
736 "identity:list_access_tokens": "rule:admin_required"
737 "identity:list_consumers": "rule:admin_required"
738 "identity:list_credentials": "rule:admin_required"
739 "identity:list_domain_roles": "rule:admin_required"
740 "identity:list_domains": "rule:admin_required"
741 "identity:list_domains_for_user": ""
742 "identity:list_endpoint_groups": "rule:admin_required"
743 "identity:list_endpoint_groups_for_project": "rule:admin_required"
744 "identity:list_endpoints": "rule:admin_required"
745 "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required"
746 "identity:list_endpoints_for_policy": "rule:admin_required"
747 "identity:list_endpoints_for_project": "rule:admin_required"
748 "identity:list_grants": "rule:admin_required"
749 "identity:list_groups": "rule:admin_required"
750 "identity:list_groups_for_user": "rule:admin_or_owner"
751 "identity:list_identity_providers": "rule:admin_required"
752 "identity:list_implied_roles": "rule:admin_required"
753 "identity:list_mappings": "rule:admin_required"
754 "identity:list_policies": "rule:admin_required"
755 "identity:list_projects": "rule:admin_required"
756 "identity:list_projects_associated_with_endpoint_group": "rule:admin_required"
757 "identity:list_projects_for_endpoint": "rule:admin_required"
758 "identity:list_projects_for_user": ""
759 "identity:list_protocols": "rule:admin_required"
760 "identity:list_regions": ""
761 "identity:list_revoke_events": "rule:service_or_admin"
762 "identity:list_role_assignments": "rule:admin_required"
763 "identity:list_role_assignments_for_tree": "rule:admin_required"
764 "identity:list_role_inference_rules": "rule:admin_required"
765 "identity:list_roles": "rule:admin_required"
766 "identity:list_roles_for_trust": ""
767 "identity:list_service_providers": "rule:admin_required"
768 "identity:list_services": "rule:admin_required"
769 "identity:list_trusts": ""
770 "identity:list_user_projects": "rule:admin_or_owner"
771 "identity:list_users": "rule:admin_required"
772 "identity:list_users_in_group": "rule:admin_required"
773 "identity:remove_endpoint_from_project": "rule:admin_required"
774 "identity:remove_endpoint_group_from_project": "rule:admin_required"
775 "identity:remove_user_from_group": "rule:admin_required"
776 "identity:revocation_list": "rule:service_or_admin"
777 "identity:revoke_grant": "rule:admin_required"
778 "identity:revoke_token": "rule:admin_or_token_subject"
779 "identity:update_consumer": "rule:admin_required"
780 "identity:update_credential": "rule:admin_required"
781 "identity:update_domain": "rule:admin_required"
782 "identity:update_domain_config": "rule:admin_required"
783 "identity:update_domain_role": "rule:admin_required"
784 "identity:update_endpoint": "rule:admin_required"
785 "identity:update_endpoint_group": "rule:admin_required"
786 "identity:update_group": "rule:admin_required"
787 "identity:update_identity_provider": "rule:admin_required"
788 "identity:update_mapping": "rule:admin_required"
789 "identity:update_policy": "rule:admin_required"
790 "identity:update_project": "rule:admin_required"
791 "identity:update_protocol": "rule:admin_required"
792 "identity:update_region": "rule:admin_required"
793 "identity:update_role": "rule:admin_required"
794 "identity:update_service": "rule:admin_required"
795 "identity:update_service_provider": "rule:admin_required"
796 "identity:update_user": "rule:admin_required"
797 "identity:validate_token": "rule:service_admin_or_token_subject"
798 "identity:validate_token_head": "rule:service_or_admin"
# Helper rules referenced by the entries above.
# "owner": the caller's user_id equals the user_id of the target.
799 "owner": "user_id:%(user_id)s"
800 "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject"
# Any holder of the "service" role is accepted wherever service_or_admin is used (token validation, revocation lists).
801 "service_or_admin": "rule:admin_required or rule:service_role"
802 "service_role": "role:service"
# "token_subject": the caller is the user the target token was issued to.
803 "token_subject": "user_id:%(target.token.user_id)s"
# Keystone policy for Queens: merges the Pike mapping through the YAML merge key (<<), then adds
# rules for application credentials, limits / registered limits, project tags and system grants.
# The "" entries (get_auth_system, get_limit, get_registered_limit, list_limits, list_registered_limits)
# are always-true checks in oslo.policy, i.e. unrestricted at the policy layer.
804 keystone_default_policy_queens:
805 << : *keystone_default_policy_pike
806 "identity:check_system_grant_for_group": "rule:admin_required"
807 "identity:check_system_grant_for_user": "rule:admin_required"
808 "identity:create_application_credential": "rule:admin_or_owner"
809 "identity:create_limits": "rule:admin_required"
810 "identity:create_project_tag": "rule:admin_required"
811 "identity:create_registered_limits": "rule:admin_required"
812 "identity:create_system_grant_for_group": "rule:admin_required"
813 "identity:create_system_grant_for_user": "rule:admin_required"
814 "identity:delete_application_credential": "rule:admin_or_owner"
815 "identity:delete_limit": "rule:admin_required"
816 "identity:delete_project_tag": "rule:admin_required"
817 "identity:delete_project_tags": "rule:admin_required"
818 "identity:delete_registered_limit": "rule:admin_required"
819 "identity:get_application_credential": "rule:admin_or_owner"
820 "identity:get_auth_system": ""
821 "identity:get_limit": ""
822 "identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s"
823 "identity:get_registered_limit": ""
824 "identity:list_application_credentials": "rule:admin_or_owner"
825 "identity:list_limits": ""
826 "identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s"
827 "identity:list_registered_limits": ""
828 "identity:list_system_grants_for_group": "rule:admin_required"
829 "identity:list_system_grants_for_user": "rule:admin_required"
830 "identity:revoke_system_grant_for_group": "rule:admin_required"
831 "identity:revoke_system_grant_for_user": "rule:admin_required"
832 "identity:update_limits": "rule:admin_required"
833 "identity:update_project_tags": "rule:admin_required"
834 "identity:update_registered_limits": "rule:admin_required"
