Diffstat (limited to 'heat/policies/software_configs.py')
-rw-r--r-- | heat/policies/software_configs.py | 66 |
1 files changed, 56 insertions, 10 deletions
diff --git a/heat/policies/software_configs.py b/heat/policies/software_configs.py
index 72f6f2c99..5de6535fb 100644
--- a/heat/policies/software_configs.py
+++ b/heat/policies/software_configs.py
@@ -10,67 +10,113 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_log import versionutils from oslo_policy import policy from heat.policies import base +DEPRECATED_REASON = """ +The software configuration API now support system scope and default roles. +""" + POLICY_ROOT = 'software_configs:%s' +deprecated_global_index = policy.DeprecatedRule( + name=POLICY_ROOT % 'global_index', + check_str=base.RULE_DENY_EVERYBODY +) +deprecated_index = policy.DeprecatedRule( + name=POLICY_ROOT % 'index', + check_str=base.RULE_DENY_STACK_USER +) +deprecated_create = policy.DeprecatedRule( + name=POLICY_ROOT % 'create', + check_str=base.RULE_DENY_STACK_USER +) +deprecated_show = policy.DeprecatedRule( + name=POLICY_ROOT % 'show', + check_str=base.RULE_DENY_STACK_USER +) +deprecated_delete = policy.DeprecatedRule( + name=POLICY_ROOT % 'delete', + check_str=base.RULE_DENY_STACK_USER +) + software_configs_policies = [ policy.DocumentedRuleDefault( name=POLICY_ROOT % 'global_index', - check_str=base.RULE_DENY_EVERYBODY, + check_str=base.SYSTEM_READER, + scope_types=['system', 'project'], description='List configs globally.', operations=[ { 'path': '/v1/{tenant_id}/software_configs', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_global_index, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'index', - check_str=base.RULE_DENY_STACK_USER, + check_str=base.SYSTEM_OR_PROJECT_READER, + scope_types=['system', 'project'], description='List configs.', operations=[ { 'path': '/v1/{tenant_id}/software_configs', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_index, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'create', - check_str=base.RULE_DENY_STACK_USER, + check_str=base.SYSTEM_OR_PROJECT_READER, + scope_types=['system', 
'project'], description='Create config.', operations=[ { 'path': '/v1/{tenant_id}/software_configs', 'method': 'POST' } - ] + ], + deprecated_rule=deprecated_create, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'show', - check_str=base.RULE_DENY_STACK_USER, + check_str=base.SYSTEM_OR_PROJECT_READER, + scope_types=['system', 'project'], description='Show config details.', operations=[ { 'path': '/v1/{tenant_id}/software_configs/{config_id}', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_show, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'delete', - check_str=base.RULE_DENY_STACK_USER, + check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, + scope_types=['system', 'project'], description='Delete config.', operations=[ { 'path': '/v1/{tenant_id}/software_configs/{config_id}', 'method': 'DELETE' } - ] + ], + deprecated_rule=deprecated_delete, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ) ] |
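Review bot: The new default for `software_configs:create` is `base.SYSTEM_OR_PROJECT_READER`, which by its name lets read-only personas POST to `/v1/{tenant_id}/software_configs`, while `delete` in the same list requires `base.SYSTEM_ADMIN_OR_PROJECT_MEMBER`. Creating a config is a write operation, so the create rule should presumably read `check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,`; the check strings are defined in `heat.policies.base`, which this hunk does not show, so confirm there. While the deprecated `RULE_DENY_STACK_USER` check is still OR-ed with the new default the gap is masked, and it takes effect once an operator turns on oslo.policy's `enforce_new_defaults`. Separately, `global_index` is checked with `base.SYSTEM_READER` but declares `scope_types=['system', 'project']`; if that check string requires system scope, `scope_types=['system'],` would state the intent.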