authorPetr Malik <pmalik@tesora.com>2016-06-27 16:01:42 -0400
committerPetr Malik <pmalik@tesora.com>2016-12-06 21:51:21 +0000
commit21250cf20c0efbe6d57c4a712c51b80667e53b44 (patch)
treed18e6ee84986b798e7654e254a2a6894dc8d54f4 /etc
parent77fd7014c0007c83652dd4fb1f9d3316a97b1ed3 (diff)
downloadtrove-21250cf20c0efbe6d57c4a712c51b80667e53b44.tar.gz
Add support for Oslo Policies to Trove
The Oslo Policy library provides support for RBAC policy enforcement across all OpenStack services. Update the devstack plugin to copy the default policy file over to /etc/trove in the gate environments. Note: Not adding a rule for 'reset-password' instance action as that API was discontinued years ago and is now just waiting for removal (Bug: 1645866). DocImpact Co-Authored-By: Ali Adil <aadil@tesora.com> Change-Id: Ic443a4c663301840406cad537159eab7b0b5ed1c Implements: blueprint trove-policy
Diffstat (limited to 'etc')
-rw-r--r--etc/trove/policy.json96
1 files changed, 96 insertions, 0 deletions
diff --git a/etc/trove/policy.json b/etc/trove/policy.json
new file mode 100644
index 00000000..370a8f2a
--- /dev/null
+++ b/etc/trove/policy.json
@@ -0,0 +1,96 @@
+{
+ "admin": "role:admin or is_admin:True",
+ "admin_or_owner": "rule:admin or tenant:%(tenant)s",
+ "default": "rule:admin_or_owner",
+
+ "instance:create": "rule:admin_or_owner",
+ "instance:delete": "rule:admin_or_owner",
+ "instance:force_delete": "rule:admin_or_owner",
+ "instance:index": "rule:admin_or_owner",
+ "instance:show": "rule:admin_or_owner",
+ "instance:update": "rule:admin_or_owner",
+ "instance:edit": "rule:admin_or_owner",
+ "instance:restart": "rule:admin_or_owner",
+ "instance:resize_volume": "rule:admin_or_owner",
+ "instance:resize_flavor": "rule:admin_or_owner",
+ "instance:reset_status": "rule:admin",
+ "instance:promote_to_replica_source": "rule:admin_or_owner",
+ "instance:eject_replica_source": "rule:admin_or_owner",
+ "instance:configuration": "rule:admin_or_owner",
+ "instance:guest_log_list": "rule:admin_or_owner",
+ "instance:backups": "rule:admin_or_owner",
+ "instance:module_list": "rule:admin_or_owner",
+ "instance:module_apply": "rule:admin_or_owner",
+ "instance:module_remove": "rule:admin_or_owner",
+
+ "instance:extension:root:create": "rule:admin_or_owner",
+ "instance:extension:root:delete": "rule:admin_or_owner",
+ "instance:extension:root:index": "rule:admin_or_owner",
+
+ "instance:extension:user:create": "rule:admin_or_owner",
+ "instance:extension:user:delete": "rule:admin_or_owner",
+ "instance:extension:user:index": "rule:admin_or_owner",
+ "instance:extension:user:show": "rule:admin_or_owner",
+ "instance:extension:user:update": "rule:admin_or_owner",
+ "instance:extension:user:update_all": "rule:admin_or_owner",
+
+ "instance:extension:user_access:update": "rule:admin_or_owner",
+ "instance:extension:user_access:delete": "rule:admin_or_owner",
+ "instance:extension:user_access:index": "rule:admin_or_owner",
+
+ "instance:extension:database:create": "rule:admin_or_owner",
+ "instance:extension:database:delete": "rule:admin_or_owner",
+ "instance:extension:database:index": "rule:admin_or_owner",
+ "instance:extension:database:show": "rule:admin_or_owner",
+
+ "cluster:create": "rule:admin_or_owner",
+ "cluster:delete": "rule:admin_or_owner",
+ "cluster:force_delete": "rule:admin_or_owner",
+ "cluster:index": "rule:admin_or_owner",
+ "cluster:show": "rule:admin_or_owner",
+ "cluster:show_instance": "rule:admin_or_owner",
+ "cluster:action": "rule:admin_or_owner",
+ "cluster:reset-status": "rule:admin",
+
+ "cluster:extension:root:create": "rule:admin_or_owner",
+ "cluster:extension:root:delete": "rule:admin_or_owner",
+ "cluster:extension:root:index": "rule:admin_or_owner",
+
+ "backup:create": "rule:admin_or_owner",
+ "backup:delete": "rule:admin_or_owner",
+ "backup:index": "rule:admin_or_owner",
+ "backup:show": "rule:admin_or_owner",
+
+ "configuration:create": "rule:admin_or_owner",
+ "configuration:delete": "rule:admin_or_owner",
+ "configuration:index": "rule:admin_or_owner",
+ "configuration:show": "rule:admin_or_owner",
+ "configuration:instances": "rule:admin_or_owner",
+ "configuration:update": "rule:admin_or_owner",
+ "configuration:edit": "rule:admin_or_owner",
+
+ "configuration-parameter:index": "rule:admin_or_owner",
+ "configuration-parameter:show": "rule:admin_or_owner",
+ "configuration-parameter:index_by_version": "rule:admin_or_owner",
+ "configuration-parameter:show_by_version": "rule:admin_or_owner",
+
+ "datastore:index": "",
+ "datastore:show": "",
+ "datastore:version_show": "",
+ "datastore:version_show_by_uuid": "",
+ "datastore:version_index": "",
+ "datastore:list_associated_flavors": "",
+ "datastore:list_associated_volume_types": "",
+
+ "flavor:index": "",
+ "flavor:show": "",
+
+ "limits:index": "rule:admin_or_owner",
+
+ "module:create": "rule:admin_or_owner",
+ "module:delete": "rule:admin_or_owner",
+ "module:index": "rule:admin_or_owner",
+ "module:show": "rule:admin_or_owner",
+ "module:instances": "rule:admin_or_owner",
+ "module:update": "rule:admin_or_owner"
+}
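Review bot: The two admin-only keys are spelled inconsistently, `"instance:reset_status"` with an underscore and `"cluster:reset-status"` with a hyphen, and because the catch-all `"default": "rule:admin_or_owner"` applies to any action name the enforcer looks up that is not listed, whichever form the enforcement code (outside this hunk) actually builds for one of them may never match, silently downgrading that reset to owner access instead of failing closed; align the spelling with what the enforcer emits (e.g. `"cluster:reset_status": "rule:admin"`) and add a test that asserts the exact key strings, since a typo here widens access rather than denying it. `rule:admin_or_owner` also depends on every enforce() call passing a target that contains `tenant` (including the non-instance-scoped `instance:index`, `backup:index`, `limits:index` and `module:*` actions); oslo.policy's `tenant:%(tenant)s` evaluates false when the key is absent, so those calls would become admin-only unless the context's tenant is supplied as the target. Note that `role:admin` is unscoped, so an admin on any project is admin for every project's resources (the usual OpenStack admin-scope caveat), and the empty-string rules on the `datastore:*` and `flavor:*` actions mean allow-any-authenticated-caller, which is reasonable for catalog data but should be stated in the policy documentation since this JSON cannot carry an inline comment.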