# NOTE(review): no value is given, so YAML reads this as null and it replaces the merged Pike entry
# ("rule:service_or_admin"). Presumably meant to drop the rule for Queens; confirm how the consumer
# renders a null, because an empty string would turn it into an always-allow rule.
835 "identity:validate_token_head":
# Empty mapping: this parameter defines no Manila policy entries for Ocata.
836 manila_default_policy_ocata: {}
# Manila (shared file systems) API policy for Pike, written in oslo.policy rule syntax.
# Most tenant operations resolve to "default" -> "admin_or_owner" (admin, or a matching project_id);
# operator-only actions use "admin_api" (is_admin:True).
837 manila_default_policy_pike:
838 "admin_api": "is_admin:True"
839 "admin_or_owner": "is_admin:True or project_id:%(project_id)s"
840 "availability_zone:index": "rule:default"
841 "context_is_admin": "role:admin"
842 "default": "rule:admin_or_owner"
843 "message:delete": "rule:default"
844 "message:get_all": "rule:default"
845 "message:get": "rule:default"
846 "quota_class_set:show": "rule:default"
847 "quota_class_set:update": "rule:admin_api"
848 "quota_set:delete": "rule:admin_api"
849 "quota_set:show": "rule:default"
850 "quota_set:update": "rule:admin_api"
851 "scheduler_stats:pools:detail": "rule:admin_api"
852 "scheduler_stats:pools:index": "rule:admin_api"
853 "security_service:create": "rule:default"
854 "security_service:delete": "rule:default"
855 "security_service:detail": "rule:default"
856 "security_service:get_all_security_services": "rule:admin_api"
857 "security_service:index": "rule:default"
858 "security_service:show": "rule:default"
859 "security_service:update": "rule:default"
860 "service:index": "rule:admin_api"
861 "service:update": "rule:admin_api"
862 "share:access_get_all": "rule:default"
863 "share:access_get": "rule:default"
864 "share:allow_access": "rule:default"
# Empty rule: an always-true check in oslo.policy. This is the only entry in this mapping that
# bypasses both "default" and "admin_api"; any limit on share creation must come from elsewhere (e.g. quotas).
865 "share:create": ""
866 "share:create_snapshot": "rule:default"
867 "share:delete": "rule:default"
868 "share:delete_share_metadata": "rule:default"
869 "share:delete_snapshot": "rule:default"
870 "share:deny_access": "rule:default"
871 "share_export_location:index": "rule:default"
872 "share_export_location:show": "rule:default"
873 "share:extend": "rule:default"
874 "share:force_delete": "rule:admin_api"
875 "share:get_all": "rule:default"
876 "share:get": "rule:default"
877 "share:get_share_metadata": "rule:default"
878 "share_group:create": "rule:default"
879 "share_group:delete": "rule:default"
880 "share_group:force_delete": "rule:admin_api"
881 "share_group:get_all": "rule:default"
882 "share_group:get": "rule:default"
883 "share_group:reset_status": "rule:admin_api"
884 "share_group_snapshot:create": "rule:default"
885 "share_group_snapshot:delete": "rule:default"
886 "share_group_snapshot:force_delete": "rule:admin_api"
887 "share_group_snapshot:get_all": "rule:default"
888 "share_group_snapshot:get": "rule:default"
889 "share_group_snapshot:reset_status": "rule:admin_api"
890 "share_group_snapshot:update": "rule:default"
891 "share_group_type:add_project_access": "rule:admin_api"
892 "share_group_type:create": "rule:admin_api"
893 "share_group_type:default": "rule:default"
894 "share_group_type:delete": "rule:admin_api"
895 "share_group_type:index": "rule:default"
896 "share_group_type:list_project_access": "rule:admin_api"
897 "share_group_type:remove_project_access": "rule:admin_api"
898 "share_group_type:show": "rule:default"
899 "share_group_types_spec:create": "rule:admin_api"
900 "share_group_types_spec:delete": "rule:admin_api"
901 "share_group_types_spec:index": "rule:admin_api"
902 "share_group_types_spec:show": "rule:admin_api"
903 "share_group_types_spec:update": "rule:admin_api"
904 "share_group:update": "rule:default"
905 "share_instance_export_location:index": "rule:admin_api"
906 "share_instance_export_location:show": "rule:admin_api"
907 "share_instance:force_delete": "rule:admin_api"
908 "share_instance:index": "rule:admin_api"
909 "share_instance:reset_status": "rule:admin_api"
910 "share_instance:show": "rule:admin_api"
911 "share:list_by_host": "rule:admin_api"
912 "share:list_by_share_server_id": "rule:admin_api"
913 "share:manage": "rule:admin_api"
914 "share:migration_cancel": "rule:admin_api"
915 "share:migration_complete": "rule:admin_api"
916 "share:migration_get_progress": "rule:admin_api"
917 "share:migration_start": "rule:admin_api"
918 "share_network:add_security_service": "rule:default"
919 "share_network:create": "rule:default"
920 "share_network:delete": "rule:default"
921 "share_network:detail": "rule:default"
922 "share_network:get_all_share_networks": "rule:admin_api"
923 "share_network:index": "rule:default"
924 "share_network:remove_security_service": "rule:default"
925 "share_network:show": "rule:default"
926 "share_network:update": "rule:default"
927 "share_replica:create": "rule:default"
928 "share_replica:delete": "rule:default"
929 "share_replica:force_delete": "rule:admin_api"
930 "share_replica:get_all": "rule:default"
931 "share_replica:promote": "rule:default"
932 "share_replica:reset_replica_state": "rule:admin_api"
933 "share_replica:reset_status": "rule:admin_api"
934 "share_replica:resync": "rule:admin_api"
935 "share_replica:show": "rule:default"
