diff --git a/etc/ironic/policy.json.sample b/etc/ironic/policy.json.sample
index 8857fdf8bd..a5310f944b 100644
--- a/etc/ironic/policy.json.sample
+++ b/etc/ironic/policy.json.sample
@@ -19,129 +19,207 @@
# Full read/write API access
#"is_admin": "rule:admin_api or (rule:is_member and role:baremetal_admin)"
-# Retrieve Node records
-#"baremetal:node:get": "rule:is_admin or rule:is_observer"
-
-# Retrieve Node boot device metadata
-#"baremetal:node:get_boot_device": "rule:is_admin or rule:is_observer"
-
-# View Node power and provision state
-#"baremetal:node:get_states": "rule:is_admin or rule:is_observer"
-
# Create Node records
+# POST /nodes
#"baremetal:node:create": "rule:is_admin"
-# Delete Node records
-#"baremetal:node:delete": "rule:is_admin"
+# Retrieve Node records
+# GET /nodes
+# GET /nodes/detail
+# GET /nodes/{node_ident}
+#"baremetal:node:get": "rule:is_admin or rule:is_observer"
# Update Node records
+# PATCH /nodes/{node_ident}
#"baremetal:node:update": "rule:is_admin"
+# Delete Node records
+# DELETE /nodes/{node_ident}
+#"baremetal:node:delete": "rule:is_admin"
+
# Request active validation of Nodes
+# GET /nodes/{node_ident}/validate
#"baremetal:node:validate": "rule:is_admin"
# Set maintenance flag, taking a Node out of service
+# PUT /nodes/{node_ident}/maintenance
#"baremetal:node:set_maintenance": "rule:is_admin"
# Clear maintenance flag, placing the Node into service again
+# DELETE /nodes/{node_ident}/maintenance
#"baremetal:node:clear_maintenance": "rule:is_admin"
+# Retrieve Node boot device metadata
+# GET /nodes/{node_ident}/management/boot_device
+# GET /nodes/{node_ident}/management/boot_device/supported
+#"baremetal:node:get_boot_device": "rule:is_admin or rule:is_observer"
+
# Change Node boot device
+# PUT /nodes/{node_ident}/management/boot_device
#"baremetal:node:set_boot_device": "rule:is_admin"
+# Inject NMI for a node
+# PUT /nodes/{node_ident}/management/inject_nmi
+#"baremetal:node:inject_nmi": "rule:is_admin"
+
+# View Node power and provision state
+# GET /nodes/{node_ident}/states
+#"baremetal:node:get_states": "rule:is_admin or rule:is_observer"
+
# Change Node power status
+# PUT /nodes/{node_ident}/states/power
#"baremetal:node:set_power_state": "rule:is_admin"
# Change Node provision status
+# PUT /nodes/{node_ident}/states/provision
#"baremetal:node:set_provision_state": "rule:is_admin"
# Change Node RAID status
+# PUT /nodes/{node_ident}/states/raid
#"baremetal:node:set_raid_state": "rule:is_admin"
# Get Node console connection information
+# GET /nodes/{node_ident}/states/console
#"baremetal:node:get_console": "rule:is_admin"
# Change Node console status
+# PUT /nodes/{node_ident}/states/console
#"baremetal:node:set_console_state": "rule:is_admin"
# List VIFs attached to node
+# GET /nodes/{node_ident}/vifs
#"baremetal:node:vif:list": "rule:is_admin"
# Attach a VIF to a node
+# POST /nodes/{node_ident}/vifs
#"baremetal:node:vif:attach": "rule:is_admin"
# Detach a VIF from a node
+# DELETE /nodes/{node_ident}/vifs/{node_vif_ident}
#"baremetal:node:vif:detach": "rule:is_admin"
-# Inject NMI for a node
-#"baremetal:node:inject_nmi": "rule:is_admin"
-
# Retrieve Port records
+# GET /ports
+# GET /ports/detail
+# GET /ports/{port_id}
+# GET /nodes/{node_ident}/ports
+# GET /nodes/{node_ident}/ports/detail
+# GET /portgroups/{portgroup_ident}/ports
+# GET /portgroups/{portgroup_ident}/ports/detail
#"baremetal:port:get": "rule:is_admin or rule:is_observer"
# Create Port records
+# POST /ports
#"baremetal:port:create": "rule:is_admin"
# Delete Port records
+# DELETE /ports/{port_id}
#"baremetal:port:delete": "rule:is_admin"
# Update Port records
+# PATCH /ports/{port_id}
#"baremetal:port:update": "rule:is_admin"
# Retrieve Portgroup records
+# GET /portgroups
+# GET /portgroups/detail
+# GET /portgroups/{portgroup_ident}
+# GET /nodes/{node_ident}/portgroups
+# GET /nodes/{node_ident}/portgroups/detail
#"baremetal:portgroup:get": "rule:is_admin or rule:is_observer"
# Create Portgroup records
+# POST /portgroups
#"baremetal:portgroup:create": "rule:is_admin"
# Delete Portgroup records
+# DELETE /portgroups/{portgroup_ident}
#"baremetal:portgroup:delete": "rule:is_admin"
# Update Portgroup records
+# PATCH /portgroups/{portgroup_ident}
#"baremetal:portgroup:update": "rule:is_admin"
# Retrieve Chassis records
+# GET /chassis
+# GET /chassis/detail
+# GET /chassis/{chassis_id}
#"baremetal:chassis:get": "rule:is_admin or rule:is_observer"
# Create Chassis records
+# POST /chassis
#"baremetal:chassis:create": "rule:is_admin"
# Delete Chassis records
+# DELETE /chassis/{chassis_id}
#"baremetal:chassis:delete": "rule:is_admin"
# Update Chassis records
+# PATCH /chassis/{chassis_id}
#"baremetal:chassis:update": "rule:is_admin"
# View list of available drivers
+# GET /drivers
+# GET /drivers/{driver_name}
#"baremetal:driver:get": "rule:is_admin or rule:is_observer"
# View driver-specific properties
+# GET /drivers/{driver_name}/properties
#"baremetal:driver:get_properties": "rule:is_admin or rule:is_observer"
# View driver-specific RAID metadata
+# GET /drivers/{driver_name}/raid/logical_disk_properties
#"baremetal:driver:get_raid_logical_disk_properties": "rule:is_admin or rule:is_observer"
# Access vendor-specific Node functions
+# GET nodes/{node_ident}/vendor_passthru/methods
+# GET nodes/{node_ident}/vendor_passthru?method={method_name}
+# PUT nodes/{node_ident}/vendor_passthru?method={method_name}
+# POST nodes/{node_ident}/vendor_passthru?method={method_name}
+# PATCH nodes/{node_ident}/vendor_passthru?method={method_name}
+# DELETE nodes/{node_ident}/vendor_passthru?method={method_name}
#"baremetal:node:vendor_passthru": "rule:is_admin"
# Access vendor-specific Driver functions
+# GET drivers/{driver_name}/vendor_passthru/methods
+# GET drivers/{driver_name}/vendor_passthru?method={method_name}
+# PUT drivers/{driver_name}/vendor_passthru?method={method_name}
+# POST drivers/{driver_name}/vendor_passthru?method={method_name}
+# PATCH drivers/{driver_name}/vendor_passthru?method={method_name}
+# DELETE drivers/{driver_name}/vendor_passthru?method={method_name}
#"baremetal:driver:vendor_passthru": "rule:is_admin"
# Send heartbeats from IPA ramdisk
+# POST /heartbeat/{node_ident}
#"baremetal:node:ipa_heartbeat": "rule:public_api"
# Access IPA ramdisk functions
+# GET /lookup
#"baremetal:driver:ipa_lookup": "rule:public_api"
# Retrieve Volume connector and target records
+# GET /volume
+# GET /volume/connectors
+# GET /volume/connectors/{volume_connector_id}
+# GET /volume/targets
+# GET /volume/targets/{volume_target_id}
+# GET /nodes/{node_ident}/volume
+# GET /nodes/{node_ident}/volume/connectors
+# GET /nodes/{node_ident}/volume/targets
#"baremetal:volume:get": "rule:is_admin or rule:is_observer"
# Create Volume connector and target records
+# POST /volume/connectors
+# POST /volume/targets
#"baremetal:volume:create": "rule:is_admin"
-# Delete Volume connetor and target records
+# Delete Volume connector and target records
+# DELETE /volume/connectors/{volume_connector_id}
+# DELETE /volume/targets/{volume_target_id}
#"baremetal:volume:delete": "rule:is_admin"
# Update Volume connector and target records
+# PATCH /volume/connectors/{volume_connector_id}
+# PATCH /volume/targets/{volume_target_id}
#"baremetal:volume:update": "rule:is_admin"
diff --git a/ironic/common/policy.py b/ironic/common/policy.py
index 3bdc40f4ca..ac67987df6 100644
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@@ -15,6 +15,7 @@
"""Policy Engine For Ironic."""
+import itertools
import sys
from oslo_concurrency import lockutils
@@ -70,169 +71,317 @@ default_policies = [
# depend on their existence throughout the code.
node_policies = [
- policy.RuleDefault('baremetal:node:get',
- 'rule:is_admin or rule:is_observer',
- description='Retrieve Node records'),
- policy.RuleDefault('baremetal:node:get_boot_device',
- 'rule:is_admin or rule:is_observer',
- description='Retrieve Node boot device metadata'),
- policy.RuleDefault('baremetal:node:get_states',
- 'rule:is_admin or rule:is_observer',
- description='View Node power and provision state'),
- policy.RuleDefault('baremetal:node:create',
- 'rule:is_admin',
- description='Create Node records'),
- policy.RuleDefault('baremetal:node:delete',
- 'rule:is_admin',
- description='Delete Node records'),
- policy.RuleDefault('baremetal:node:update',
- 'rule:is_admin',
- description='Update Node records'),
- policy.RuleDefault('baremetal:node:validate',
- 'rule:is_admin',
- description='Request active validation of Nodes'),
- policy.RuleDefault('baremetal:node:set_maintenance',
- 'rule:is_admin',
- description='Set maintenance flag, taking a Node '
- 'out of service'),
- policy.RuleDefault('baremetal:node:clear_maintenance',
- 'rule:is_admin',
- description='Clear maintenance flag, placing the Node '
- 'into service again'),
- policy.RuleDefault('baremetal:node:set_boot_device',
- 'rule:is_admin',
- description='Change Node boot device'),
- policy.RuleDefault('baremetal:node:set_power_state',
- 'rule:is_admin',
- description='Change Node power status'),
- policy.RuleDefault('baremetal:node:set_provision_state',
- 'rule:is_admin',
- description='Change Node provision status'),
- policy.RuleDefault('baremetal:node:set_raid_state',
- 'rule:is_admin',
- description='Change Node RAID status'),
- policy.RuleDefault('baremetal:node:get_console',
- 'rule:is_admin',
- description='Get Node console connection information'),
- policy.RuleDefault('baremetal:node:set_console_state',
- 'rule:is_admin',
- description='Change Node console status'),
- policy.RuleDefault('baremetal:node:vif:list',
- 'rule:is_admin',
- description='List VIFs attached to node'),
- policy.RuleDefault('baremetal:node:vif:attach',
- 'rule:is_admin',
- description='Attach a VIF to a node'),
- policy.RuleDefault('baremetal:node:vif:detach',
- 'rule:is_admin',
- description='Detach a VIF from a node'),
- policy.RuleDefault('baremetal:node:inject_nmi',
- 'rule:is_admin',
- description='Inject NMI for a node'),
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:create',
+ 'rule:is_admin',
+ 'Create Node records',
+ [{'path': '/nodes', 'method': 'POST'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:get',
+ 'rule:is_admin or rule:is_observer',
+ 'Retrieve Node records',
+ [{'path': '/nodes', 'method': 'GET'},
+ {'path': '/nodes/detail', 'method': 'GET'},
+ {'path': '/nodes/{node_ident}', 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:update',
+ 'rule:is_admin',
+ 'Update Node records',
+ [{'path': '/nodes/{node_ident}', 'method': 'PATCH'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:delete',
+ 'rule:is_admin',
+ 'Delete Node records',
+ [{'path': '/nodes/{node_ident}', 'method': 'DELETE'}]),
+
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:validate',
+ 'rule:is_admin',
+ 'Request active validation of Nodes',
+ [{'path': '/nodes/{node_ident}/validate', 'method': 'GET'}]),
+
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:set_maintenance',
+ 'rule:is_admin',
+ 'Set maintenance flag, taking a Node out of service',
+ [{'path': '/nodes/{node_ident}/maintenance', 'method': 'PUT'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:clear_maintenance',
+ 'rule:is_admin',
+ 'Clear maintenance flag, placing the Node into service again',
+ [{'path': '/nodes/{node_ident}/maintenance', 'method': 'DELETE'}]),
+
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:get_boot_device',
+ 'rule:is_admin or rule:is_observer',
+ 'Retrieve Node boot device metadata',
+ [{'path': '/nodes/{node_ident}/management/boot_device',
+ 'method': 'GET'},
+ {'path': '/nodes/{node_ident}/management/boot_device/supported',
+ 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:set_boot_device',
+ 'rule:is_admin',
+ 'Change Node boot device',
+ [{'path': '/nodes/{node_ident}/management/boot_device',
+ 'method': 'PUT'}]),
+
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:inject_nmi',
+ 'rule:is_admin',
+ 'Inject NMI for a node',
+ [{'path': '/nodes/{node_ident}/management/inject_nmi',
+ 'method': 'PUT'}]),
+
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:get_states',
+ 'rule:is_admin or rule:is_observer',
+ 'View Node power and provision state',
+ [{'path': '/nodes/{node_ident}/states', 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:set_power_state',
+ 'rule:is_admin',
+ 'Change Node power status',
+ [{'path': '/nodes/{node_ident}/states/power', 'method': 'PUT'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:set_provision_state',
+ 'rule:is_admin',
+ 'Change Node provision status',
+ [{'path': '/nodes/{node_ident}/states/provision', 'method': 'PUT'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:set_raid_state',
+ 'rule:is_admin',
+ 'Change Node RAID status',
+ [{'path': '/nodes/{node_ident}/states/raid', 'method': 'PUT'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:get_console',
+ 'rule:is_admin',
+ 'Get Node console connection information',
+ [{'path': '/nodes/{node_ident}/states/console', 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:set_console_state',
+ 'rule:is_admin',
+ 'Change Node console status',
+ [{'path': '/nodes/{node_ident}/states/console', 'method': 'PUT'}]),
+
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:vif:list',
+ 'rule:is_admin',
+ 'List VIFs attached to node',
+ [{'path': '/nodes/{node_ident}/vifs', 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:vif:attach',
+ 'rule:is_admin',
+ 'Attach a VIF to a node',
+ [{'path': '/nodes/{node_ident}/vifs', 'method': 'POST'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:vif:detach',
+ 'rule:is_admin',
+ 'Detach a VIF from a node',
+ [{'path': '/nodes/{node_ident}/vifs/{node_vif_ident}',
+ 'method': 'DELETE'}]),
]
port_policies = [
- policy.RuleDefault('baremetal:port:get',
- 'rule:is_admin or rule:is_observer',
- description='Retrieve Port records'),
- policy.RuleDefault('baremetal:port:create',
- 'rule:is_admin',
- description='Create Port records'),
- policy.RuleDefault('baremetal:port:delete',
- 'rule:is_admin',
- description='Delete Port records'),
- policy.RuleDefault('baremetal:port:update',
- 'rule:is_admin',
- description='Update Port records'),
+ policy.DocumentedRuleDefault(
+ 'baremetal:port:get',
+ 'rule:is_admin or rule:is_observer',
+ 'Retrieve Port records',
+ [{'path': '/ports', 'method': 'GET'},
+ {'path': '/ports/detail', 'method': 'GET'},
+ {'path': '/ports/{port_id}', 'method': 'GET'},
+ {'path': '/nodes/{node_ident}/ports', 'method': 'GET'},
+ {'path': '/nodes/{node_ident}/ports/detail', 'method': 'GET'},
+ {'path': '/portgroups/{portgroup_ident}/ports', 'method': 'GET'},
+ {'path': '/portgroups/{portgroup_ident}/ports/detail',
+ 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:port:create',
+ 'rule:is_admin',
+ 'Create Port records',
+ [{'path': '/ports', 'method': 'POST'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:port:delete',
+ 'rule:is_admin',
+ 'Delete Port records',
+ [{'path': '/ports/{port_id}', 'method': 'DELETE'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:port:update',
+ 'rule:is_admin',
+ 'Update Port records',
+ [{'path': '/ports/{port_id}', 'method': 'PATCH'}]),
]
portgroup_policies = [
- policy.RuleDefault('baremetal:portgroup:get',
- 'rule:is_admin or rule:is_observer',
- description='Retrieve Portgroup records'),
- policy.RuleDefault('baremetal:portgroup:create',
- 'rule:is_admin',
- description='Create Portgroup records'),
- policy.RuleDefault('baremetal:portgroup:delete',
- 'rule:is_admin',
- description='Delete Portgroup records'),
- policy.RuleDefault('baremetal:portgroup:update',
- 'rule:is_admin',
- description='Update Portgroup records'),
+ policy.DocumentedRuleDefault(
+ 'baremetal:portgroup:get',
+ 'rule:is_admin or rule:is_observer',
+ 'Retrieve Portgroup records',
+ [{'path': '/portgroups', 'method': 'GET'},
+ {'path': '/portgroups/detail', 'method': 'GET'},
+ {'path': '/portgroups/{portgroup_ident}', 'method': 'GET'},
+ {'path': '/nodes/{node_ident}/portgroups', 'method': 'GET'},
+ {'path': '/nodes/{node_ident}/portgroups/detail', 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:portgroup:create',
+ 'rule:is_admin',
+ 'Create Portgroup records',
+ [{'path': '/portgroups', 'method': 'POST'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:portgroup:delete',
+ 'rule:is_admin',
+ 'Delete Portgroup records',
+ [{'path': '/portgroups/{portgroup_ident}', 'method': 'DELETE'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:portgroup:update',
+ 'rule:is_admin',
+ 'Update Portgroup records',
+ [{'path': '/portgroups/{portgroup_ident}', 'method': 'PATCH'}]),
]
chassis_policies = [
- policy.RuleDefault('baremetal:chassis:get',
- 'rule:is_admin or rule:is_observer',
- description='Retrieve Chassis records'),
- policy.RuleDefault('baremetal:chassis:create',
- 'rule:is_admin',
- description='Create Chassis records'),
- policy.RuleDefault('baremetal:chassis:delete',
- 'rule:is_admin',
- description='Delete Chassis records'),
- policy.RuleDefault('baremetal:chassis:update',
- 'rule:is_admin',
- description='Update Chassis records'),
+ policy.DocumentedRuleDefault(
+ 'baremetal:chassis:get',
+ 'rule:is_admin or rule:is_observer',
+ 'Retrieve Chassis records',
+ [{'path': '/chassis', 'method': 'GET'},
+ {'path': '/chassis/detail', 'method': 'GET'},
+ {'path': '/chassis/{chassis_id}', 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:chassis:create',
+ 'rule:is_admin',
+ 'Create Chassis records',
+ [{'path': '/chassis', 'method': 'POST'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:chassis:delete',
+ 'rule:is_admin',
+ 'Delete Chassis records',
+ [{'path': '/chassis/{chassis_id}', 'method': 'DELETE'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:chassis:update',
+ 'rule:is_admin',
+ 'Update Chassis records',
+ [{'path': '/chassis/{chassis_id}', 'method': 'PATCH'}]),
]
driver_policies = [
- policy.RuleDefault('baremetal:driver:get',
- 'rule:is_admin or rule:is_observer',
- description='View list of available drivers'),
- policy.RuleDefault('baremetal:driver:get_properties',
- 'rule:is_admin or rule:is_observer',
- description='View driver-specific properties'),
- policy.RuleDefault('baremetal:driver:get_raid_logical_disk_properties',
- 'rule:is_admin or rule:is_observer',
- description='View driver-specific RAID metadata'),
-
+ policy.DocumentedRuleDefault(
+ 'baremetal:driver:get',
+ 'rule:is_admin or rule:is_observer',
+ 'View list of available drivers',
+ [{'path': '/drivers', 'method': 'GET'},
+ {'path': '/drivers/{driver_name}', 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:driver:get_properties',
+ 'rule:is_admin or rule:is_observer',
+ 'View driver-specific properties',
+ [{'path': '/drivers/{driver_name}/properties', 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:driver:get_raid_logical_disk_properties',
+ 'rule:is_admin or rule:is_observer',
+ 'View driver-specific RAID metadata',
+ [{'path': '/drivers/{driver_name}/raid/logical_disk_properties',
+ 'method': 'GET'}]),
]
-extra_policies = [
- policy.RuleDefault('baremetal:node:vendor_passthru',
- 'rule:is_admin',
- description='Access vendor-specific Node functions'),
- policy.RuleDefault('baremetal:driver:vendor_passthru',
- 'rule:is_admin',
- description='Access vendor-specific Driver functions'),
- policy.RuleDefault('baremetal:node:ipa_heartbeat',
- 'rule:public_api',
- description='Send heartbeats from IPA ramdisk'),
- policy.RuleDefault('baremetal:driver:ipa_lookup',
- 'rule:public_api',
- description='Access IPA ramdisk functions'),
+vendor_passthru_policies = [
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:vendor_passthru',
+ 'rule:is_admin',
+ 'Access vendor-specific Node functions',
+ [{'path': 'nodes/{node_ident}/vendor_passthru/methods',
+ 'method': 'GET'},
+ {'path': 'nodes/{node_ident}/vendor_passthru?method={method_name}',
+ 'method': 'GET'},
+ {'path': 'nodes/{node_ident}/vendor_passthru?method={method_name}',
+ 'method': 'PUT'},
+ {'path': 'nodes/{node_ident}/vendor_passthru?method={method_name}',
+ 'method': 'POST'},
+ {'path': 'nodes/{node_ident}/vendor_passthru?method={method_name}',
+ 'method': 'PATCH'},
+ {'path': 'nodes/{node_ident}/vendor_passthru?method={method_name}',
+ 'method': 'DELETE'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:driver:vendor_passthru',
+ 'rule:is_admin',
+ 'Access vendor-specific Driver functions',
+ [{'path': 'drivers/{driver_name}/vendor_passthru/methods',
+ 'method': 'GET'},
+ {'path': 'drivers/{driver_name}/vendor_passthru?method={method_name}',
+ 'method': 'GET'},
+ {'path': 'drivers/{driver_name}/vendor_passthru?method={method_name}',
+ 'method': 'PUT'},
+ {'path': 'drivers/{driver_name}/vendor_passthru?method={method_name}',
+ 'method': 'POST'},
+ {'path': 'drivers/{driver_name}/vendor_passthru?method={method_name}',
+ 'method': 'PATCH'},
+ {'path': 'drivers/{driver_name}/vendor_passthru?method={method_name}',
+ 'method': 'DELETE'}]),
+]
+
+utility_policies = [
+ policy.DocumentedRuleDefault(
+ 'baremetal:node:ipa_heartbeat',
+ 'rule:public_api',
+ 'Send heartbeats from IPA ramdisk',
+ [{'path': '/heartbeat/{node_ident}', 'method': 'POST'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:driver:ipa_lookup',
+ 'rule:public_api',
+ 'Access IPA ramdisk functions',
+ [{'path': '/lookup', 'method': 'GET'}]),
]
volume_policies = [
- policy.RuleDefault('baremetal:volume:get',
- 'rule:is_admin or rule:is_observer',
- description='Retrieve Volume connector and target '
- 'records'),
- policy.RuleDefault('baremetal:volume:create',
- 'rule:is_admin',
- description='Create Volume connector and target '
- 'records'),
- policy.RuleDefault('baremetal:volume:delete',
- 'rule:is_admin',
- description='Delete Volume connetor and target '
- 'records'),
- policy.RuleDefault('baremetal:volume:update',
- 'rule:is_admin',
- description='Update Volume connector and target '
- 'records'),
+ policy.DocumentedRuleDefault(
+ 'baremetal:volume:get',
+ 'rule:is_admin or rule:is_observer',
+ 'Retrieve Volume connector and target records',
+ [{'path': '/volume', 'method': 'GET'},
+ {'path': '/volume/connectors', 'method': 'GET'},
+ {'path': '/volume/connectors/{volume_connector_id}', 'method': 'GET'},
+ {'path': '/volume/targets', 'method': 'GET'},
+ {'path': '/volume/targets/{volume_target_id}', 'method': 'GET'},
+ {'path': '/nodes/{node_ident}/volume', 'method': 'GET'},
+ {'path': '/nodes/{node_ident}/volume/connectors', 'method': 'GET'},
+ {'path': '/nodes/{node_ident}/volume/targets', 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:volume:create',
+ 'rule:is_admin',
+ 'Create Volume connector and target records',
+ [{'path': '/volume/connectors', 'method': 'POST'},
+ {'path': '/volume/targets', 'method': 'POST'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:volume:delete',
+ 'rule:is_admin',
+ 'Delete Volume connector and target records',
+ [{'path': '/volume/connectors/{volume_connector_id}',
+ 'method': 'DELETE'},
+ {'path': '/volume/targets/{volume_target_id}',
+ 'method': 'DELETE'}]),
+ policy.DocumentedRuleDefault(
+ 'baremetal:volume:update',
+ 'rule:is_admin',
+ 'Update Volume connector and target records',
+ [{'path': '/volume/connectors/{volume_connector_id}',
+ 'method': 'PATCH'},
+ {'path': '/volume/targets/{volume_target_id}',
+ 'method': 'PATCH'}]),
]
def list_policies():
- policies = (default_policies
- + node_policies
- + port_policies
- + portgroup_policies
- + chassis_policies
- + driver_policies
- + extra_policies
- + volume_policies)
+ policies = itertools.chain(
+ default_policies,
+ node_policies,
+ port_policies,
+ portgroup_policies,
+ chassis_policies,
+ driver_policies,
+ vendor_passthru_policies,
+ utility_policies,
+ volume_policies
+ )
return policies
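Review bot: `list_policies()` now returns the `itertools.chain` object itself, a single-pass iterator, where the removed code returned a concatenated list; any caller that iterates the result more than once, indexes it or calls `len()` on it will now misbehave, and the function's name still promises a list. Either materialize it, `return list(policies)`, or document the new contract with a one-line docstring stating that a one-shot iterable of rule defaults is returned. Two smaller points in the same hunk: the `vendor_passthru_policies` paths are the only ones written without a leading `/` (`'nodes/{node_ident}/vendor_passthru/methods'` vs `'/nodes/{node_ident}/...'` everywhere else), which carries through to the generated sample file, and the module-level name `extra_policies` is removed rather than kept as an alias for the two new lists, so anything outside this module that imported it breaks.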