authorSlawek Kaplonski <skaplons@redhat.com>2022-08-18 15:41:33 +0200
committerSlawek Kaplonski <skaplons@redhat.com>2022-08-19 11:16:44 +0200
commit32e16bf466c258e891d0227348b431b478a01bda (patch)
tree7ffdb73c73c4328c5f00df77039eda0c652c5dc0 /neutron/conf
parent09207ba731bfc859c2f6d175588a8bfe09be01db (diff)
[S-RBAC] Remove system scope from the API policies
According to the new guidelines accepted in [1] for now all new default API policy rules should have "project" scope only. This patch adjusts neutron policies according to [1]. [1] https://review.opendev.org/c/openstack/governance/+/847418 Change-Id: I1e923cc268d80087120a9c4d8a7aa4f2780cd82f
Diffstat (limited to 'neutron/conf')
-rw-r--r--neutron/conf/policies/agent.py24
-rw-r--r--neutron/conf/policies/availability_zone.py4
-rw-r--r--neutron/conf/policies/flavor.py24
-rw-r--r--neutron/conf/policies/logging.py12
-rw-r--r--neutron/conf/policies/network_ip_availability.py4
-rw-r--r--neutron/conf/policies/network_segment_range.py10
-rw-r--r--neutron/conf/policies/port.py2
-rw-r--r--neutron/conf/policies/qos.py4
-rw-r--r--neutron/conf/policies/quotas.py8
-rw-r--r--neutron/conf/policies/segment.py10
-rw-r--r--neutron/conf/policies/service_type.py4
11 files changed, 53 insertions, 53 deletions
diff --git a/neutron/conf/policies/agent.py b/neutron/conf/policies/agent.py
index e96ab412c6..6821b72c91 100644
--- a/neutron/conf/policies/agent.py
+++ b/neutron/conf/policies/agent.py
@@ -20,7 +20,7 @@ COLLECTION_PATH = '/agents'
RESOURCE_PATH = '/agents/{id}'
DEPRECATION_REASON = (
- "The Agent API now supports system scope and default roles.")
+ "The Agent API now supports project scope and default roles.")
rules = [
policy.DocumentedRuleDefault(
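Review bot: The new `DEPRECATION_REASON` text reads as if project scope were an addition, but the later hunks replace `scope_types=['system']` instead of extending it. An operator who moved to system-scoped tokens because of the previous message gets no hint that those tokens will stop matching where scope enforcement is enabled. The string is presumably passed as the deprecated rule's reason (its use is outside this hunk), so consider wording such as `"The Agent API now supports project scope and default roles; system scope is no longer accepted."`. The same applies to the reason strings changed in availability_zone.py, flavor.py, logging.py, network_segment_range.py, port.py, qos.py, quotas.py, segment.py and service_type.py.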
@@ -37,7 +37,7 @@ rules = [
'path': RESOURCE_PATH,
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='get_agent',
check_str=base.RULE_ADMIN_ONLY,
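Review bot: With `scope_types=['project']` on a rule whose deprecated default is `base.RULE_ADMIN_ONLY`, the role check in the new `check_str` becomes the only barrier between an arbitrary project-scoped token and the agent API, and that `check_str` sits above this hunk, so it cannot be confirmed here. Agents appear to be deployment-wide, not project-owned, so it is worth verifying that the new check requires the admin role without relying on a project match. That could be recorded next to the field, e.g. `# agents are not project-owned: access is limited by the admin role check only`. The same pattern repeats in the later `scope_types` hunks of agent.py and flavor.py, and in logging.py, network_segment_range.py, quotas.py and segment.py, where `check_str=base.ADMIN` is visible but its definition is not. The rule definition starts and ends outside this hunk.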
@@ -54,7 +54,7 @@ rules = [
'path': RESOURCE_PATH,
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='update_agent',
check_str=base.RULE_ADMIN_ONLY,
@@ -71,7 +71,7 @@ rules = [
'path': RESOURCE_PATH,
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='delete_agent',
check_str=base.RULE_ADMIN_ONLY,
@@ -88,7 +88,7 @@ rules = [
'path': '/agents/{agent_id}/dhcp-networks',
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='create_dhcp-network',
check_str=base.RULE_ADMIN_ONLY,
@@ -105,7 +105,7 @@ rules = [
'path': '/agents/{agent_id}/dhcp-networks',
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='get_dhcp-networks',
check_str=base.RULE_ADMIN_ONLY,
@@ -122,7 +122,7 @@ rules = [
'path': '/agents/{agent_id}/dhcp-networks/{network_id}',
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='delete_dhcp-network',
check_str=base.RULE_ADMIN_ONLY,
@@ -139,7 +139,7 @@ rules = [
'path': '/agents/{agent_id}/l3-routers',
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='create_l3-router',
check_str=base.RULE_ADMIN_ONLY,
@@ -156,7 +156,7 @@ rules = [
'path': '/agents/{agent_id}/l3-routers',
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='get_l3-routers',
check_str=base.RULE_ADMIN_ONLY,
@@ -173,7 +173,7 @@ rules = [
'path': '/agents/{agent_id}/l3-routers/{router_id}',
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='delete_l3-router',
check_str=base.RULE_ADMIN_ONLY,
@@ -190,7 +190,7 @@ rules = [
'path': '/networks/{network_id}/dhcp-agents',
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='get_dhcp-agents',
check_str=base.RULE_ADMIN_ONLY,
@@ -207,7 +207,7 @@ rules = [
'path': '/routers/{router_id}/l3-agents',
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='get_l3-agents',
check_str=base.RULE_ADMIN_ONLY,
diff --git a/neutron/conf/policies/availability_zone.py b/neutron/conf/policies/availability_zone.py
index 7a5431c14d..faaea686d5 100644
--- a/neutron/conf/policies/availability_zone.py
+++ b/neutron/conf/policies/availability_zone.py
@@ -16,7 +16,7 @@ from oslo_policy import policy
from neutron.conf.policies import base
DEPRECATION_REASON = (
- "The Availability Zone API now supports system scope and default roles.")
+ "The Availability Zone API now supports project scope and default roles.")
rules = [
@@ -30,7 +30,7 @@ rules = [
'path': '/availability_zones',
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='get_availability_zone',
check_str=base.RULE_ANY,
diff --git a/neutron/conf/policies/flavor.py b/neutron/conf/policies/flavor.py
index e33f6802a3..6e281d2e61 100644
--- a/neutron/conf/policies/flavor.py
+++ b/neutron/conf/policies/flavor.py
@@ -24,7 +24,7 @@ ASSOC_COLLECTION_PATH = '/flavors/{flavor_id}/service_profiles'
ASSOC_RESOURCE_PATH = '/flavors/{flavor_id}/service_profiles/{profile_id}'
DEPRECATION_REASON = (
- "The flavor API now supports system scope and default roles.")
+ "The flavor API now supports project scope and default roles.")
rules = [
@@ -38,7 +38,7 @@ rules = [
'path': FLAVOR_COLLECTION_PATH,
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='create_flavor',
check_str=base.RULE_ADMIN_ONLY,
@@ -59,7 +59,7 @@ rules = [
'path': FLAVOR_RESOURCE_PATH,
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='get_flavor',
check_str=base.RULE_ANY,
@@ -76,7 +76,7 @@ rules = [
'path': FLAVOR_RESOURCE_PATH,
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='update_flavor',
check_str=base.RULE_ADMIN_ONLY,
@@ -93,7 +93,7 @@ rules = [
'path': FLAVOR_RESOURCE_PATH,
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='delete_flavor',
check_str=base.RULE_ADMIN_ONLY,
@@ -111,7 +111,7 @@ rules = [
'path': PROFILE_COLLECTION_PATH,
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='create_service_profile',
check_str=base.RULE_ADMIN_ONLY,
@@ -132,7 +132,7 @@ rules = [
'path': PROFILE_RESOURCE_PATH,
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='get_service_profile',
check_str=base.RULE_ADMIN_ONLY,
@@ -149,7 +149,7 @@ rules = [
'path': PROFILE_RESOURCE_PATH,
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='update_service_profile',
check_str=base.RULE_ADMIN_ONLY,
@@ -166,7 +166,7 @@ rules = [
'path': PROFILE_RESOURCE_PATH,
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='delete_service_profile',
check_str=base.RULE_ADMIN_ONLY,
@@ -182,7 +182,7 @@ rules = [
'There is no corresponding GET operations in API currently. '
'This rule is currently referred only in the DELETE '
'of flavor_service_profile.'),
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='get_flavor_service_profile',
check_str=base.RULE_ANY,
@@ -199,7 +199,7 @@ rules = [
'path': ASSOC_COLLECTION_PATH,
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='create_flavor_service_profile',
check_str=base.RULE_ADMIN_ONLY,
@@ -216,7 +216,7 @@ rules = [
'path': ASSOC_RESOURCE_PATH,
},
],
- scope_types=['system'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='delete_flavor_service_profile',
check_str=base.RULE_ADMIN_ONLY,
diff --git a/neutron/conf/policies/logging.py b/neutron/conf/policies/logging.py
index b9ba4325cf..083371499d 100644
--- a/neutron/conf/policies/logging.py
+++ b/neutron/conf/policies/logging.py
@@ -17,7 +17,7 @@ from neutron.conf.policies import base
DEPRECATED_REASON = """
-The logging API now supports system scope and default roles.
+The logging API now supports project scope and default roles.
"""
COLLECTION_PATH = '/log/logs'
@@ -28,7 +28,7 @@ rules = [
policy.DocumentedRuleDefault(
name='get_loggable_resource',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Get loggable resources',
operations=[
{
@@ -45,7 +45,7 @@ rules = [
policy.DocumentedRuleDefault(
name='create_log',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Create a network log',
operations=[
{
@@ -62,7 +62,7 @@ rules = [
policy.DocumentedRuleDefault(
name='get_log',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Get a network log',
operations=[
{
@@ -83,7 +83,7 @@ rules = [
policy.DocumentedRuleDefault(
name='update_log',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Update a network log',
operations=[
{
@@ -100,7 +100,7 @@ rules = [
policy.DocumentedRuleDefault(
name='delete_log',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Delete a network log',
operations=[
{
diff --git a/neutron/conf/policies/network_ip_availability.py b/neutron/conf/policies/network_ip_availability.py
index 2c14b14ca6..3894741846 100644
--- a/neutron/conf/policies/network_ip_availability.py
+++ b/neutron/conf/policies/network_ip_availability.py
@@ -16,7 +16,7 @@ from oslo_policy import policy
from neutron.conf.policies import base
DEPRECATED_REASON = """
-The network IP availability API now support system scope and default roles.
+The network IP availability API now support project scope and default roles.
"""
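Review bot: The replacement line keeps the grammar slip from the old one: `now support` should be `now supports`, which is the wording the other policy modules in this commit use. Since the line is being rewritten anyway, `The network IP availability API now supports project scope and default roles.` would fix it here.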
@@ -24,7 +24,7 @@ rules = [
policy.DocumentedRuleDefault(
name='get_network_ip_availability',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Get network IP availability',
operations=[
{
diff --git a/neutron/conf/policies/network_segment_range.py b/neutron/conf/policies/network_segment_range.py
index 77d1dfaad8..b0e07640f7 100644
--- a/neutron/conf/policies/network_segment_range.py
+++ b/neutron/conf/policies/network_segment_range.py
@@ -19,7 +19,7 @@ from oslo_policy import policy
from neutron.conf.policies import base
DEPRECATED_REASON = """
-The network segment range API now supports system scope and default roles.
+The network segment range API now supports project scope and default roles.
"""
COLLECTION_PATH = '/network_segment_ranges'
@@ -30,7 +30,7 @@ rules = [
policy.DocumentedRuleDefault(
name='create_network_segment_range',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Create a network segment range',
operations=[
{
@@ -47,7 +47,7 @@ rules = [
policy.DocumentedRuleDefault(
name='get_network_segment_range',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Get a network segment range',
operations=[
{
@@ -68,7 +68,7 @@ rules = [
policy.DocumentedRuleDefault(
name='update_network_segment_range',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Update a network segment range',
operations=[
{
@@ -85,7 +85,7 @@ rules = [
policy.DocumentedRuleDefault(
name='delete_network_segment_range',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Delete a network segment range',
operations=[
{
diff --git a/neutron/conf/policies/port.py b/neutron/conf/policies/port.py
index 9ce3d6ba75..5b9d20c990 100644
--- a/neutron/conf/policies/port.py
+++ b/neutron/conf/policies/port.py
@@ -16,7 +16,7 @@ from oslo_policy import policy
from neutron.conf.policies import base
DEPRECATED_REASON = (
- "The port API now supports system scope and default roles.")
+ "The port API now supports project scope and default roles.")
COLLECTION_PATH = '/ports'
diff --git a/neutron/conf/policies/qos.py b/neutron/conf/policies/qos.py
index c9bdd93c45..0aa0d47d5d 100644
--- a/neutron/conf/policies/qos.py
+++ b/neutron/conf/policies/qos.py
@@ -16,7 +16,7 @@ from oslo_policy import policy
from neutron.conf.policies import base
DEPRECATED_REASON = """
-The QoS API now supports system scope and default roles.
+The QoS API now supports project scope and default roles.
"""
@@ -97,7 +97,7 @@ rules = [
policy.DocumentedRuleDefault(
name='get_rule_type',
check_str=base.ADMIN,
- scope_types=['system', 'project'],
+ scope_types=['project'],
description='Get available QoS rule types',
operations=[
{
diff --git a/neutron/conf/policies/quotas.py b/neutron/conf/policies/quotas.py
index 15ad30de0a..006b63fc32 100644
--- a/neutron/conf/policies/quotas.py
+++ b/neutron/conf/policies/quotas.py
@@ -16,7 +16,7 @@ from oslo_policy import policy
from neutron.conf.policies import base
DEPRECATED_REASON = """
-The quotas API now supports system scope and default roles.
+The quotas API now supports project scope and default roles.
"""
@@ -28,7 +28,7 @@ rules = [
policy.DocumentedRuleDefault(
name='get_quota',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Get a resource quota',
operations=[
{
@@ -49,7 +49,7 @@ rules = [
policy.DocumentedRuleDefault(
name='update_quota',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Update a resource quota',
operations=[
{
@@ -66,7 +66,7 @@ rules = [
policy.DocumentedRuleDefault(
name='delete_quota',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Delete a resource quota',
operations=[
{
diff --git a/neutron/conf/policies/segment.py b/neutron/conf/policies/segment.py
index de0182a254..2c83834999 100644
--- a/neutron/conf/policies/segment.py
+++ b/neutron/conf/policies/segment.py
@@ -16,7 +16,7 @@ from oslo_policy import policy
from neutron.conf.policies import base
DEPRECATED_REASON = (
- "The segment API now supports system scope and default roles.")
+ "The segment API now supports project scope and default roles.")
COLLECTION_PATH = '/segments'
RESOURCE_PATH = '/segments/{id}'
@@ -26,7 +26,7 @@ rules = [
policy.DocumentedRuleDefault(
name='create_segment',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Create a segment',
operations=[
{
@@ -43,7 +43,7 @@ rules = [
policy.DocumentedRuleDefault(
name='get_segment',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Get a segment',
operations=[
{
@@ -64,7 +64,7 @@ rules = [
policy.DocumentedRuleDefault(
name='update_segment',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Update a segment',
operations=[
{
@@ -81,7 +81,7 @@ rules = [
policy.DocumentedRuleDefault(
name='delete_segment',
check_str=base.ADMIN,
- scope_types=['system'],
+ scope_types=['project'],
description='Delete a segment',
operations=[
{
diff --git a/neutron/conf/policies/service_type.py b/neutron/conf/policies/service_type.py
index 8239ee3996..d476cf2b1d 100644
--- a/neutron/conf/policies/service_type.py
+++ b/neutron/conf/policies/service_type.py
@@ -17,7 +17,7 @@ from neutron.conf.policies import base
DEPRECATION_REASON = (
- "The Service Providers API now supports system scope and default roles.")
+ "The Service Providers API now supports project scope and default roles.")
rules = [
policy.DocumentedRuleDefault(
@@ -34,7 +34,7 @@ rules = [
'path': '/service-providers',
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='get_service_provider',
check_str=base.RULE_ANY,