936 "share:reset_status": "rule:admin_api"
937 "share:reset_task_state": "rule:admin_api"
938 "share:revert_to_snapshot": "rule:default"
939 "share_server:delete": "rule:admin_api"
940 "share_server:details": "rule:admin_api"
941 "share_server:index": "rule:admin_api"
942 "share_server:show": "rule:admin_api"
943 "share:shrink": "rule:default"
944 "share_snapshot:access_list": "rule:default"
945 "share_snapshot:allow_access": "rule:default"
946 "share_snapshot:deny_access": "rule:default"
947 "share_snapshot_export_location:index": "rule:default"
948 "share_snapshot_export_location:show": "rule:default"
949 "share_snapshot:force_delete": "rule:admin_api"
950 "share_snapshot:get_all_snapshots": "rule:default"
951 "share_snapshot:get_snapshot": "rule:default"
952 "share_snapshot_instance:detail": "rule:admin_api"
953 "share_snapshot_instance_export_location:index": "rule:admin_api"
954 "share_snapshot_instance_export_location:show": "rule:admin_api"
955 "share_snapshot_instance:index": "rule:admin_api"
956 "share_snapshot_instance:reset_status": "rule:admin_api"
957 "share_snapshot_instance:show": "rule:admin_api"
958 "share_snapshot:manage_snapshot": "rule:admin_api"
959 "share_snapshot:reset_status": "rule:admin_api"
960 "share_snapshot:unmanage_snapshot": "rule:admin_api"
961 "share:snapshot_update": "rule:default"
962 "share_type:add_project_access": "rule:admin_api"
963 "share_type:create": "rule:admin_api"
964 "share_type:default": "rule:default"
965 "share_type:delete": "rule:admin_api"
966 "share_type:index": "rule:default"
967 "share_type:list_project_access": "rule:admin_api"
968 "share_type:remove_project_access": "rule:admin_api"
969 "share_types_extra_spec:create": "rule:admin_api"
970 "share_types_extra_spec:delete": "rule:admin_api"
971 "share_types_extra_spec:index": "rule:admin_api"
972 "share_types_extra_spec:show": "rule:admin_api"
973 "share_types_extra_spec:update": "rule:admin_api"
974 "share_type:show": "rule:default"
975 "share:unmanage": "rule:admin_api"
976 "share:update": "rule:default"
977 "share:update_share_metadata": "rule:default"
# Queens reuses the Pike Manila mapping unchanged.
# NOTE(review): ${_param:...} looks like parameter interpolation by the model tooling (reclass-style), not a YAML alias — confirm.
978 manila_default_policy_queens: ${_param:manila_default_policy_pike}
# Empty mapping: this parameter defines no Neutron policy entries for Ocata.
979 neutron_default_policy_ocata: {}
# Neutron (networking) API policy for Pike, written in oslo.policy rule syntax.
# The &neutron_default_policy_pike anchor lets other mappings merge this one.
# An empty rule string ("") is an always-true check in oslo.policy. "regular_user" is defined as "",
# so every entry pointing at rule:regular_user is likewise unrestricted at the policy layer.
980 neutron_default_policy_pike: &neutron_default_policy_pike
981 "add_router_interface": "rule:admin_or_owner"
982 "add_subports": "rule:admin_or_owner"
983 "admin_only": "rule:context_is_admin"
984 "admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator"
985 "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s"
986 "admin_or_owner": "rule:context_is_admin or rule:owner"
987 "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner"
988 "context_is_admin": "role:admin"
989 "context_is_advsvc": "role:advsvc"
990 "create_address_scope": ""
991 "create_address_scope:shared": "rule:admin_only"
992 "create_dhcp-network": "rule:admin_only"
993 "create_flavor": "rule:admin_only"
994 "create_flavor_service_profile": "rule:admin_only"
995 "create_floatingip": "rule:regular_user"
996 "create_floatingip:floating_ip_address": "rule:admin_only"
997 "create_l3-router": "rule:admin_only"
998 "create_log": "rule:admin_only"
999 "create_lsn": "rule:admin_only"
1000 "create_metering_label": "rule:admin_only"
1001 "create_metering_label_rule": "rule:admin_only"
# Creating a network is unrestricted, but the attribute-level entries that follow
# (is_default, provider:*, router:external, segments, shared) are admin-only.
1002 "create_network": ""
1003 "create_network:is_default": "rule:admin_only"
1004 "create_network:provider:network_type": "rule:admin_only"
1005 "create_network:provider:physical_network": "rule:admin_only"
1006 "create_network:provider:segmentation_id": "rule:admin_only"
1007 "create_network:router:external": "rule:admin_only"
1008 "create_network:segments": "rule:admin_only"
1009 "create_network:shared": "rule:admin_only"
1010 "create_network_profile": "rule:admin_only"
1011 "create_policy": "rule:admin_only"
1012 "create_policy_bandwidth_limit_rule": "rule:admin_only"
1013 "create_policy_dscp_marking_rule": "rule:admin_only"
1014 "create_policy_minimum_bandwidth_rule": "rule:admin_only"
1015 "create_port": ""
1016 "create_port:allowed_address_pairs": "rule:admin_or_network_owner"
1017 "create_port:binding:host_id": "rule:admin_only"
1018 "create_port:binding:profile": "rule:admin_only"
# "not" applies only to rule:network_device: a device_owner that does not start with "network:"
# passes for anyone; a "network:" owner needs advsvc, admin or ownership of the network.
1019 "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
1020 "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"
1021 "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
1022 "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
1023 "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
1024 "create_qos_queue": "rule:admin_only"
1025 "create_rbac_policy": ""
