authorGhanshyam Mann <gmann@ghanshyammann.com>2022-07-09 19:30:38 -0500
committerGhanshyam <gmann@ghanshyammann.com>2022-08-24 16:33:27 +0000
commit909b0b02470dc795fd3d2775ee33864b055dd678 (patch)
tree2e1fd40589578eb25d7ebc0a8e5f92303563a84f /nova/policies
parent066e1e69d1394839a9f0bde4ca8c3a0db2d52396 (diff)
downloadnova-909b0b02470dc795fd3d2775ee33864b055dd678.tar.gz
Keep legacy admin behaviour in new RBAC
While discussing the new RBAC (scope_type and project admin vs system admin) with operators at the Berlin ops meetup, via emails, and in the policy popup meetings, we got the feedback that we need to keep the legacy admin behaviour the same as it is; otherwise it is going to be a big breaking change for many operators. The same feedback applies to scope_type. - https://etherpad.opendev.org/p/BER-2022-OPS-SRBAC - https://etherpad.opendev.org/p/rbac-operator-feedback Considering this feedback, we decided to postpone the system scope implementation, release the project reader role, and not change the legacy admin behaviour. To keep the legacy admin behaviour unchanged, we need to modify our new policy defaults so that the legacy admin continues to have access to the APIs it could access under the old RBAC. Basically the changes are: - PROJECT_ADMIN -> ADMIN (legacy admin who can do things in all projects) - PROJECT_MEMBER -> PROJECT_MEMBER_OR_ADMIN (give access to legacy admin too) - PROJECT_READER -> PROJECT_READER_OR_ADMIN (give access to legacy admin too) The complete direction on RBAC is documented in the community-wide goal - https://review.opendev.org/c/openstack/governance/+/847418/13 Change-Id: I37e706f75a36fb27da1bdd5fba671cb1bcadc745
Diffstat (limited to 'nova/policies')
-rw-r--r--nova/policies/admin_actions.py4
-rw-r--r--nova/policies/admin_password.py2
-rw-r--r--nova/policies/assisted_volume_snapshots.py4
-rw-r--r--nova/policies/attach_interfaces.py8
-rw-r--r--nova/policies/base.py44
-rw-r--r--nova/policies/console_auth_tokens.py2
-rw-r--r--nova/policies/console_output.py2
-rw-r--r--nova/policies/create_backup.py2
-rw-r--r--nova/policies/deferred_delete.py4
-rw-r--r--nova/policies/evacuate.py2
-rw-r--r--nova/policies/extended_server_attributes.py2
-rw-r--r--nova/policies/floating_ips.py12
-rw-r--r--nova/policies/instance_actions.py8
-rw-r--r--nova/policies/ips.py4
-rw-r--r--nova/policies/limits.py2
-rw-r--r--nova/policies/lock_server.py6
-rw-r--r--nova/policies/migrate_server.py4
-rw-r--r--nova/policies/migrations.py2
-rw-r--r--nova/policies/multinic.py4
-rw-r--r--nova/policies/networks.py4
-rw-r--r--nova/policies/pause_server.py4
-rw-r--r--nova/policies/quota_sets.py14
-rw-r--r--nova/policies/remote_consoles.py2
-rw-r--r--nova/policies/rescue.py4
-rw-r--r--nova/policies/security_groups.py20
-rw-r--r--nova/policies/server_diagnostics.py2
-rw-r--r--nova/policies/server_external_events.py2
-rw-r--r--nova/policies/server_groups.py10
-rw-r--r--nova/policies/server_metadata.py12
-rw-r--r--nova/policies/server_password.py4
-rw-r--r--nova/policies/server_tags.py12
-rw-r--r--nova/policies/server_topology.py4
-rw-r--r--nova/policies/servers.py60
-rw-r--r--nova/policies/servers_migrations.py8
-rw-r--r--nova/policies/shelve.py8
-rw-r--r--nova/policies/simple_tenant_usage.py4
-rw-r--r--nova/policies/suspend_server.py4
-rw-r--r--nova/policies/volumes.py20
-rw-r--r--nova/policies/volumes_attachments.py12
39 files changed, 160 insertions, 168 deletions
diff --git a/nova/policies/admin_actions.py b/nova/policies/admin_actions.py
index 4db7d8e1c3..e07d66ee36 100644
--- a/nova/policies/admin_actions.py
+++ b/nova/policies/admin_actions.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-admin-actions:%s'
admin_actions_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'reset_state',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Reset the state of a given server",
operations=[
{
@@ -35,7 +35,7 @@ admin_actions_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'inject_network_info',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Inject network information into the server",
operations=[
{
diff --git a/nova/policies/admin_password.py b/nova/policies/admin_password.py
index 439966a9af..ad87aa7c96 100644
--- a/nova/policies/admin_password.py
+++ b/nova/policies/admin_password.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-admin-password'
admin_password_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Change the administrative password for a server",
operations=[
{
diff --git a/nova/policies/assisted_volume_snapshots.py b/nova/policies/assisted_volume_snapshots.py
index 0630ee7a50..98a67a8e37 100644
--- a/nova/policies/assisted_volume_snapshots.py
+++ b/nova/policies/assisted_volume_snapshots.py
@@ -29,7 +29,7 @@ assisted_volume_snapshots_policies = [
# can call it with user having 'service' role (not having
# correct project_id). That is for phase-2 of RBAC goal and until
# then, we keep it open for all admin in any project. We cannot
- # default it to PROJECT_ADMIN which has the project_id in
+ # default it to ADMIN which has the project_id in
# check_str and will fail if cinder call it with other project_id.
check_str=base.ADMIN,
description="Create an assisted volume snapshot",
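Review bot: The reworded comment now contradicts the line it explains: it says "We cannot default it to ADMIN which has the project_id in check_str" while `check_str=base.ADMIN` follows immediately, and `ADMIN` (`rule:context_is_admin` in base.py) carries no project_id match at all — that constraint belonged to the removed `PROJECT_ADMIN`/`project_admin_api` rule. The substitution should name the property, not the constant: `# default it to a project-scoped admin rule (one carrying project_id in its` / `# check_str), as that will fail if cinder calls it with another project_id.` The same stale wording appears in the second hunk of this file (`delete`) and in the server_external_events.py hunk. The enclosing `DocumentedRuleDefault(` call starts before this hunk.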
@@ -47,7 +47,7 @@ assisted_volume_snapshots_policies = [
# can call it with user having 'service' role (not having
# correct project_id). That is for phase-2 of RBAC goal and until
# then, we keep it open for all admin in any project. We cannot
- # default it to PROJECT_ADMIN which has the project_id in
+ # default it to ADMIN which has the project_id in
# check_str and will fail if cinder call it with other project_id.
check_str=base.ADMIN,
description="Delete an assisted volume snapshot",
diff --git a/nova/policies/attach_interfaces.py b/nova/policies/attach_interfaces.py
index eb365fd99d..b996e8ae59 100644
--- a/nova/policies/attach_interfaces.py
+++ b/nova/policies/attach_interfaces.py
@@ -37,7 +37,7 @@ DEPRECATED_INTERFACES_POLICY = policy.DeprecatedRule(
attach_interfaces_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'list',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="List port interfaces attached to a server",
operations=[
{
@@ -49,7 +49,7 @@ attach_interfaces_policies = [
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show details of a port interface attached to a server",
operations=[
{
@@ -61,7 +61,7 @@ attach_interfaces_policies = [
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Attach an interface to a server",
operations=[
{
@@ -73,7 +73,7 @@ attach_interfaces_policies = [
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Detach an interface from a server",
operations=[
{
diff --git a/nova/policies/base.py b/nova/policies/base.py
index 2d60f4634a..ab0c319cdf 100644
--- a/nova/policies/base.py
+++ b/nova/policies/base.py
@@ -36,28 +36,26 @@ DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'
)
-PROJECT_ADMIN = 'rule:project_admin_api'
+
+ADMIN = 'rule:context_is_admin'
PROJECT_MEMBER = 'rule:project_member_api'
PROJECT_READER = 'rule:project_reader_api'
+PROJECT_MEMBER_OR_ADMIN = 'rule:project_member_or_admin'
PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin'
-ADMIN = 'rule:context_is_admin'
-# NOTE(gmann): Below is the mapping of new roles and scope_types
-# with legacy roles::
+# NOTE(gmann): Below is the mapping of new roles with legacy roles::
-# Legacy Rule | New Rules |Operation |scope_type|
-# -------------------+---------------------+----------------+-----------
-# |-> ADMIN |Global resource | [system]
-# RULE_ADMIN_API | |Write & Read |
-# |-> PROJECT_ADMIN |Project resource| [project]
-# | |Write |
-# ----------------------------------------------------------------------
-# |-> PROJECT_ADMIN |Project resource| [project]
-# | |Write |
-# |-> PROJECT_MEMBER |Project resource| [project]
-# RULE_ADMIN_OR_OWNER| |Write |
-# |-> PROJECT_READER |Project resource| [project]
-# | |Read |
+# Legacy Rule | New Rules |Operation |scope_type|
+# -------------------+---------------------------+----------------+-----------
+# RULE_ADMIN_API |-> ADMIN |Global resource | [project]
+# | |Write & Read |
+# -------------------+---------------------------+----------------+-----------
+# |-> ADMIN |Project admin | [project]
+# | |level operation |
+# RULE_ADMIN_OR_OWNER|-> PROJECT_MEMBER_OR_ADMIN |Project resource| [project]
+# | |Write |
+# |-> PROJECT_READER_OR_ADMIN |Project resource| [project]
+# | |Read |
# NOTE(johngarbutt) The base rules here affect so many APIs the list
# of related API operations has not been populated. It would be
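Review bot: `ADMIN` is now the default for every operation that was `PROJECT_ADMIN`, yet nothing at the constant says that it deliberately drops the `project_id:%(project_id)s` constraint the removed `project_admin_api` rule had, so a reader of base.py alone cannot tell that the admin role now reaches resources of any project. A short note at the definition would carry the decision from the commit message into the code, e.g. `# NOTE: ADMIN carries no project_id constraint; the admin role may act on` / `# resources of any project (legacy admin behaviour, kept on purpose).` The `context_is_admin` rule itself is defined outside this hunk, and the NOTE(johngarbutt) comment at the bottom continues past it.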
@@ -92,11 +90,6 @@ rules = [
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'),
policy.RuleDefault(
- "project_admin_api",
- "role:admin and project_id:%(project_id)s",
- "Default rule for Project level admin APIs.",
- deprecated_rule=DEPRECATED_ADMIN_POLICY),
- policy.RuleDefault(
"project_member_api",
"role:member and project_id:%(project_id)s",
"Default rule for Project level non admin APIs.",
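Review bot: Removing the `project_admin_api` RuleDefault outright leaves any operator policy file that overrides or references `rule:project_admin_api` pointing at a rule that no longer exists; if I recall correctly, oslo.policy evaluates a reference to an undefined rule as False, so such overrides would start failing closed with no registration-time error. Since the other renamed rules in this file keep a `deprecated_rule` for one cycle, consider keeping a `project_admin_api` RuleDefault with its previous check_str and a deprecation marker for the same period, or at least a release note and upgrade check telling operators to migrate those overrides. The `rules` list this hunk edits starts before the hunk.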
@@ -107,9 +100,14 @@ rules = [
"Default rule for Project level read only APIs.",
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
policy.RuleDefault(
+ "project_member_or_admin",
+ "rule:project_member_api or rule:context_is_admin",
+ "Default rule for Project Member or admin APIs.",
+ deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
+ policy.RuleDefault(
"project_reader_or_admin",
"rule:project_reader_api or rule:context_is_admin",
- "Default rule for Project reader and admin APIs.",
+ "Default rule for Project reader or admin APIs.",
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY)
]
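Review bot: The new rule's description `"Default rule for Project Member or admin APIs."` capitalises "Member" while the sibling line, which this hunk also edits, reads "Project reader or admin APIs."; the two should match, e.g. `"Default rule for Project member or admin APIs.",`. Note also that `project_member_or_admin` reuses `DEPRECATED_ADMIN_OR_OWNER_POLICY`, so until new defaults are enforced it is combined with that legacy check like the other project-level rules; that is consistent with the file but worth a one-line comment on the rule so the wider effective check is not a surprise.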
diff --git a/nova/policies/console_auth_tokens.py b/nova/policies/console_auth_tokens.py
index bad3130e78..5f784965cf 100644
--- a/nova/policies/console_auth_tokens.py
+++ b/nova/policies/console_auth_tokens.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-auth-tokens'
console_auth_tokens_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Show console connection information for a given console "
"authentication token",
operations=[
diff --git a/nova/policies/console_output.py b/nova/policies/console_output.py
index 4a5a21ef55..625971b5d7 100644
--- a/nova/policies/console_output.py
+++ b/nova/policies/console_output.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-output'
console_output_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description='Show console output for a server',
operations=[
{
diff --git a/nova/policies/create_backup.py b/nova/policies/create_backup.py
index 173ad3e36f..c18fa11e84 100644
--- a/nova/policies/create_backup.py
+++ b/nova/policies/create_backup.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-create-backup'
create_backup_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description='Create a back up of a server',
operations=[
{
diff --git a/nova/policies/deferred_delete.py b/nova/policies/deferred_delete.py
index a912966897..9c18aa02de 100644
--- a/nova/policies/deferred_delete.py
+++ b/nova/policies/deferred_delete.py
@@ -36,7 +36,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
deferred_delete_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'restore',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Restore a soft deleted server",
operations=[
{
@@ -48,7 +48,7 @@ deferred_delete_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'force',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Force delete a server before deferred cleanup",
operations=[
{
diff --git a/nova/policies/evacuate.py b/nova/policies/evacuate.py
index 4c66f90147..3a0fd502fd 100644
--- a/nova/policies/evacuate.py
+++ b/nova/policies/evacuate.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-evacuate'
evacuate_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Evacuate a server from a failed host to a new host",
operations=[
{
diff --git a/nova/policies/extended_server_attributes.py b/nova/policies/extended_server_attributes.py
index ce5c531a73..ba151a36cc 100644
--- a/nova/policies/extended_server_attributes.py
+++ b/nova/policies/extended_server_attributes.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-extended-server-attributes'
extended_server_attributes_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="""Return extended attributes for server.
This rule will control the visibility for a set of servers attributes:
diff --git a/nova/policies/floating_ips.py b/nova/policies/floating_ips.py
index 2cb5b34679..48d60d7b89 100644
--- a/nova/policies/floating_ips.py
+++ b/nova/policies/floating_ips.py
@@ -38,7 +38,7 @@ DEPRECATED_FIP_POLICY = policy.DeprecatedRule(
floating_ips_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'add',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Associate floating IPs to server. "
" This API is deprecated.",
operations=[
@@ -51,7 +51,7 @@ floating_ips_policies = [
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'remove',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Disassociate floating IPs to server. "
" This API is deprecated.",
operations=[
@@ -64,7 +64,7 @@ floating_ips_policies = [
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="List floating IPs. This API is deprecated.",
operations=[
{
@@ -76,7 +76,7 @@ floating_ips_policies = [
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'create',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create floating IPs. This API is deprecated.",
operations=[
{
@@ -88,7 +88,7 @@ floating_ips_policies = [
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show floating IPs. This API is deprecated.",
operations=[
{
@@ -100,7 +100,7 @@ floating_ips_policies = [
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'delete',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete floating IPs. This API is deprecated.",
operations=[
{
diff --git a/nova/policies/instance_actions.py b/nova/policies/instance_actions.py
index 85e2f63244..e3e16a58f0 100644
--- a/nova/policies/instance_actions.py
+++ b/nova/policies/instance_actions.py
@@ -38,7 +38,7 @@ DEPRECATED_INSTANCE_ACTION_POLICY = policy.DeprecatedRule(
instance_actions_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'events:details',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="""Add "details" key in action events for a server.
This check is performed only after the check
@@ -59,7 +59,7 @@ but in the other hand it might leak information about the deployment
scope_types=['project']),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'events',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="""Add events details in action details for a server.
This check is performed only after the check
os_compute_api:os-instance-actions:show passes. Beginning with Microversion
@@ -76,7 +76,7 @@ passes, the name of the host.""",
scope_types=['project']),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="""List actions for a server.""",
operations=[
{
@@ -88,7 +88,7 @@ passes, the name of the host.""",
deprecated_rule=DEPRECATED_INSTANCE_ACTION_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="""Show action details for a server.""",
operations=[
{
diff --git a/nova/policies/ips.py b/nova/policies/ips.py
index d63c345389..20cad2522a 100644
--- a/nova/policies/ips.py
+++ b/nova/policies/ips.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:ips:%s'
ips_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show IP addresses details for a network label of a "
" server",
operations=[
@@ -36,7 +36,7 @@ ips_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="List IP addresses that are assigned to a server",
operations=[
{
diff --git a/nova/policies/limits.py b/nova/policies/limits.py
index 56bc0e830d..1216dd1995 100644
--- a/nova/policies/limits.py
+++ b/nova/policies/limits.py
@@ -49,7 +49,7 @@ limits_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=OTHER_PROJECT_LIMIT_POLICY_NAME,
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="""Show rate and absolute limits of other project.
This policy only checks if the user has access to the requested
diff --git a/nova/policies/lock_server.py b/nova/policies/lock_server.py
index ca65b1cf9b..f7a018803c 100644
--- a/nova/policies/lock_server.py
+++ b/nova/policies/lock_server.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-lock-server:%s'
lock_server_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'lock',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Lock a server",
operations=[
{
@@ -36,7 +36,7 @@ lock_server_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'unlock',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Unlock a server",
operations=[
{
@@ -48,7 +48,7 @@ lock_server_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'unlock:unlock_override',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="""Unlock a server, regardless who locked the server.
This check is performed only after the check
diff --git a/nova/policies/migrate_server.py b/nova/policies/migrate_server.py
index d00fd562d2..0b3d7c8bd1 100644
--- a/nova/policies/migrate_server.py
+++ b/nova/policies/migrate_server.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-migrate-server:%s'
migrate_server_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'migrate',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Cold migrate a server to a host",
operations=[
{
@@ -35,7 +35,7 @@ migrate_server_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'migrate_live',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Live migrate a server to a new host without a reboot",
operations=[
{
diff --git a/nova/policies/migrations.py b/nova/policies/migrations.py
index 4647d53496..ce2aeaa564 100644
--- a/nova/policies/migrations.py
+++ b/nova/policies/migrations.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-migrations:%s'
migrations_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="List migrations",
operations=[
{
diff --git a/nova/policies/multinic.py b/nova/policies/multinic.py
index ff16cb5143..7119ec25b4 100644
--- a/nova/policies/multinic.py
+++ b/nova/policies/multinic.py
@@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
multinic_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'add',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Add a fixed IP address to a server.
This API is proxy calls to the Network service. This is
@@ -53,7 +53,7 @@ deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'remove',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Remove a fixed IP address from a server.
This API is proxy calls to the Network service. This is
diff --git a/nova/policies/networks.py b/nova/policies/networks.py
index ab0ce1512b..928705d8be 100644
--- a/nova/policies/networks.py
+++ b/nova/policies/networks.py
@@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
networks_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'list',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="""List networks for the project.
This API is proxy calls to the Network service. This is deprecated.""",
@@ -52,7 +52,7 @@ This API is proxy calls to the Network service. This is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="""Show network details.
This API is proxy calls to the Network service. This is deprecated.""",
diff --git a/nova/policies/pause_server.py b/nova/policies/pause_server.py
index a7318b16f8..96a1ff4c0d 100644
--- a/nova/policies/pause_server.py
+++ b/nova/policies/pause_server.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-pause-server:%s'
pause_server_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'pause',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Pause a server",
operations=[
{
@@ -36,7 +36,7 @@ pause_server_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'unpause',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Unpause a paused server",
operations=[
{
diff --git a/nova/policies/quota_sets.py b/nova/policies/quota_sets.py
index a44c6fa918..ae8c471f56 100644
--- a/nova/policies/quota_sets.py
+++ b/nova/policies/quota_sets.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-sets:%s'
quota_sets_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Update the quotas",
operations=[
{
@@ -46,13 +46,7 @@ quota_sets_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- # TODO(gmann): Until we have domain admin or so to get other project's
- # data, allow admin role(with scope check it will be project admin) to
- # get other project quota. We cannot use PROJECT_ADMIN here as
- # project_id passed in request url is used as policy targets which
- # would not match with context's project_id fetched for rule
- # PROJECT_ADMIN check.
- check_str='(' + base.PROJECT_READER + ') or role:admin',
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show a quota",
operations=[
{
@@ -63,7 +57,7 @@ quota_sets_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Revert quotas to defaults",
operations=[
{
@@ -77,7 +71,7 @@ quota_sets_policies = [
# TODO(gmann): Until we have domain admin or so to get other project's
# data, allow admin role(with scope check it will be project admin) to
# get other project quota.
- check_str='(' + base.PROJECT_READER + ') or role:admin',
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show the detail of quota",
operations=[
{
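Review bot: The TODO kept above `check_str` here ("allow admin role(with scope check it will be project admin) to get other project quota") is now stale: the commit deletes the matching TODO from the `show` rule in the previous hunk, and with `PROJECT_READER_OR_ADMIN` the admin half is `rule:context_is_admin`, which has no project scope check, so "it will be project admin" no longer describes the behaviour. Either drop it as was done for `show`, or reword it to `# TODO(gmann): Until we have domain admin or so to get other project's` / `# data, allow the (legacy, any-project) admin to get other project quota.`. Whether this is semantically identical to the old `role:admin` suffix depends on how `context_is_admin` is defined, which is outside these hunks. The enclosing `DocumentedRuleDefault(` starts before the hunk.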
diff --git a/nova/policies/remote_consoles.py b/nova/policies/remote_consoles.py
index 4b217dc74c..e32dd33d4c 100644
--- a/nova/policies/remote_consoles.py
+++ b/nova/policies/remote_consoles.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-remote-consoles'
remote_consoles_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Generate a URL to access remove server console.
This policy is for ``POST /remote-consoles`` API and below Server actions APIs
diff --git a/nova/policies/rescue.py b/nova/policies/rescue.py
index 040caa4275..f9f72e92ef 100644
--- a/nova/policies/rescue.py
+++ b/nova/policies/rescue.py
@@ -37,7 +37,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
rescue_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Rescue a server",
operations=[
{
@@ -48,7 +48,7 @@ rescue_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=UNRESCUE_POLICY_NAME,
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Unrescue a server",
operations=[
{
diff --git a/nova/policies/security_groups.py b/nova/policies/security_groups.py
index e5649d5da5..d6318bc724 100644
--- a/nova/policies/security_groups.py
+++ b/nova/policies/security_groups.py
@@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
security_groups_policies = [
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'get',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="List security groups. This API is deprecated.",
operations=[
{
@@ -50,7 +50,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show security group. This API is deprecated.",
operations=[
{
@@ -62,7 +62,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'create',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create security group. This API is deprecated.",
operations=[
{
@@ -74,7 +74,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'update',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Update security group. This API is deprecated.",
operations=[
{
@@ -86,7 +86,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'delete',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete security group. This API is deprecated.",
operations=[
{
@@ -98,7 +98,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'rule:create',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create security group Rule. This API is deprecated.",
operations=[
{
@@ -110,7 +110,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'rule:delete',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete security group Rule. This API is deprecated.",
operations=[
{
@@ -122,7 +122,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'list',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="List security groups of server.",
operations=[
{
@@ -134,7 +134,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'add',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Add security groups to server.",
operations=[
{
@@ -146,7 +146,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'remove',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Remove security groups from server.",
operations=[
{
diff --git a/nova/policies/server_diagnostics.py b/nova/policies/server_diagnostics.py
index ebafab4378..6774b7e862 100644
--- a/nova/policies/server_diagnostics.py
+++ b/nova/policies/server_diagnostics.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-server-diagnostics'
server_diagnostics_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Show the usage data for a server",
operations=[
{
diff --git a/nova/policies/server_external_events.py b/nova/policies/server_external_events.py
index da832eb94d..56034d0186 100644
--- a/nova/policies/server_external_events.py
+++ b/nova/policies/server_external_events.py
@@ -30,7 +30,7 @@ server_external_events_policies = [
# neutron can call it with user having 'service' role (not having
# server's project_id). That is for phase-2 of RBAC goal and until
# then, we keep it open for all admin in any project. We cannot
- # default it to PROJECT_ADMIN which has the project_id in
+ # default it to ADMIN which has the project_id in
# check_str and will fail if neutron call it with other project_id.
check_str=base.ADMIN,
description="Create one or more external events",
diff --git a/nova/policies/server_groups.py b/nova/policies/server_groups.py
index be1cb62835..8dfbe7c202 100644
--- a/nova/policies/server_groups.py
+++ b/nova/policies/server_groups.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-server-groups:%s'
server_groups_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create a new server group",
operations=[
{
@@ -36,7 +36,7 @@ server_groups_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete a server group",
operations=[
{
@@ -48,7 +48,7 @@ server_groups_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="List all server groups",
operations=[
{
@@ -60,7 +60,7 @@ server_groups_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index:all_projects',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="List all server groups for all projects",
operations=[
{
@@ -72,7 +72,7 @@ server_groups_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show details of a server group",
operations=[
{
diff --git a/nova/policies/server_metadata.py b/nova/policies/server_metadata.py
index 1e6b525cb6..f136df8439 100644
--- a/nova/policies/server_metadata.py
+++ b/nova/policies/server_metadata.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:server-metadata:%s'
server_metadata_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="List all metadata of a server",
operations=[
{
@@ -36,7 +36,7 @@ server_metadata_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show metadata for a server",
operations=[
{
@@ -48,7 +48,7 @@ server_metadata_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create metadata for a server",
operations=[
{
@@ -60,7 +60,7 @@ server_metadata_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update_all',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Replace metadata for a server",
operations=[
{
@@ -72,7 +72,7 @@ server_metadata_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Update metadata from a server",
operations=[
{
@@ -84,7 +84,7 @@ server_metadata_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete metadata from a server",
operations=[
{
diff --git a/nova/policies/server_password.py b/nova/policies/server_password.py
index 95fa95830c..1f9ddafd3c 100644
--- a/nova/policies/server_password.py
+++ b/nova/policies/server_password.py
@@ -37,7 +37,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
server_password_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show the encrypted administrative "
"password of a server",
operations=[
@@ -50,7 +50,7 @@ server_password_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'clear',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Clear the encrypted administrative "
"password of a server",
operations=[
diff --git a/nova/policies/server_tags.py b/nova/policies/server_tags.py
index 014c8d1488..baa1123987 100644
--- a/nova/policies/server_tags.py
+++ b/nova/policies/server_tags.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-server-tags:%s'
server_tags_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete_all',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete all the server tags",
operations=[
{
@@ -35,7 +35,7 @@ server_tags_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="List all tags for given server",
operations=[
{
@@ -46,7 +46,7 @@ server_tags_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update_all',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Replace all tags on specified server with the new set "
"of tags.",
operations=[
@@ -59,7 +59,7 @@ server_tags_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete a single tag from the specified server",
operations=[
{
@@ -71,7 +71,7 @@ server_tags_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Add a single tag to the server if server has no "
"specified tag",
operations=[
@@ -84,7 +84,7 @@ server_tags_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Check tag existence on the server.",
operations=[
{
diff --git a/nova/policies/server_topology.py b/nova/policies/server_topology.py
index 7b68e67481..0e6c203e4f 100644
--- a/nova/policies/server_topology.py
+++ b/nova/policies/server_topology.py
@@ -21,7 +21,7 @@ BASE_POLICY_NAME = 'compute:server:topology:%s'
server_topology_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'index',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show the NUMA topology data for a server",
operations=[
{
@@ -33,7 +33,7 @@ server_topology_policies = [
policy.DocumentedRuleDefault(
# Control host NUMA node and cpu pinning information
name=BASE_POLICY_NAME % 'host:index',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Show the NUMA topology data for a server with host "
"NUMA ID and CPU pinning information",
operations=[
diff --git a/nova/policies/servers.py b/nova/policies/servers.py
index faa8f8d02c..1e41baa203 100644
--- a/nova/policies/servers.py
+++ b/nova/policies/servers.py
@@ -36,7 +36,7 @@ not for list extra specs and showing it in flavor API response.
rules = [
policy.DocumentedRuleDefault(
name=SERVERS % 'index',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="List all servers",
operations=[
{
@@ -47,7 +47,7 @@ rules = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'detail',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="List all servers with detailed information",
operations=[
{
@@ -58,7 +58,7 @@ rules = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'index:get_all_tenants',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="List all servers for all projects",
operations=[
{
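Review bot: The `index:get_all_tenants` rule keeps `scope_types=['project']` (L1001 just above the hunk, and on the sibling rules) while its default becomes `base.ADMIN`, so what this rule now grants depends entirely on how base.py (outside this chunk) defines ADMIN — presumably a bare `role:admin` with no `project_id` term, meaning a user holding the admin role in any project can list every project's servers. That is the legacy behaviour the commit description asks for, but it is worth stating in the rule text so operators reading generated sample policy see it: `description="List all servers for all projects (admin role in any project)"`. Operators who turn on `[oslo_policy] enforce_scope` should also be aware that, with only the project scope type listed, system-scoped admin tokens would be rejected by these rules; since the commit message says system scope is postponed, that is presumably intended but deserves a release note.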
@@ -70,7 +70,7 @@ rules = [
policy.DocumentedRuleDefault(
name=SERVERS % 'detail:get_all_tenants',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="List all servers with detailed information for "
" all projects",
operations=[
@@ -82,7 +82,7 @@ rules = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'allow_all_filters',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Allow all filters when listing servers",
operations=[
{
@@ -97,7 +97,7 @@ rules = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show a server",
operations=[
{
@@ -108,7 +108,7 @@ rules = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'show:flavor-extra-specs',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Starting with microversion 2.47, the flavor and its "
"extra specs used for a server is also returned in the response "
"when showing server details, updating a server or rebuilding a "
@@ -140,7 +140,7 @@ rules = [
# should do that by default.
policy.DocumentedRuleDefault(
name=SERVERS % 'show:host_status',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="""
Show a server with additional host status information.
@@ -174,7 +174,7 @@ API responses which are also controlled by this policy rule, like the
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'show:host_status:unknown-only',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="""
Show a server with additional host status information, only if host status is
UNKNOWN.
@@ -207,7 +207,7 @@ allow everyone.
scope_types=['project'],),
policy.DocumentedRuleDefault(
name=SERVERS % 'create',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create a server",
operations=[
{
@@ -218,7 +218,7 @@ allow everyone.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create:forced_host',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="""
Create a server on the specified host and/or node.
@@ -235,7 +235,7 @@ host and/or node by bypassing the scheduler filters unlike the
scope_types=['project']),
policy.DocumentedRuleDefault(
name=REQUESTED_DESTINATION,
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="""
Create a server on the requested compute service host and/or
hypervisor_hostname.
@@ -253,7 +253,7 @@ validated by the scheduler filters unlike the
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create:attach_volume',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create a server with the requested volume attached to it",
operations=[
{
@@ -264,7 +264,7 @@ validated by the scheduler filters unlike the
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create:attach_network',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create a server with the requested network attached "
" to it",
operations=[
@@ -276,7 +276,7 @@ validated by the scheduler filters unlike the
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create:trusted_certs',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create a server with trusted image certificate IDs",
operations=[
{
@@ -287,7 +287,7 @@ validated by the scheduler filters unlike the
scope_types=['project']),
policy.DocumentedRuleDefault(
name=ZERO_DISK_FLAVOR,
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="""
This rule controls the compute API validation behavior of creating a server
with a flavor that has 0 disk, indicating the server should be volume-backed.
@@ -312,7 +312,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=NETWORK_ATTACH_EXTERNAL,
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Attach an unshared external network to a server",
operations=[
# Create a server with a requested network or port.
@@ -329,7 +329,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'delete',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete a server",
operations=[
{
@@ -340,7 +340,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'update',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Update a server",
operations=[
{
@@ -351,7 +351,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'confirm_resize',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Confirm a server resize",
operations=[
{
@@ -362,7 +362,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'revert_resize',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Revert a server resize",
operations=[
{
@@ -373,7 +373,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'reboot',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Reboot a server",
operations=[
{
@@ -384,7 +384,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'resize',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Resize a server",
operations=[
{
@@ -410,7 +410,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'rebuild',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Rebuild a server",
operations=[
{
@@ -421,7 +421,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'rebuild:trusted_certs',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Rebuild a server with trusted image certificate IDs",
operations=[
{
@@ -432,7 +432,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create_image',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create an image from a server",
operations=[
{
@@ -443,7 +443,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create_image:allow_volume_backed',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create an image from a volume backed server",
operations=[
{
@@ -454,7 +454,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'start',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Start a server",
operations=[
{
@@ -465,7 +465,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'stop',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Stop a server",
operations=[
{
@@ -476,7 +476,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'trigger_crash_dump',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Trigger crash dump in a server",
operations=[
{
diff --git a/nova/policies/servers_migrations.py b/nova/policies/servers_migrations.py
index 427da8bba2..21762fc575 100644
--- a/nova/policies/servers_migrations.py
+++ b/nova/policies/servers_migrations.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:servers:migrations:%s'
servers_migrations_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Show details for an in-progress live migration for a "
"given server",
operations=[
@@ -36,7 +36,7 @@ servers_migrations_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'force_complete',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Force an in-progress live migration for a given server "
"to complete",
operations=[
@@ -49,7 +49,7 @@ servers_migrations_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Delete(Abort) an in-progress live migration",
operations=[
{
@@ -60,7 +60,7 @@ servers_migrations_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Lists in-progress live migrations for a given server",
operations=[
{
diff --git a/nova/policies/shelve.py b/nova/policies/shelve.py
index eb06ffaa2f..476d212b04 100644
--- a/nova/policies/shelve.py
+++ b/nova/policies/shelve.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-shelve:%s'
shelve_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'shelve',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Shelve server",
operations=[
{
@@ -35,7 +35,7 @@ shelve_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'unshelve',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Unshelve (restore) shelved server",
operations=[
{
@@ -46,7 +46,7 @@ shelve_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'unshelve_to_host',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Unshelve (restore) shelve offloaded server to a "
"specific host",
operations=[
@@ -58,7 +58,7 @@ shelve_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'shelve_offload',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="Shelf-offload (remove) server",
operations=[
{
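Review bot: The description on the `shelve_offload` rule reads "Shelf-offload (remove) server", which looks like a typo for the operation name (the rule itself is `os-shelve:shelve_offload`); suggest `description="Shelve-offload (remove) server"`. It is an unchanged context line in this hunk, so it would be a follow-up rather than part of this policy-default change.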
diff --git a/nova/policies/simple_tenant_usage.py b/nova/policies/simple_tenant_usage.py
index d97d5909eb..41d87d1426 100644
--- a/nova/policies/simple_tenant_usage.py
+++ b/nova/policies/simple_tenant_usage.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-simple-tenant-usage:%s'
simple_tenant_usage_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show usage statistics for a specific tenant",
operations=[
{
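Review bot: The `show` rule for os-simple-tenant-usage addresses a specific tenant named in the request, so the project binding inside `PROJECT_READER_OR_ADMIN` only restricts non-admin callers if the controller passes that requested tenant id as the policy target's `project_id`; if the target falls back to the caller's own project, a reader in one project could read another project's usage figures. The controller is outside this diff, so this is a check to confirm rather than a defect visible here. Once confirmed, the description could say so explicitly, e.g. `description="Show usage statistics for a specific tenant (non-admin callers: their own tenant only)"`.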
@@ -35,7 +35,7 @@ simple_tenant_usage_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'list',
- check_str=base.PROJECT_ADMIN,
+ check_str=base.ADMIN,
description="List per tenant usage statistics for all tenants",
operations=[
{
diff --git a/nova/policies/suspend_server.py b/nova/policies/suspend_server.py
index 3a603903c8..5e889808fd 100644
--- a/nova/policies/suspend_server.py
+++ b/nova/policies/suspend_server.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-suspend-server:%s'
suspend_server_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'resume',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Resume suspended server",
operations=[
{
@@ -35,7 +35,7 @@ suspend_server_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'suspend',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Suspend server",
operations=[
{
diff --git a/nova/policies/volumes.py b/nova/policies/volumes.py
index 0ee941074d..129ced82c1 100644
--- a/nova/policies/volumes.py
+++ b/nova/policies/volumes.py
@@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
volumes_policies = [
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'list',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="""List volumes.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -52,7 +52,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'create',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Create volume.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -66,7 +66,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'detail',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="""List volumes detail.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -80,7 +80,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="""Show volume.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -94,7 +94,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'delete',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Delete volume.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -108,7 +108,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:list',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="""List snapshots.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -122,7 +122,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:create',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Create snapshots.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -136,7 +136,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:detail',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="""List snapshots details.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -150,7 +150,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="""Show snapshot.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -164,7 +164,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:delete',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Delete snapshot.
This API is a proxy call to the Volume service. It is deprecated.""",
diff --git a/nova/policies/volumes_attachments.py b/nova/policies/volumes_attachments.py
index 20b3a2f3e6..68a1694c59 100644
--- a/nova/policies/volumes_attachments.py
+++ b/nova/policies/volumes_attachments.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-volumes-attachments:%s'
volumes_attachments_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="List volume attachments for an instance",
operations=[
{'method': 'GET',
@@ -34,7 +34,7 @@ volumes_attachments_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Attach a volume to an instance",
operations=[
{
@@ -45,7 +45,7 @@ volumes_attachments_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show details of a volume attachment",
operations=[
{
@@ -57,7 +57,7 @@ volumes_attachments_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Update a volume attachment.
New 'update' policy about 'swap + update' request (which is possible
only >2.85) only <swap policy> is checked. We expect <swap policy> to be
@@ -78,7 +78,7 @@ always superset of this policy permission.
# can call it with user having 'service' role (not having server's
# project_id). That is for phase-2 of RBAC goal and until then,
# we keep it open for all admin in any project. We cannot default it to
- # PROJECT_ADMIN which has the project_id in check_str and will fail
+ # ADMIN which has the project_id in check_str and will fail
# if cinder call it with other project_id.
check_str=base.ADMIN,
description="Update a volume attachment with a different volumeId",
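Review bot: The reworded comment on the two changed lines now contradicts the code two lines below it: it says "We cannot default it to ADMIN which has the project_id in check_str and will fail", yet `check_str=base.ADMIN` is exactly what this `swap` rule uses. The mechanical PROJECT_ADMIN→ADMIN substitution lost the meaning — the old PROJECT_ADMIN was the project-bound check, while base.ADMIN (defined in base.py, outside this view) is presumably the one without a `project_id` term. Suggest `# We cannot default it to a project-bound admin check (one with project_id:%(project_id)s in its check_str) because cinder calls this API with a different project_id.` The same substitution appears in the external_events comment at the top of this chunk (L766-767) and is worth re-checking for the same inconsistency.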
@@ -92,7 +92,7 @@ always superset of this policy permission.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Detach a volume from an instance",
operations=[
{