Security: Make policy fully configurable via helm values
This PS moves the policy.json to be fully driven by gotpl, allowing full configuration without editing the template. Nova and Cinder are addressed in the seperate patchsets: * https://review.openstack.org/#/c/498215/ * https://review.openstack.org/#/c/498216/ Change-Id: Ia2be5fb4e460d41034fdadbbefc1e48d0869e023
This commit is contained in:
parent
27864cec04
commit
7cfd182929
@ -81,7 +81,7 @@ data:
|
||||
api_audit_map.conf: |+
|
||||
{{- tuple .Values.conf.audit_map "etc/_api_audit_map.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
policy.json: |+
|
||||
{{- tuple .Values.conf.override "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{ toJson .Values.conf.policy | indent 4 }}
|
||||
barbican-api.ini: |+
|
||||
{{- tuple .Values.conf.barbican_api "etc/_barbican-api.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{- end }}
|
||||
|
@ -1,90 +0,0 @@
|
||||
{
|
||||
"admin": "role:admin",
|
||||
"observer": "role:observer",
|
||||
"creator": "role:creator",
|
||||
"audit": "role:audit",
|
||||
"service_admin": "role:key-manager:service-admin",
|
||||
"admin_or_user_does_not_work": "project_id:%(project_id)s",
|
||||
"admin_or_user": "rule:admin or project_id:%(project_id)s",
|
||||
"admin_or_creator": "rule:admin or rule:creator",
|
||||
"all_but_audit": "rule:admin or rule:observer or rule:creator",
|
||||
"all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
|
||||
"secret_project_match": "project:%(target.secret.project_id)s",
|
||||
"secret_acl_read": "'read':%(target.secret.read)s",
|
||||
"secret_private_read": "'False':%(target.secret.read_project_access)s",
|
||||
"secret_creator_user": "user:%(target.secret.creator_id)s",
|
||||
"container_project_match": "project:%(target.container.project_id)s",
|
||||
"container_acl_read": "'read':%(target.container.read)s",
|
||||
"container_private_read": "'False':%(target.container.read_project_access)s",
|
||||
"container_creator_user": "user:%(target.container.creator_id)s",
|
||||
|
||||
"secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read",
|
||||
"secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
|
||||
"container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read",
|
||||
"secret_project_admin": "rule:admin and rule:secret_project_match",
|
||||
"secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
|
||||
"container_project_admin": "rule:admin and rule:container_project_match",
|
||||
"container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user",
|
||||
|
||||
"version:get": "@",
|
||||
"secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
|
||||
"secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
|
||||
"secret:put": "rule:admin_or_creator and rule:secret_project_match",
|
||||
"secret:delete": "rule:secret_project_admin or rule:secret_project_creator",
|
||||
"secrets:post": "rule:admin_or_creator",
|
||||
"secrets:get": "rule:all_but_audit",
|
||||
"orders:post": "rule:admin_or_creator",
|
||||
"orders:get": "rule:all_but_audit",
|
||||
"order:get": "rule:all_users",
|
||||
"order:put": "rule:admin_or_creator",
|
||||
"order:delete": "rule:admin",
|
||||
"consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
||||
"consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
||||
"consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
||||
"consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
||||
"containers:post": "rule:admin_or_creator",
|
||||
"containers:get": "rule:all_but_audit",
|
||||
"container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
||||
"container:delete": "rule:container_project_admin or rule:container_project_creator",