# Non-admins may share with a named tenant only; see "restrict_wildcard" below.
1026 "create_rbac_policy:target_tenant": "rule:restrict_wildcard"
1027 "create_router": "rule:regular_user"
1028 "create_router:distributed": "rule:admin_only"
1029 "create_router:external_gateway_info:enable_snat": "rule:admin_only"
1030 "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
1031 "create_router:ha": "rule:admin_only"
1032 "create_security_group": "rule:admin_or_owner"
1033 "create_security_group_rule": "rule:admin_or_owner"
1034 "create_segment": "rule:admin_only"
1035 "create_service_profile": "rule:admin_only"
1036 "create_subnet": "rule:admin_or_network_owner"
1037 "create_subnet:segment_id": "rule:admin_only"
1038 "create_subnet:service_types": "rule:admin_only"
1039 "create_subnetpool": ""
1040 "create_subnetpool:is_default": "rule:admin_only"
1041 "create_subnetpool:shared": "rule:admin_only"
1042 "create_trunk": "rule:regular_user"
1043 "default": "rule:admin_or_owner"
1044 "delete_address_scope": "rule:admin_or_owner"
1045 "delete_agent": "rule:admin_only"
1046 "delete_dhcp-network": "rule:admin_only"
1047 "delete_flavor": "rule:admin_only"
1048 "delete_flavor_service_profile": "rule:admin_only"
1049 "delete_floatingip": "rule:admin_or_owner"
1050 "delete_l3-router": "rule:admin_only"
1051 "delete_log": "rule:admin_only"
1052 "delete_metering_label": "rule:admin_only"
1053 "delete_metering_label_rule": "rule:admin_only"
1054 "delete_network": "rule:admin_or_owner"
1055 "delete_network_profile": "rule:admin_only"
1056 "delete_policy": "rule:admin_only"
1057 "delete_policy_bandwidth_limit_rule": "rule:admin_only"
1058 "delete_policy_dscp_marking_rule": "rule:admin_only"
1059 "delete_policy_minimum_bandwidth_rule": "rule:admin_only"
1060 "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
1061 "delete_rbac_policy": "rule:admin_or_owner"
1062 "delete_router": "rule:admin_or_owner"
1063 "delete_security_group": "rule:admin_or_owner"
1064 "delete_security_group_rule": "rule:admin_or_owner"
1065 "delete_segment": "rule:admin_only"
1066 "delete_service_profile": "rule:admin_only"
1067 "delete_subnet": "rule:admin_or_network_owner"
1068 "delete_subnetpool": "rule:admin_or_owner"
1069 "delete_trunk": "rule:admin_or_owner"
1070 "external": "field:networks:router:external=True"
1071 "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes"
1072 "get_agent": "rule:admin_only"
1073 "get_agent-loadbalancers": "rule:admin_only"
1074 "get_auto_allocated_topology": "rule:admin_or_owner"
1075 "get_dhcp-agents": "rule:admin_only"
1076 "get_dhcp-networks": "rule:admin_only"
1077 "get_flavor": "rule:regular_user"
1078 "get_flavor_service_profile": "rule:regular_user"
1079 "get_flavors": "rule:regular_user"
1080 "get_floatingip": "rule:admin_or_owner"
1081 "get_l3-agents": "rule:admin_only"
1082 "get_l3-routers": "rule:admin_only"
1083 "get_loadbalancer-agent": "rule:admin_only"
1084 "get_loadbalancer-hosting-agent": "rule:admin_only"
1085 "get_loadbalancer-pools": "rule:admin_only"
1086 "get_log": "rule:admin_only"
1087 "get_loggable_resources": "rule:admin_only"
1088 "get_logs": "rule:admin_only"
1089 "get_lsn": "rule:admin_only"
1090 "get_metering_label": "rule:admin_only"
1091 "get_metering_label_rule": "rule:admin_only"
1092 "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc"
1093 "get_network:provider:network_type": "rule:admin_only"
1094 "get_network:provider:physical_network": "rule:admin_only"
1095 "get_network:provider:segmentation_id": "rule:admin_only"
1096 "get_network:queue_id": "rule:admin_only"
1097 "get_network:router:external": "rule:regular_user"
1098 "get_network:segments": "rule:admin_only"
1099 "get_network_ip_availabilities": "rule:admin_only"
1100 "get_network_ip_availability": "rule:admin_only"
1101 "get_network_profile": ""
1102 "get_network_profiles": ""
1103 "get_policy": "rule:regular_user"
1104 "get_policy_bandwidth_limit_rule": "rule:regular_user"
1105 "get_policy_dscp_marking_rule": "rule:regular_user"
1106 "get_policy_minimum_bandwidth_rule": "rule:regular_user"
1107 "get_policy_profile": ""
1108 "get_policy_profiles": ""
1109 "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
1110 "get_port:binding:host_id": "rule:admin_only"
1111 "get_port:binding:profile": "rule:admin_only"
1112 "get_port:binding:vif_details": "rule:admin_only"
1113 "get_port:binding:vif_type": "rule:admin_only"
1114 "get_port:queue_id": "rule:admin_only"
1115 "get_qos_queue": "rule:admin_only"
1116 "get_rbac_policy": "rule:admin_or_owner"
1117 "get_router": "rule:admin_or_owner"
1118 "get_router:distributed": "rule:admin_only"
1119 "get_router:ha": "rule:admin_only"
1120 "get_rule_type": "rule:regular_user"
1121 "get_security_group": "rule:admin_or_owner"
1122 "get_security_group_rule": "rule:admin_or_owner"
1123 "get_security_group_rules": "rule:admin_or_owner"
1124 "get_security_groups": "rule:admin_or_owner"
1125 "get_segment": "rule:admin_only"
1126 "get_service_profile": "rule:admin_only"
1127 "get_service_profiles": "rule:admin_only"
1128 "get_service_provider": "rule:regular_user"
1129 "get_subnet": "rule:admin_or_owner or rule:shared"
1130 "get_subnet:segment_id": "rule:admin_only"
1131 "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools"
1132 "get_subports": ""
1133 "get_trunk": "rule:admin_or_owner"
# True when the port's device_owner matches the regex ^network: (i.e. starts with "network:").
1134 "network_device": "field:port:device_owner=~^network:"
1135 "owner": "tenant_id:%(tenant_id)s"
# Always-true check; every rule:regular_user reference above inherits that.
1136 "regular_user": ""
1137 "remove_router_interface": "rule:admin_or_owner"
1138 "remove_subports": "rule:admin_or_owner"
