author | Zuul <zuul@review.opendev.org> | 2020-08-07 15:58:05 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2020-08-07 15:58:05 +0000 |
commit | f96e2f4f62f568571dab580953cac540a1b91ddc (patch) | |
tree | 61e7b4af531e144143b704baa3d7ef4de773c209 /nova/policies | |
parent | ce68f2a7589c0ce399e645f49e240b901c70f692 (diff) | |
parent | b39712f03ed754557c1d3a5d10c37fe0a0e35efb (diff) | |
download | nova-f96e2f4f62f568571dab580953cac540a1b91ddc.tar.gz |
Merge "Add new default roles in volumes policies"
Diffstat (limited to 'nova/policies')
-rw-r--r-- | nova/policies/volumes.py | 138 |
1 files changed, 129 insertions, 9 deletions
diff --git a/nova/policies/volumes.py b/nova/policies/volumes.py
index d346cccc6b..a66e4b1893 100644
--- a/nova/policies/volumes.py
+++ b/nova/policies/volumes.py
@@ -19,61 +19,181 @@ from nova.policies import base BASE_POLICY_NAME = 'os_compute_api:os-volumes' +POLICY_NAME = 'os_compute_api:os-volumes:%s' + +DEPRECATED_POLICY = policy.DeprecatedRule( + BASE_POLICY_NAME, + base.RULE_ADMIN_OR_OWNER, +) + +DEPRECATED_REASON = """ +Nova API policies are introducing new default roles with scope_type +capabilities. Old policies are deprecated and silently going to be ignored +in nova 23.0.0 release. +""" volumes_policies = [ policy.DocumentedRuleDefault( - name=BASE_POLICY_NAME, - check_str=base.RULE_ADMIN_OR_OWNER, - description="""Manage volumes for use with the Compute API. - -Lists, shows details, creates, and deletes volumes and -snapshots. These APIs are proxy calls to the Volume service. -These are all deprecated. -""", + name=POLICY_NAME % 'list', + check_str=base.PROJECT_READER_OR_SYSTEM_READER, + description="""List volumes. + +This API is a proxy call to the Volume service. It is deprecated.""", operations=[ { 'method': 'GET', 'path': '/os-volumes' }, + ], + scope_types=['system', 'project'], + deprecated_rule=DEPRECATED_POLICY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='22.0.0'), + policy.DocumentedRuleDefault( + name=POLICY_NAME % 'create', + check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN, + description="""Create volume. + +This API is a proxy call to the Volume service. It is deprecated.""", + operations=[ { 'method': 'POST', 'path': '/os-volumes' }, + ], + scope_types=['system', 'project'], + deprecated_rule=DEPRECATED_POLICY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='22.0.0'), + policy.DocumentedRuleDefault( + name=POLICY_NAME % 'detail', + check_str=base.PROJECT_READER_OR_SYSTEM_READER, + description="""List volumes detail. + +This API is a proxy call to the Volume service. 
It is deprecated.""", + operations=[ { 'method': 'GET', 'path': '/os-volumes/detail' }, + ], + scope_types=['system', 'project'], + deprecated_rule=DEPRECATED_POLICY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='22.0.0'), + policy.DocumentedRuleDefault( + name=POLICY_NAME % 'show', + check_str=base.PROJECT_READER_OR_SYSTEM_READER, + description="""Show volume. + +This API is a proxy call to the Volume service. It is deprecated.""", + operations=[ { 'method': 'GET', 'path': '/os-volumes/{volume_id}' }, + ], + scope_types=['system', 'project'], + deprecated_rule=DEPRECATED_POLICY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='22.0.0'), + policy.DocumentedRuleDefault( + name=POLICY_NAME % 'delete', + check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN, + description="""Delete volume. + +This API is a proxy call to the Volume service. It is deprecated.""", + operations=[ { 'method': 'DELETE', 'path': '/os-volumes/{volume_id}' }, + ], + scope_types=['system', 'project'], + deprecated_rule=DEPRECATED_POLICY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='22.0.0'), + policy.DocumentedRuleDefault( + name=POLICY_NAME % 'snapshots:list', + check_str=base.PROJECT_READER_OR_SYSTEM_READER, + description="""List snapshots. + +This API is a proxy call to the Volume service. It is deprecated.""", + operations=[ { 'method': 'GET', 'path': '/os-snapshots' }, + ], + scope_types=['system', 'project'], + deprecated_rule=DEPRECATED_POLICY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='22.0.0'), + policy.DocumentedRuleDefault( + name=POLICY_NAME % 'snapshots:create', + check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN, + description="""Create snapshots. + +This API is a proxy call to the Volume service. 
It is deprecated.""", + operations=[ { 'method': 'POST', 'path': '/os-snapshots' }, + ], + scope_types=['system', 'project'], + deprecated_rule=DEPRECATED_POLICY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='22.0.0'), + policy.DocumentedRuleDefault( + name=POLICY_NAME % 'snapshots:detail', + check_str=base.PROJECT_READER_OR_SYSTEM_READER, + description="""List snapshots details. + +This API is a proxy call to the Volume service. It is deprecated.""", + operations=[ { 'method': 'GET', 'path': '/os-snapshots/detail' }, + ], + scope_types=['system', 'project'], + deprecated_rule=DEPRECATED_POLICY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='22.0.0'), + policy.DocumentedRuleDefault( + name=POLICY_NAME % 'snapshots:show', + check_str=base.PROJECT_READER_OR_SYSTEM_READER, + description="""Show snapshot. + +This API is a proxy call to the Volume service. It is deprecated.""", + operations=[ { 'method': 'GET', 'path': '/os-snapshots/{snapshot_id}' }, + ], + scope_types=['system', 'project'], + deprecated_rule=DEPRECATED_POLICY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='22.0.0'), + policy.DocumentedRuleDefault( + name=POLICY_NAME % 'snapshots:delete', + check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN, + description="""Delete snapshot. + +This API is a proxy call to the Volume service. It is deprecated.""", + operations=[ { 'method': 'DELETE', 'path': '/os-snapshots/{snapshot_id}' } ], - scope_types=['system', 'project']), + scope_types=['system', 'project'], + deprecated_rule=DEPRECATED_POLICY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='22.0.0'), ] |
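Review bot: The reader/member split given to the ten `os-volumes` rules is not enforced while `deprecated_rule=DEPRECATED_POLICY` is honoured, because oslo.policy ORs the deprecated `base.RULE_ADMIN_OR_OWNER` check into each new `check_str` during the deprecation window. `base` is not visible in this hunk, but if that rule matches on project ownership alone, a token holding only the reader role on the project would still pass `create`, `delete`, `snapshots:create` and `snapshots:delete` unless the operator sets `[oslo_policy] enforce_new_defaults`. Nothing in the new code tells an operator this, so I would add a comment above `DEPRECATED_POLICY`, for example `# NOTE: until the deprecated rule is dropped, admin_or_owner is OR'd into every rule below; set [oslo_policy] enforce_new_defaults=True to get the reader/member split.` It would also help if `DEPRECATED_REASON` said that an existing override of `os_compute_api:os-volumes` presumably keeps applying to all ten new rules until it is removed, since one override then governs both read and write operations and will stop applying in 23.0.0.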