|
||||
"container_secret:post": "rule:admin",
|
||||
"container_secret:delete": "rule:admin",
|
||||
"transport_key:get": "rule:all_users",
|
||||
"transport_key:delete": "rule:admin",
|
||||
"transport_keys:get": "rule:all_users",
|
||||
"transport_keys:post": "rule:admin",
|
||||
"certificate_authorities:get_limited": "rule:all_users",
|
||||
"certificate_authorities:get_all": "rule:admin",
|
||||
"certificate_authorities:post": "rule:admin",
|
||||
"certificate_authorities:get_preferred_ca": "rule:all_users",
|
||||
"certificate_authorities:get_global_preferred_ca": "rule:service_admin",
|
||||
"certificate_authorities:unset_global_preferred": "rule:service_admin",
|
||||
"certificate_authority:delete": "rule:admin",
|
||||
"certificate_authority:get": "rule:all_users",
|
||||
"certificate_authority:get_cacert": "rule:all_users",
|
||||
"certificate_authority:get_ca_cert_chain": "rule:all_users",
|
||||
"certificate_authority:get_projects": "rule:service_admin",
|
||||
"certificate_authority:add_to_project": "rule:admin",
|
||||
"certificate_authority:remove_from_project": "rule:admin",
|
||||
"certificate_authority:set_preferred": "rule:admin",
|
||||
"certificate_authority:set_global_preferred": "rule:service_admin",
|
||||
"secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator",
|
||||
"secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator",
|
||||
"secret_acls:get": "rule:all_but_audit and rule:secret_project_match",
|
||||
"container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator",
|
||||
"container_acls:delete": "rule:container_project_admin or rule:container_project_creator",
|
||||
"container_acls:get": "rule:all_but_audit and rule:container_project_match",
|
||||
"quotas:get": "rule:all_users",
|
||||
"project_quotas:get": "rule:service_admin",
|
||||
"project_quotas:put": "rule:service_admin",
|
||||
"project_quotas:delete": "rule:service_admin",
|
||||
"secret_meta:get": "rule:all_but_audit",
|
||||
"secret_meta:post": "rule:admin_or_creator",
|
||||
"secret_meta:put": "rule:admin_or_creator",
|
||||
"secret_meta:delete": "rule:admin_or_creator",
|
||||
"secretstores:get": "rule:admin",
|
||||
"secretstores:get_global_default": "rule:admin",
|
||||
"secretstores:get_preferred": "rule:admin",
|
||||
"secretstore_preferred:post": "rule:admin",
|
||||
"secretstore_preferred:delete": "rule:admin",
|
||||
"secretstore:get": "rule:admin"
|
||||
}
|
@ -172,8 +172,101 @@ conf:
|
||||
override:
|
||||
append:
|
||||
policy:
|
||||
override:
|
||||
append:
|
||||
admin: role:admin
|
||||
observer: role:observer
|
||||
creator: role:creator
|
||||
audit: role:audit
|
||||
service_admin: role:key-manager:service-admin
|
||||
admin_or_user_does_not_work: project_id:%(project_id)s
|
||||
admin_or_user: rule:admin or project_id:%(project_id)s
|
||||
admin_or_creator: rule:admin or rule:creator
|
||||
all_but_audit: rule:admin or rule:observer or rule:creator
|
||||
all_users: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
|
||||
secret_project_match: project:%(target.secret.project_id)s
|
||||
secret_acl_read: "'read':%(target.secret.read)s"
|
||||
secret_private_read: "'False':%(target.secret.read_project_access)s"
|
||||
secret_creator_user: user:%(target.secret.creator_id)s
|
||||
container_project_match: project:%(target.container.project_id)s
|
||||
container_acl_read: "'read':%(target.container.read)s"
|
||||
container_private_read: "'False':%(target.container.read_project_access)s"
|
||||
container_creator_user: user:%(target.container.creator_id)s
|
||||
secret_non_private_read: rule:all_users and rule:secret_project_match and not rule:secret_private_read
|
||||