# Only admins may set an RBAC policy's target_tenant to the wildcard "*".
1139 "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
1140 "shared": "field:networks:shared=True"
1141 "shared_address_scopes": "field:address_scopes:shared=True"
1142 "shared_subnetpools": "field:subnetpools:shared=True"
1143 "update_address_scope": "rule:admin_or_owner"
1144 "update_address_scope:shared": "rule:admin_only"
1145 "update_agent": "rule:admin_only"
1146 "update_flavor": "rule:admin_only"
1147 "update_floatingip": "rule:admin_or_owner"
1148 "update_log": "rule:admin_only"
1149 "update_network": "rule:admin_or_owner"
1150 "update_network:provider:network_type": "rule:admin_only"
1151 "update_network:provider:physical_network": "rule:admin_only"
1152 "update_network:provider:segmentation_id": "rule:admin_only"
1153 "update_network:router:external": "rule:admin_only"
1154 "update_network:segments": "rule:admin_only"
1155 "update_network:shared": "rule:admin_only"
1156 "update_network_profile": "rule:admin_only"
1157 "update_policy": "rule:admin_only"
1158 "update_policy_bandwidth_limit_rule": "rule:admin_only"
1159 "update_policy_dscp_marking_rule": "rule:admin_only"
1160 "update_policy_minimum_bandwidth_rule": "rule:admin_only"
1161 "update_policy_profiles": "rule:admin_only"
1162 "update_port": "rule:admin_or_owner or rule:context_is_advsvc"
1163 "update_port:allowed_address_pairs": "rule:admin_or_network_owner"
1164 "update_port:binding:host_id": "rule:admin_only"
1165 "update_port:binding:profile": "rule:admin_only"
1166 "update_port:data_plane_status": "rule:admin_or_data_plane_int"
1167 "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
1168 "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"
# Stricter than create_port:mac_address: the network owner is not accepted on update.
1169 "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc"
1170 "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
1171 "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
1172 "update_rbac_policy": "rule:admin_or_owner"
1173 "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner"
1174 "update_router": "rule:admin_or_owner"
1175 "update_router:distributed": "rule:admin_only"
1176 "update_router:external_gateway_info": "rule:admin_or_owner"
1177 "update_router:external_gateway_info:enable_snat": "rule:admin_only"
1178 "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
1179 "update_router:external_gateway_info:network_id": "rule:admin_or_owner"
1180 "update_router:ha": "rule:admin_only"
1181 "update_security_group": "rule:admin_or_owner"
1182 "update_segment": "rule:admin_only"
1183 "update_service_profile": "rule:admin_only"
1184 "update_subnet": "rule:admin_or_network_owner"
1185 "update_subnet:service_types": "rule:admin_only"
1186 "update_subnetpool": "rule:admin_or_owner"
1187 "update_subnetpool:is_default": "rule:admin_only"
# Neutron policy for Queens: merges the Pike mapping through the YAML merge key (<<) and adds
# finer-grained port and router-gateway attribute rules.
# create_port:fixed_ips and update_port:fixed_ips also exist in the Pike mapping; the values here
# replace them and additionally accept rule:shared, i.e. ports on shared networks.
# Choosing a specific ip_address still requires advsvc, admin or ownership of the network.
1188 neutron_default_policy_queens:
1189 << : *neutron_default_policy_pike
1190 "create_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
1191 "create_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
1192 "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
1193 "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
1194 "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
1195 "create_router:external_gateway_info": "rule:admin_or_owner"
1196 "create_router:external_gateway_info:network_id": "rule:admin_or_owner"
1197 "update_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
1198 "update_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
1199 "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
1200 "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
1201 "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
# Empty mapping: this parameter defines no Nova policy entries for Ocata.
1202 nova_default_policy_ocata: {}
1203 nova_default_policy_pike: &nova_default_policy_pike
1204 "admin_api": "is_admin:True"
1205 "admin_or_owner": "is_admin:True or project_id:%(project_id)s"
1206 "cells_scheduler_filter:DifferentCellFilter": "is_admin:True"
1207 "cells_scheduler_filter:TargetCellFilter": "is_admin:True"
1208 "context_is_admin": "role:admin"
1209 "network:attach_external_network": "is_admin:True"
1210 "os_compute_api:extensions": "rule:admin_or_owner"
1211 "os_compute_api:flavors": "rule:admin_or_owner"
1212 "os_compute_api:image-size": "rule:admin_or_owner"
1213 "os_compute_api:ips:index": "rule:admin_or_owner"
1214 "os_compute_api:ips:show": "rule:admin_or_owner"
1215 "os_compute_api:limits": "rule:admin_or_owner"
1216 "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api"
1217 "os_compute_api:os-admin-actions:reset_network": "rule:admin_api"
1218 "os_compute_api:os-admin-actions:reset_state": "rule:admin_api"
1219 "os_compute_api:os-admin-password": "rule:admin_or_owner"
1220 "os_compute_api:os-agents": "rule:admin_api"
1221 "os_compute_api:os-aggregates:add_host": "rule:admin_api"
1222 "os_compute_api:os-aggregates:create": "rule:admin_api"
1223 "os_compute_api:os-aggregates:delete": "rule:admin_api"
1224 "os_compute_api:os-aggregates:index": "rule:admin_api"
1225 "os_compute_api:os-aggregates:remove_host": "rule:admin_api"
1226 "os_compute_api:os-aggregates:set_metadata": "rule:admin_api"
1227 "os_compute_api:os-aggregates:show": "rule:admin_api"
1228 "os_compute_api:os-aggregates:update": "rule:admin_api"
1229 "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api"
1230 "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api"
1231 "os_compute_api:os-attach-interfaces": "rule:admin_or_owner"
1232 "os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner"
1233 "os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner"
1234 "os_compute_api:os-availability-zone:detail": "rule:admin_api"
1235 "os_compute_api:os-availability-zone:list": "rule:admin_or_owner"
