Adding cinder policy rules file for policy checks. Implementing rule checks as well. Some cinder API calls actually hit nova, so adding those calls as well. Also a couple of improvements to the Horizon policy engine. First, now providing the token scope project_id and user_id as targets by default, unless otherwise specified. Most service policy rules check one or both of these. Second, checking to see if rule exists, before attempting enforcement. If the rule does not exist, using the default rule for that service. This now matches what the service policy engines do. Implements: blueprint block-rbac Change-Id: Ifef08b8975280f4e621ba8eebec9d405e1e870a2
Showing
8 changed files
with
153 additions
and
7 deletions.
@@ -0,0 +1,58 @@ | ||
{ | ||
"context_is_admin": [["role:admin"]], | ||
"admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]], | ||
"default": [["rule:admin_or_owner"]], | ||
|
||
"admin_api": [["is_admin:True"]], | ||
|
||
"volume:create": [], | ||
"volume:delete": [["rule:default"]], | ||
"volume:get_all": [], | ||
"volume:get_volume_metadata": [], | ||
"volume:get_volume_admin_metadata": [["rule:admin_api"]], | ||
"volume:delete_volume_admin_metadata": [["rule:admin_api"]], | ||
"volume:update_volume_admin_metadata": [["rule:admin_api"]], | ||
"volume:create_snapshot": [["rule:default"]], | ||
"volume:delete_snapshot": [["rule:default"]], | ||
"volume:get_snapshot": [], | ||
"volume:get_all_snapshots": [], | ||
"volume:extend": [], | ||
|
||
"volume_extension:types_manage": [["rule:admin_api"]], | ||
"volume_extension:types_extra_specs": [["rule:admin_api"]], | ||
"volume_extension:volume_type_encryption": [["rule:admin_api"]], | ||
"volume_extension:volume_encryption_metadata": [["rule:admin_api"]], | ||
"volume_extension:extended_snapshot_attributes": [], | ||
"volume_extension:volume_image_metadata": [], | ||
|
||
"volume_extension:quotas:show": [], | ||
"volume_extension:quotas:update": [["rule:admin_api"]], | ||
"volume_extension:quota_classes": [], | ||
|
||
"volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]], | ||
"volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]], | ||
"volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]], | ||
"volume_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]], | ||
"volume_extension:volume_admin_actions:migrate_volume": [["rule:admin_api"]], | ||
"volume_extension:volume_admin_actions:migrate_volume_completion": [["rule:admin_api"]], | ||
|
||
"volume_extension:volume_host_attribute": [["rule:admin_api"]], | ||
"volume_extension:volume_tenant_attribute": [["rule:admin_api"]], | ||
"volume_extension:volume_mig_status_attribute": [["rule:admin_api"]], | ||
"volume_extension:hosts": [["rule:admin_api"]], | ||
"volume_extension:services": [["rule:admin_api"]], | ||
"volume:services": [["rule:admin_api"]], | ||
|
||
"volume:create_transfer": [], | ||
"volume:accept_transfer": [], | ||
"volume:delete_transfer": [], | ||
"volume:get_all_transfers": [], | ||
|
||
"backup:create" : [], | ||
"backup:delete": [], | ||
"backup:get": [], | ||
"backup:get_all": [], | ||
"backup:restore": [], | ||
|
||
"snapshot_extension:snapshot_actions:update_snapshot_status": [] | ||
} |
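Review bot: The `admin_or_owner` and `admin_api` rules (lines 19 and 23) depend on an `is_admin` key being present in the credentials dict Horizon hands to the policy engine; if the engine only supplies the token's `project_id`/`user_id` as targets, `is_admin:True` can never match, every `rule:admin_api` entry fails closed and `admin_or_owner` silently degrades to the `project_id` match alone — worth confirming against the engine change in this commit, since `context_is_admin` is defined here but referenced by nothing else in the file. An empty rule list (e.g. `volume:create`, all `backup:*` and `volume:*_transfer` entries) is unconditionally allowed, so this file is a UI gate that should be kept in lockstep with the deployed cinder policy, the service remaining the authoritative check. Minor style point: `"backup:create" : []` on line 75 has a space before the colon unlike every other key; write it as `"backup:create": [],`.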