secret_decrypt_non_private_read: rule:all_but_audit and rule:secret_project_match
|
||||
and not rule:secret_private_read
|
||||
container_non_private_read: rule:all_users and rule:container_project_match and not
|
||||
rule:container_private_read
|
||||
secret_project_admin: rule:admin and rule:secret_project_match
|
||||
secret_project_creator: rule:creator and rule:secret_project_match and rule:secret_creator_user
|
||||
container_project_admin: rule:admin and rule:container_project_match
|
||||
container_project_creator: rule:creator and rule:container_project_match and rule:container_creator_user
|
||||
version:get: "@"
|
||||
secret:decrypt: rule:secret_decrypt_non_private_read or rule:secret_project_creator
|
||||
or rule:secret_project_admin or rule:secret_acl_read
|
||||
secret:get: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin
|
||||
or rule:secret_acl_read
|
||||
secret:put: rule:admin_or_creator and rule:secret_project_match
|
||||
secret:delete: rule:secret_project_admin or rule:secret_project_creator
|
||||
secrets:post: rule:admin_or_creator
|
||||
secrets:get: rule:all_but_audit
|
||||
orders:post: rule:admin_or_creator
|
||||
orders:get: rule:all_but_audit
|
||||
order:get: rule:all_users
|
||||
order:put: rule:admin_or_creator
|
||||
order:delete: rule:admin
|
||||
consumer:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
|
||||
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
|
||||
consumers:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
|
||||
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
|
||||
consumers:post: rule:admin or rule:container_non_private_read or rule:container_project_creator
|
||||
or rule:container_project_admin or rule:container_acl_read
|
||||
consumers:delete: rule:admin or rule:container_non_private_read or rule:container_project_creator
|
||||
or rule:container_project_admin or rule:container_acl_read
|
||||
containers:post: rule:admin_or_creator
|
||||
containers:get: rule:all_but_audit
|
||||
container:get: rule:container_non_private_read or rule:container_project_creator or
|
||||
rule:container_project_admin or rule:container_acl_read
|
||||
container:delete: rule:container_project_admin or rule:container_project_creator
|
||||
container_secret:post: rule:admin
|
||||
container_secret:delete: rule:admin
|
||||
transport_key:get: rule:all_users
|
||||
transport_key:delete: rule:admin
|
||||
transport_keys:get: rule:all_users
|
||||
transport_keys:post: rule:admin
|
||||
certificate_authorities:get_limited: rule:all_users
|
||||
certificate_authorities:get_all: rule:admin
|
||||
certificate_authorities:post: rule:admin
|
||||
certificate_authorities:get_preferred_ca: rule:all_users
|
||||
certificate_authorities:get_global_preferred_ca: rule:service_admin
|
||||
certificate_authorities:unset_global_preferred: rule:service_admin
|
||||
certificate_authority:delete: rule:admin
|
||||
certificate_authority:get: rule:all_users
|
||||
certificate_authority:get_cacert: rule:all_users
|
||||
certificate_authority:get_ca_cert_chain: rule:all_users
|
||||
certificate_authority:get_projects: rule:service_admin
|
||||
certificate_authority:add_to_project: rule:admin
|
||||
certificate_authority:remove_from_project: rule:admin
|
||||
certificate_authority:set_preferred: rule:admin
|
||||
certificate_authority:set_global_preferred: rule:service_admin
|
||||
secret_acls:put_patch: rule:secret_project_admin or rule:secret_project_creator
|
||||
secret_acls:delete: rule:secret_project_admin or rule:secret_project_creator
|
||||
secret_acls:get: rule:all_but_audit and rule:secret_project_match
|
||||
container_acls:put_patch: rule:container_project_admin or rule:container_project_creator