1236 "os_compute_api:os-baremetal-nodes": "rule:admin_api"
1237 "os_compute_api:os-cells": "rule:admin_api"
1238 "os_compute_api:os-cells:create": "rule:admin_api"
1239 "os_compute_api:os-cells:delete": "rule:admin_api"
1240 "os_compute_api:os-cells:sync_instances": "rule:admin_api"
1241 "os_compute_api:os-cells:update": "rule:admin_api"
1242 "os_compute_api:os-config-drive": "rule:admin_or_owner"
1243 "os_compute_api:os-console-auth-tokens": "rule:admin_api"
1244 "os_compute_api:os-console-output": "rule:admin_or_owner"
1245 "os_compute_api:os-consoles:create": "rule:admin_or_owner"
1246 "os_compute_api:os-consoles:delete": "rule:admin_or_owner"
1247 "os_compute_api:os-consoles:index": "rule:admin_or_owner"
1248 "os_compute_api:os-consoles:show": "rule:admin_or_owner"
1249 "os_compute_api:os-create-backup": "rule:admin_or_owner"
1250 "os_compute_api:os-deferred-delete": "rule:admin_or_owner"
1251 "os_compute_api:os-evacuate": "rule:admin_api"
1252 "os_compute_api:os-extended-availability-zone": "rule:admin_or_owner"
1253 "os_compute_api:os-extended-server-attributes": "rule:admin_api"
1254 "os_compute_api:os-extended-status": "rule:admin_or_owner"
1255 "os_compute_api:os-extended-volumes": "rule:admin_or_owner"
1256 "os_compute_api:os-fixed-ips": "rule:admin_api"
1257 "os_compute_api:os-flavor-access": "rule:admin_or_owner"
1258 "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api"
1259 "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api"
1260 "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api"
1261 "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api"
1262 "os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner"
1263 "os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner"
1264 "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api"
1265 "os_compute_api:os-flavor-manage": "rule:admin_api"
1266 "os_compute_api:os-flavor-manage:create": "rule:os_compute_api:os-flavor-manage"
1267 "os_compute_api:os-flavor-manage:delete": "rule:os_compute_api:os-flavor-manage"
1268 "os_compute_api:os-flavor-rxtx": "rule:admin_or_owner"
1269 "os_compute_api:os-floating-ip-dns": "rule:admin_or_owner"
1270 "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api"
1271 "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api"
1272 "os_compute_api:os-floating-ip-pools": "rule:admin_or_owner"
1273 "os_compute_api:os-floating-ips": "rule:admin_or_owner"
1274 "os_compute_api:os-floating-ips-bulk": "rule:admin_api"
1275 "os_compute_api:os-fping": "rule:admin_or_owner"
1276 "os_compute_api:os-fping:all_tenants": "rule:admin_api"
1277 "os_compute_api:os-hide-server-addresses": "is_admin:False"
1278 "os_compute_api:os-hosts": "rule:admin_api"
1279 "os_compute_api:os-hypervisors": "rule:admin_api"
1280 "os_compute_api:os-instance-actions": "rule:admin_or_owner"
1281 "os_compute_api:os-instance-actions:events": "rule:admin_api"
1282 "os_compute_api:os-instance-usage-audit-log": "rule:admin_api"
1283 "os_compute_api:os-keypairs": "rule:admin_or_owner"
1284 "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s"
1285 "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s"
1286 "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s"
1287 "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s"
1288 "os_compute_api:os-lock-server:lock": "rule:admin_or_owner"
1289 "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner"
1290 "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api"
1291 "os_compute_api:os-migrate-server:migrate": "rule:admin_api"
1292 "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api"
1293 "os_compute_api:os-migrations:index": "rule:admin_api"
1294 "os_compute_api:os-multinic": "rule:admin_or_owner"
1295 "os_compute_api:os-networks": "rule:admin_api"
1296 "os_compute_api:os-networks-associate": "rule:admin_api"
1297 "os_compute_api:os-networks:view": "rule:admin_or_owner"
1298 "os_compute_api:os-pause-server:pause": "rule:admin_or_owner"
1299 "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner"
1300 "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s"
1301 "os_compute_api:os-quota-class-sets:update": "rule:admin_api"
1302 "os_compute_api:os-quota-sets:defaults": "@"
1303 "os_compute_api:os-quota-sets:delete": "rule:admin_api"
1304 "os_compute_api:os-quota-sets:detail": "rule:admin_or_owner"
1305 "os_compute_api:os-quota-sets:show": "rule:admin_or_owner"
1306 "os_compute_api:os-quota-sets:update": "rule:admin_api"
1307 "os_compute_api:os-remote-consoles": "rule:admin_or_owner"
1308 "os_compute_api:os-rescue": "rule:admin_or_owner"
1309 "os_compute_api:os-security-group-default-rules": "rule:admin_api"
1310 "os_compute_api:os-security-groups": "rule:admin_or_owner"
1311 "os_compute_api:os-server-diagnostics": "rule:admin_api"
1312 "os_compute_api:os-server-external-events:create": "rule:admin_api"
1313 "os_compute_api:os-server-groups": "rule:admin_or_owner"
1314 "os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups"
1315 "os_compute_api:os-server-groups:delete": "rule:os_compute_api:os-server-groups"
1316 "os_compute_api:os-server-groups:index": "rule:os_compute_api:os-server-groups"
1317 "os_compute_api:os-server-groups:show": "rule:os_compute_api:os-server-groups"
1318 "os_compute_api:os-server-password": "rule:admin_or_owner"
1319 "os_compute_api:os-server-tags:delete": "rule:admin_or_owner"
1320 "os_compute_api:os-server-tags:delete_all": "rule:admin_or_owner"
1321 "os_compute_api:os-server-tags:index": "rule:admin_or_owner"
1322 "os_compute_api:os-server-tags:show": "rule:admin_or_owner"
1323 "os_compute_api:os-server-tags:update": "rule:admin_or_owner"
1324 "os_compute_api:os-server-tags:update_all": "rule:admin_or_owner"
1325 "os_compute_api:os-server-usage": "rule:admin_or_owner"
1326 "os_compute_api:os-services": "rule:admin_api"
1327 "os_compute_api:os-shelve:shelve": "rule:admin_or_owner"
1328 "os_compute_api:os-shelve:shelve_offload": "rule:admin_api"
1329 "os_compute_api:os-shelve:unshelve": "rule:admin_or_owner"
1330 "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api"
1331 "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner"
1332 "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner"
1333 "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner"