|
||||
container_acls:delete: rule:container_project_admin or rule:container_project_creator
|
||||
container_acls:get: rule:all_but_audit and rule:container_project_match
|
||||
quotas:get: rule:all_users
|
||||
project_quotas:get: rule:service_admin
|
||||
project_quotas:put: rule:service_admin
|
||||
project_quotas:delete: rule:service_admin
|
||||
secret_meta:get: rule:all_but_audit
|
||||
secret_meta:post: rule:admin_or_creator
|
||||
secret_meta:put: rule:admin_or_creator
|
||||
secret_meta:delete: rule:admin_or_creator
|
||||
secretstores:get: rule:admin
|
||||
secretstores:get_global_default: rule:admin
|
||||
secretstores:get_preferred: rule:admin
|
||||
secretstore_preferred:post: rule:admin
|
||||
secretstore_preferred:delete: rule:admin
|
||||
secretstore:get: rule:admin
|
||||
audit_map:
|
||||
override:
|
||||
append:
|
||||
|
@ -135,5 +135,5 @@ data:
|
||||
glance-registry-paste.ini: |+
|
||||
{{- tuple .Values.conf.paste_registry "etc/_glance-registry-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
policy.json: |+
|
||||
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{ toJson .Values.conf.policy | indent 4 }}
|
||||
{{- end }}
|
||||
|
@ -1,61 +0,0 @@
|
||||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"default": "role:admin",
|
||||
|
||||
"add_image": "",
|
||||
"delete_image": "",
|
||||
"get_image": "",
|
||||
"get_images": "",
|
||||
"modify_image": "",
|
||||
"publicize_image": "role:admin",
|
||||
"copy_from": "",
|
||||
|
||||
"download_image": "",
|
||||
"upload_image": "",
|
||||
|
||||
"delete_image_location": "",
|
||||
"get_image_location": "",
|
||||
"set_image_location": "",
|
||||
|
||||
"add_member": "",
|
||||
"delete_member": "",
|
||||
"get_member": "",
|
||||
"get_members": "",
|
||||
"modify_member": "",
|
||||
|
||||
"manage_image_cache": "role:admin",
|
||||
|
||||
"get_task": "role:admin",
|
||||
"get_tasks": "role:admin",
|
||||
"add_task": "role:admin",
|
||||
"modify_task": "role:admin",
|
||||
|
||||
"deactivate": "",
|
||||
"reactivate": "",
|
||||
|
||||
"get_metadef_namespace": "",
|
||||
"get_metadef_namespaces":"",
|
||||
"modify_metadef_namespace":"",
|
||||
"add_metadef_namespace":"",
|
||||
|
||||
"get_metadef_object":"",
|
||||
"get_metadef_objects":"",
|
||||
"modify_metadef_object":"",
|
||||
"add_metadef_object":"",
|
||||
|
||||
"list_metadef_resource_types":"",
|
||||
"get_metadef_resource_type":"",
|
||||
"add_metadef_resource_type_association":"",
|
||||
|
||||
"get_metadef_property":"",
|
||||
"get_metadef_properties":"",
|
||||
"modify_metadef_property":"",
|
||||
"add_metadef_property":"",
|
||||
|
||||
"get_metadef_tag":"",
|
||||
"get_metadef_tags":"",
|
||||
"modify_metadef_tag":"",
|
||||
"add_metadef_tag":"",
|
||||
"add_metadef_tags":""
|
||||
|
||||
}
|
@ -76,8 +76,52 @@ conf:
|
||||
override:
|
||||
append:
|
||||
policy:
|
||||
override:
|
||||
append:
|
||||
context_is_admin: role:admin
|
||||
default: role:admin
|
||||
add_image: ''
|
||||
delete_image: ''
|
||||
get_image: ''
|
||||
get_images: ''
|
||||
modify_image: ''
|
||||
publicize_image: role:admin
|
||||
copy_from: ''
|
||||
download_image: ''
|
||||
upload_image: ''
|
||||
delete_image_location: ''
|
||||
get_image_location: ''
|
||||
set_image_location: ''
|
||||
add_member: ''
|
||||
delete_member: ''
|
||||
get_member: ''
|
||||
get_members: ''
|
||||
modify_member: ''
|
||||
manage_image_cache: role:admin
|
||||
get_task: role:admin
|
||||
get_tasks: role:admin
|
||||
add_task: role:admin
|
||||
modify_task: role:admin
|
||||
deactivate: ''
|
||||
reactivate: ''
|
||||
get_metadef_namespace: ''
|
||||
get_metadef_namespaces: ''
|
||||
modify_metadef_namespace: ''
|
||||
add_metadef_namespace: ''
|
||||
get_metadef_object: ''
|
||||
get_metadef_objects: ''
|
||||
modify_metadef_object: ''
|
||||
add_metadef_object: ''
|
||||
list_metadef_resource_types: ''
|
||||
get_metadef_resource_type: ''
|
||||
add_metadef_resource_type_association: ''
|
||||
get_metadef_property: ''
|
||||
get_metadef_properties: ''
|
||||
modify_metadef_property: ''
|
||||
add_metadef_property: ''
|
||||
get_metadef_tag: ''
|
||||
get_metadef_tags: ''
|
||||
modify_metadef_tag: ''
|
||||
add_metadef_tag: ''
|
||||
add_metadef_tags: ''
|
||||
glance:
|
||||
override:
|
||||
append:
|
||||
|
@ -123,5 +123,5 @@ data:
|
||||
api-paste.ini: |+
|
||||
{{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
policy.json: |+
|
||||
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{ toJson .Values.conf.policy | indent 4 }}
|
||||
{{- end }}
|
||||
|
@ -1,96 +0,0 @@
|
||||
{
|
||||
"context_is_admin": "role:admin and is_admin_project:True",
|
||||
"project_admin": "role:admin",
|
||||
"deny_stack_user": "not role:heat_stack_user",
|
||||
"deny_everybody": "!",
|
||||
|
||||
"cloudformation:ListStacks": "rule:deny_stack_user",
|
||||
"cloudformation:CreateStack": "rule:deny_stack_user",
|
||||
"cloudformation:DescribeStacks": "rule:deny_stack_user",
|
||||
"cloudformation:DeleteStack": "rule:deny_stack_user",
|
||||
"cloudformation:UpdateStack": "rule:deny_stack_user",
|
||||
"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
|
||||
"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
|
||||
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
|
||||
"cloudformation:GetTemplate": "rule:deny_stack_user",
|
||||
"cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
|
||||
"cloudformation:DescribeStackResource": "",
|
||||
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
|
||||
"cloudformation:ListStackResources": "rule:deny_stack_user",
|
||||
|
||||
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
|
||||
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
|
||||
"cloudwatch:DescribeAlarms": "rule:deny_stack_user",
|
||||
"cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
|
||||
"cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
|
||||
"cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
|
||||
"cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
|
||||
"cloudwatch:ListMetrics": "rule:deny_stack_user",
|
||||
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
|
||||
"cloudwatch:PutMetricData": "",
|
||||
"cloudwatch:SetAlarmState": "rule:deny_stack_user",
|
||||
|
||||
"actions:action": "rule:deny_stack_user",
|
||||
"build_info:build_info": "rule:deny_stack_user",
|
||||
"events:index": "rule:deny_stack_user",
|
||||
"events:show": "rule:deny_stack_user",
|
||||
"resource:index": "rule:deny_stack_user",
|
||||
"resource:metadata": "",
|
||||
"resource:signal": "",
|
||||
"resource:mark_unhealthy": "rule:deny_stack_user",
|
||||
"resource:show": "rule:deny_stack_user",
|
||||
"stacks:abandon": "rule:deny_stack_user",
|
||||
"stacks:create": "rule:deny_stack_user",
|
||||
"stacks:delete": "rule:deny_stack_user",
|
||||
"stacks:detail": "rule:deny_stack_user",
|
||||
"stacks:export": "rule:deny_stack_user",
|
||||
"stacks:generate_template": "rule:deny_stack_user",
|
||||
"stacks:global_index": "rule:deny_everybody",
|
||||
"stacks:index": "rule:deny_stack_user",
|
||||
"stacks:list_resource_types": "rule:deny_stack_user",
|
||||
"stacks:list_template_versions": "rule:deny_stack_user",
|
||||
"stacks:list_template_functions": "rule:deny_stack_user",
|
||||
"stacks:lookup": "",
|
||||
"stacks:preview": "rule:deny_stack_user",
|
||||
"stacks:resource_schema": "rule:deny_stack_user",