1334 "os_compute_api:os-tenant-networks": "rule:admin_or_owner"
1335 "os_compute_api:os-used-limits": "rule:admin_api"
1336 "os_compute_api:os-virtual-interfaces": "rule:admin_or_owner"
1337 "os_compute_api:os-volumes": "rule:admin_or_owner"
1338 "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner"
1339 "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"
1340 "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner"
1341 "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner"
1342 "os_compute_api:os-volumes-attachments:update": "rule:admin_api"
1343 "os_compute_api:server-metadata:create": "rule:admin_or_owner"
1344 "os_compute_api:server-metadata:delete": "rule:admin_or_owner"
1345 "os_compute_api:server-metadata:index": "rule:admin_or_owner"
1346 "os_compute_api:server-metadata:show": "rule:admin_or_owner"
1347 "os_compute_api:server-metadata:update": "rule:admin_or_owner"
1348 "os_compute_api:server-metadata:update_all": "rule:admin_or_owner"
1349 "os_compute_api:servers:confirm_resize": "rule:admin_or_owner"
1350 "os_compute_api:servers:create": "rule:admin_or_owner"
1351 "os_compute_api:servers:create:attach_network": "rule:admin_or_owner"
1352 "os_compute_api:servers:create:attach_volume": "rule:admin_or_owner"
1353 "os_compute_api:servers:create:forced_host": "rule:admin_api"
1354 "os_compute_api:servers:create:zero_disk_flavor": "rule:admin_or_owner"
1355 "os_compute_api:servers:create_image": "rule:admin_or_owner"
1356 "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner"
1357 "os_compute_api:servers:delete": "rule:admin_or_owner"
1358 "os_compute_api:servers:detail": "rule:admin_or_owner"
1359 "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api"
1360 "os_compute_api:servers:index": "rule:admin_or_owner"
1361 "os_compute_api:servers:index:get_all_tenants": "rule:admin_api"
1362 "os_compute_api:servers:migrations:delete": "rule:admin_api"
1363 "os_compute_api:servers:migrations:force_complete": "rule:admin_api"
1364 "os_compute_api:servers:migrations:index": "rule:admin_api"
1365 "os_compute_api:servers:migrations:show": "rule:admin_api"
1366 "os_compute_api:servers:reboot": "rule:admin_or_owner"
1367 "os_compute_api:servers:rebuild": "rule:admin_or_owner"
1368 "os_compute_api:servers:resize": "rule:admin_or_owner"
1369 "os_compute_api:servers:revert_resize": "rule:admin_or_owner"
1370 "os_compute_api:servers:show": "rule:admin_or_owner"
1371 "os_compute_api:servers:show:host_status": "rule:admin_api"
1372 "os_compute_api:servers:start": "rule:admin_or_owner"
1373 "os_compute_api:servers:stop": "rule:admin_or_owner"
1374 "os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner"
1375 "os_compute_api:servers:update": "rule:admin_or_owner"
# Nova policy defaults for Queens: the Pike mapping merged through the YAML
# merge key, plus one entry that Pike does not list. The added flavor update
# action is bound to rule:admin_api, in line with the Pike
# os_compute_api:os-flavor-manage rule.
1376 nova_default_policy_queens:
1377 << : *nova_default_policy_pike
1378 "os_compute_api:os-flavor-manage:update": "rule:admin_api"
# Octavia policy defaults. The Ocata parameter is an empty mapping; the Pike
# mapping carries a YAML anchor so that the Queens mapping can merge it.
#
# How the rule set is layered:
# - Tenant access needs BOTH a load-balancer_* role AND a project_id match
#   (observer_and_owner, member_and_owner). A user holding neither
#   load-balancer_observer nor load-balancer_member fails load-balancer:read
#   and load-balancer:write unless is_admin:True applies.
# - load-balancer_global_observer and load-balancer_quota_admin have no
#   project_id term, so the *-global and quota rules built on them apply across
#   projects. These role assignments are worth tracking in access reviews.
# - context_is_admin is a pure role check (role:admin or
#   role:load-balancer_admin) with no project term.
# - Every os_load-balancer_api:* action points at one of the
#   load-balancer:read / write / *-quota rules, so tightening or loosening one
#   of those rules changes a whole family of API calls at once.
1379 octavia_default_policy_ocata: {}
1380 octavia_default_policy_pike: &octavia_default_policy_pike
1381 "context_is_admin": "role:admin or role:load-balancer_admin"
1382 "load-balancer:owner": "project_id:%(project_id)s"
1383 "load-balancer:observer_and_owner": "role:load-balancer_observer and rule:load-balancer:owner"
1384 "load-balancer:global_observer": "role:load-balancer_global_observer"
1385 "load-balancer:member_and_owner": "role:load-balancer_member and rule:load-balancer:owner"
1386 "load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or is_admin:True"
1387 "load-balancer:read-global": "rule:load-balancer:global_observer or is_admin:True"
1388 "load-balancer:write": "rule:load-balancer:member_and_owner or is_admin:True"
1389 "load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or is_admin:True"
1390 "load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or is_admin:True"
1391 "load-balancer:write-quota": "role:load-balancer_quota_admin or is_admin:True"
1392 "os_load-balancer_api:healthmonitor:get_all": "rule:load-balancer:read"
1393 "os_load-balancer_api:healthmonitor:get_all-global": "rule:load-balancer:read-global"
1394 "os_load-balancer_api:healthmonitor:post": "rule:load-balancer:write"
1395 "os_load-balancer_api:healthmonitor:get_one": "rule:load-balancer:read"
1396 "os_load-balancer_api:healthmonitor:put": "rule:load-balancer:write"
1397 "os_load-balancer_api:healthmonitor:delete": "rule:load-balancer:write"
1398 "os_load-balancer_api:l7policy:get_all": "rule:load-balancer:read"
1399 "os_load-balancer_api:l7policy:get_all-global": "rule:load-balancer:read-global"
1400 "os_load-balancer_api:l7policy:post": "rule:load-balancer:write"
1401 "os_load-balancer_api:l7policy:get_one": "rule:load-balancer:read"
1402 "os_load-balancer_api:l7policy:put": "rule:load-balancer:write"
1403 "os_load-balancer_api:l7policy:delete": "rule:load-balancer:write"
1404 "os_load-balancer_api:l7rule:get_all": "rule:load-balancer:read"
1405 "os_load-balancer_api:l7rule:post": "rule:load-balancer:write"
1406 "os_load-balancer_api:l7rule:get_one": "rule:load-balancer:read"
1407 "os_load-balancer_api:l7rule:put": "rule:load-balancer:write"