|
||||
"stacks:show": "rule:deny_stack_user",
|
||||
"stacks:template": "rule:deny_stack_user",
|
||||
"stacks:environment": "rule:deny_stack_user",
|
||||
"stacks:files": "rule:deny_stack_user",
|
||||
"stacks:update": "rule:deny_stack_user",
|
||||
"stacks:update_patch": "rule:deny_stack_user",
|
||||
"stacks:preview_update": "rule:deny_stack_user",
|
||||
"stacks:preview_update_patch": "rule:deny_stack_user",
|
||||
"stacks:validate_template": "rule:deny_stack_user",
|
||||
"stacks:snapshot": "rule:deny_stack_user",
|
||||
"stacks:show_snapshot": "rule:deny_stack_user",
|
||||
"stacks:delete_snapshot": "rule:deny_stack_user",
|
||||
"stacks:list_snapshots": "rule:deny_stack_user",
|
||||
"stacks:restore_snapshot": "rule:deny_stack_user",
|
||||
"stacks:list_outputs": "rule:deny_stack_user",
|
||||
"stacks:show_output": "rule:deny_stack_user",
|
||||
|
||||
"software_configs:global_index": "rule:deny_everybody",
|
||||
"software_configs:index": "rule:deny_stack_user",
|
||||
"software_configs:create": "rule:deny_stack_user",
|
||||
"software_configs:show": "rule:deny_stack_user",
|
||||
"software_configs:delete": "rule:deny_stack_user",
|
||||
"software_deployments:index": "rule:deny_stack_user",
|
||||
"software_deployments:create": "rule:deny_stack_user",
|
||||
"software_deployments:show": "rule:deny_stack_user",
|
||||
"software_deployments:update": "rule:deny_stack_user",
|
||||
"software_deployments:delete": "rule:deny_stack_user",
|
||||
"software_deployments:metadata": "",
|
||||
|
||||
"service:index": "rule:context_is_admin",
|
||||
|
||||
"resource_types:OS::Nova::Flavor": "rule:project_admin",
|
||||
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin",
|
||||
"resource_types:OS::Cinder::VolumeType": "rule:project_admin",
|
||||
"resource_types:OS::Cinder::Quota": "rule:project_admin",
|
||||
"resource_types:OS::Manila::ShareType": "rule:project_admin",
|
||||
"resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
|
||||
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
|
||||
"resource_types:OS::Nova::HostAggregate": "rule:project_admin",
|
||||
"resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
|
||||
}
|
@ -42,8 +42,94 @@ conf:
|
||||
override:
|
||||
append:
|
||||
policy:
|
||||
override:
|
||||
append:
|
||||
context_is_admin: role:admin and is_admin_project:True
|
||||
project_admin: role:admin
|
||||
deny_stack_user: not role:heat_stack_user
|
||||
deny_everybody: "!"
|
||||
cloudformation:ListStacks: rule:deny_stack_user
|
||||
cloudformation:CreateStack: rule:deny_stack_user
|
||||
cloudformation:DescribeStacks: rule:deny_stack_user
|
||||
cloudformation:DeleteStack: rule:deny_stack_user
|
||||
cloudformation:UpdateStack: rule:deny_stack_user
|
||||
cloudformation:CancelUpdateStack: rule:deny_stack_user
|
||||
cloudformation:DescribeStackEvents: rule:deny_stack_user
|
||||
cloudformation:ValidateTemplate: rule:deny_stack_user
|
||||
cloudformation:GetTemplate: rule:deny_stack_user
|
||||
cloudformation:EstimateTemplateCost: rule:deny_stack_user
|
||||
cloudformation:DescribeStackResource: ''
|
||||
cloudformation:DescribeStackResources: rule:deny_stack_user
|
||||
cloudformation:ListStackResources: rule:deny_stack_user
|
||||
cloudwatch:DeleteAlarms: rule:deny_stack_user
|
||||
cloudwatch:DescribeAlarmHistory: rule:deny_stack_user
|
||||
cloudwatch:DescribeAlarms: rule:deny_stack_user
|
||||
cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user
|
||||
cloudwatch:DisableAlarmActions: rule:deny_stack_user
|
||||
cloudwatch:EnableAlarmActions: rule:deny_stack_user
|
||||
cloudwatch:GetMetricStatistics: rule:deny_stack_user
|
||||
cloudwatch:ListMetrics: rule:deny_stack_user
|
||||
cloudwatch:PutMetricAlarm: rule:deny_stack_user
|
||||
cloudwatch:PutMetricData: ''
|
||||
cloudwatch:SetAlarmState: rule:deny_stack_user
|
||||
actions:action: rule:deny_stack_user
|
||||
build_info:build_info: rule:deny_stack_user
|
||||
events:index: rule:deny_stack_user
|
||||
events:show: rule:deny_stack_user
|
||||
resource:index: rule:deny_stack_user
|
||||
resource:metadata: ''
|
||||
resource:signal: ''
|
||||
resource:mark_unhealthy: rule:deny_stack_user
|
||||
resource:show: rule:deny_stack_user
|
||||
stacks:abandon: rule:deny_stack_user
|
||||
stacks:create: rule:deny_stack_user
|
||||
stacks:delete: rule:deny_stack_user
|
||||
stacks:detail: rule:deny_stack_user
|
||||
stacks:export: rule:deny_stack_user
|
||||
stacks:generate_template: rule:deny_stack_user
|
||||
stacks:global_index: rule:deny_everybody
|
||||
stacks:index: rule:deny_stack_user
|
||||
stacks:list_resource_types: rule:deny_stack_user
|
||||
stacks:list_template_versions: rule:deny_stack_user
|
||||
stacks:list_template_functions: rule:deny_stack_user
|
||||
stacks:lookup: ''
|
||||
stacks:preview: rule:deny_stack_user
|
||||
stacks:resource_schema: rule:deny_stack_user
|
||||
stacks:show: rule:deny_stack_user
|
||||
stacks:template: rule:deny_stack_user
|
||||
stacks:environment: rule:deny_stack_user
|
||||
stacks:files: rule:deny_stack_user
|
||||
stacks:update: rule:deny_stack_user
|
||||
stacks:update_patch: rule:deny_stack_user
|
||||
stacks:preview_update: rule:deny_stack_user
|
||||
stacks:preview_update_patch: rule:deny_stack_user
|
||||
stacks:validate_template: rule:deny_stack_user
|
||||
stacks:snapshot: rule:deny_stack_user
|
||||
stacks:show_snapshot: rule:deny_stack_user
|
||||
stacks:delete_snapshot: rule:deny_stack_user
|
||||
stacks:list_snapshots: rule:deny_stack_user
|
||||
stacks:restore_snapshot: rule:deny_stack_user
|
||||
stacks:list_outputs: rule:deny_stack_user
|
||||
stacks:show_output: rule:deny_stack_user
|
||||
software_configs:global_index: rule:deny_everybody
|
||||
software_configs:index: rule:deny_stack_user
|
||||
software_configs:create: rule:deny_stack_user
|
||||
software_configs:show: rule:deny_stack_user
|
||||
software_configs:delete: rule:deny_stack_user
|
||||
software_deployments:index: rule:deny_stack_user
|
||||
software_deployments:create: rule:deny_stack_user
|
||||
software_deployments:show: rule:deny_stack_user
|
||||
software_deployments:update: rule:deny_stack_user
|
||||
software_deployments:delete: rule:deny_stack_user
|
||||
software_deployments:metadata: ''
|
||||
service:index: rule:context_is_admin
|
||||
resource_types:OS::Nova::Flavor: rule:project_admin
|
||||
resource_types:OS::Cinder::EncryptedVolumeType: rule:project_admin
|
||||
resource_types:OS::Cinder::VolumeType: rule:project_admin
|
||||
resource_types:OS::Cinder::Quota: rule:project_admin
|
||||
resource_types:OS::Manila::ShareType: rule:project_admin
|
||||
resource_types:OS::Neutron::QoSPolicy: rule:project_admin
|
||||
resource_types:OS::Neutron::QoSBandwidthLimitRule: rule:project_admin
|
||||
resource_types:OS::Nova::HostAggregate: rule:project_admin
|
||||
resource_types:OS::Cinder::QoSSpecs: rule:project_admin
|
||||
heat:
|
||||
override:
|
||||
append:
|
||||
|
@ -44,7 +44,7 @@ data:
|
||||
keystone-paste.ini: |+
|
||||
{{- tuple .Values.conf.paste "etc/_keystone-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
policy.json: |+
|
||||
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{ toJson .Values.conf.policy | indent 4 }}
|
||||
mpm_event.conf: |+
|
||||
{{- tuple .Values.conf.mpm_event "etc/_mpm_event.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
wsgi-keystone.conf: |+
|
||||
|
@ -1,199 +0,0 @@