1408 "os_load-balancer_api:l7rule:delete": "rule:load-balancer:write"
1409 "os_load-balancer_api:listener:get_all": "rule:load-balancer:read"
1410 "os_load-balancer_api:listener:get_all-global": "rule:load-balancer:read-global"
1411 "os_load-balancer_api:listener:post": "rule:load-balancer:write"
1412 "os_load-balancer_api:listener:get_one": "rule:load-balancer:read"
1413 "os_load-balancer_api:listener:put": "rule:load-balancer:write"
1414 "os_load-balancer_api:listener:delete": "rule:load-balancer:write"
1415 "os_load-balancer_api:listener:get_stats": "rule:load-balancer:read"
1416 "os_load-balancer_api:loadbalancer:get_all": "rule:load-balancer:read"
1417 "os_load-balancer_api:loadbalancer:get_all-global": "rule:load-balancer:read-global"
1418 "os_load-balancer_api:loadbalancer:post": "rule:load-balancer:write"
1419 "os_load-balancer_api:loadbalancer:get_one": "rule:load-balancer:read"
1420 "os_load-balancer_api:loadbalancer:put": "rule:load-balancer:write"
1421 "os_load-balancer_api:loadbalancer:delete": "rule:load-balancer:write"
1422 "os_load-balancer_api:loadbalancer:get_stats": "rule:load-balancer:read"
1423 "os_load-balancer_api:loadbalancer:get_status": "rule:load-balancer:read"
1424 "os_load-balancer_api:member:get_all": "rule:load-balancer:read"
1425 "os_load-balancer_api:member:post": "rule:load-balancer:write"
1426 "os_load-balancer_api:member:get_one": "rule:load-balancer:read"
1427 "os_load-balancer_api:member:put": "rule:load-balancer:write"
1428 "os_load-balancer_api:member:delete": "rule:load-balancer:write"
1429 "os_load-balancer_api:pool:get_all": "rule:load-balancer:read"
1430 "os_load-balancer_api:pool:get_all-global": "rule:load-balancer:read-global"
1431 "os_load-balancer_api:pool:post": "rule:load-balancer:write"
1432 "os_load-balancer_api:pool:get_one": "rule:load-balancer:read"
1433 "os_load-balancer_api:pool:put": "rule:load-balancer:write"
1434 "os_load-balancer_api:pool:delete": "rule:load-balancer:write"
1435 "os_load-balancer_api:quota:get_all": "rule:load-balancer:read-quota"
1436 "os_load-balancer_api:quota:get_all-global": "rule:load-balancer:read-quota-global"
1437 "os_load-balancer_api:quota:get_one": "rule:load-balancer:read-quota"
1438 "os_load-balancer_api:quota:put": "rule:load-balancer:write-quota"
1439 "os_load-balancer_api:quota:delete": "rule:load-balancer:write-quota"
1440 "os_load-balancer_api:quota:get_defaults": "rule:load-balancer:read-quota"
# Octavia policy defaults for Queens: the Pike mapping merged through the YAML
# merge key, with the aggregate rules redefined. Each rule that ended in
# "is_admin:True" in Pike now ends in the new rule:load-balancer:admin, which
# also accepts role:admin and role:load-balancer_admin.
#
# Security notes for reviewers:
# - load-balancer:admin has no project_id term. Both role checks are evaluated
#   against the roles in the caller's token, not against the target project, so
#   holders of either role pass every read/write/quota rule below for any
#   project. Keep assignments of these roles narrow.
# - The failover action is available only through load-balancer:admin; tenant
#   member/observer roles do not match it.
1441 octavia_default_policy_queens:
1442 << : *octavia_default_policy_pike
1443 "load-balancer:admin": "is_admin:True or role:admin or role:load-balancer_admin"
1444 "load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"
1445 "load-balancer:read-global": "rule:load-balancer:global_observer or rule:load-balancer:admin"
1446 "load-balancer:write": "rule:load-balancer:member_and_owner or rule:load-balancer:admin"
1447 "load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"
1448 "load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"
1449 "load-balancer:write-quota": "role:load-balancer_quota_admin or rule:load-balancer:admin"
1450 "os_load-balancer_api:loadbalancer:put_failover": "rule:load-balancer:admin"
# Panko policy defaults. Ocata is an empty mapping; Queens reuses the Pike
# mapping unchanged through ${_param:...} parameter interpolation.
#
# Security notes for reviewers:
# - Both telemetry:events:* rules are the empty string. In the oslo.policy rule
#   language an empty rule always passes, so the policy layer applies no role
#   or project requirement to listing or showing events.
# - NOTE(review): with empty action rules, keeping one project's events away
#   from another presumably rests on how the service applies the "segregation"
#   rule (admin-only here) — confirm this for the deployed release before
#   treating the event API as tenant-isolated.
Roman Lubianyi24e9fed2020-07-22 15:02:46 +03001451 panko_default_policy_ocata: {}
1452 panko_default_policy_pike:
1453 "context_is_admin": "role:admin"
1454 "segregation": "rule:context_is_admin"
1455 "telemetry:events:index": ""
1456 "telemetry:events:show": ""
1457 panko_default_policy_queens: ${_param:panko_default_policy_pike}
# Telemetry policy defaults. Ocata is an empty mapping; Queens reuses the Pike
# mapping unchanged through ${_param:...} parameter interpolation.
#
# Security notes for reviewers:
# - Every telemetry:* action rule is the empty string. In the oslo.policy rule
#   language an empty rule always passes, so no role or project requirement is
#   applied at the policy layer. This includes telemetry:create_samples, which
#   is a write action and not only a read.
# - NOTE(review): with empty action rules, per-project isolation of meters,
#   resources and samples presumably rests on how the service applies the
#   "segregation" rule (admin-only here) — confirm this for the deployed
#   release. Consider whether create_samples should stay open if sample data
#   feeds billing or alarming.
Ivan Berezovskiye7ea8e62020-01-16 16:47:02 +04001458 telemetry_default_policy_ocata: {}
1459 telemetry_default_policy_pike:
1460 "context_is_admin": "role:admin"
1461 "segregation": "rule:context_is_admin"
1462 "telemetry:compute_statistics": ""
1463 "telemetry:create_samples": ""
1464 "telemetry:get_meters": ""
1465 "telemetry:get_resource": ""
1466 "telemetry:get_resources": ""
1467 "telemetry:get_sample": ""
1468 "telemetry:get_samples": ""
1469 "telemetry:query_sample": ""
1470 telemetry_default_policy_queens: ${_param:telemetry_default_policy_pike}