|
||||
{
|
||||
"admin_required": "role:admin or is_admin:1",
|
||||
"service_role": "role:service",
|
||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||
"owner" : "user_id:%(user_id)s",
|
||||
"admin_or_owner": "rule:admin_required or rule:owner",
|
||||
"token_subject": "user_id:%(target.token.user_id)s",
|
||||
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
|
||||
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
"identity:get_region": "",
|
||||
"identity:list_regions": "",
|
||||
"identity:create_region": "rule:admin_required",
|
||||
"identity:update_region": "rule:admin_required",
|
||||
"identity:delete_region": "rule:admin_required",
|
||||
|
||||
"identity:get_service": "rule:admin_required",
|
||||
"identity:list_services": "rule:admin_required",
|
||||
"identity:create_service": "rule:admin_required",
|
||||
"identity:update_service": "rule:admin_required",
|
||||
"identity:delete_service": "rule:admin_required",
|
||||
|
||||
"identity:get_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints": "rule:admin_required",
|
||||
"identity:create_endpoint": "rule:admin_required",
|
||||
"identity:update_endpoint": "rule:admin_required",
|
||||
"identity:delete_endpoint": "rule:admin_required",
|
||||
|
||||
"identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
|
||||
"identity:list_domains": "rule:admin_required",
|
||||
"identity:create_domain": "rule:admin_required",
|
||||
"identity:update_domain": "rule:admin_required",
|
||||
"identity:delete_domain": "rule:admin_required",
|
||||
|
||||
"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
|
||||
"identity:list_projects": "rule:admin_required",
|
||||
"identity:list_user_projects": "rule:admin_or_owner",
|
||||
"identity:create_project": "rule:admin_required",
|
||||
"identity:update_project": "rule:admin_required",
|
||||
"identity:delete_project": "rule:admin_required",
|
||||
|
||||
"identity:get_user": "rule:admin_or_owner",
|
||||
"identity:list_users": "rule:admin_required",
|
||||
"identity:create_user": "rule:admin_required",
|
||||
"identity:update_user": "rule:admin_required",
|
||||
"identity:delete_user": "rule:admin_required",
|
||||
"identity:change_password": "rule:admin_or_owner",
|
||||
|
||||
"identity:get_group": "rule:admin_required",
|
||||
"identity:list_groups": "rule:admin_required",
|
||||
"identity:list_groups_for_user": "rule:admin_or_owner",
|
||||
"identity:create_group": "rule:admin_required",
|
||||
"identity:update_group": "rule:admin_required",
|
||||
"identity:delete_group": "rule:admin_required",
|
||||
"identity:list_users_in_group": "rule:admin_required",
|
||||
"identity:remove_user_from_group": "rule:admin_required",
|
||||
"identity:check_user_in_group": "rule:admin_required",
|
||||
"identity:add_user_to_group": "rule:admin_required",
|
||||
|
||||
"identity:get_credential": "rule:admin_required",
|
||||
"identity:list_credentials": "rule:admin_required",
|
||||
"identity:create_credential": "rule:admin_required",
|
||||
"identity:update_credential": "rule:admin_required",
|
||||
"identity:delete_credential": "rule:admin_required",
|
||||
|
||||
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
"identity:ec2_list_credentials": "rule:admin_or_owner",
|
||||
"identity:ec2_create_credential": "rule:admin_or_owner",
|
||||
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
|
||||
"identity:get_role": "rule:admin_required",
|
||||
"identity:list_roles": "rule:admin_required",
|
||||
"identity:create_role": "rule:admin_required",
|
||||
"identity:update_role": "rule:admin_required",
|
||||
"identity:delete_role": "rule:admin_required",
|
||||
"identity:get_domain_role": "rule:admin_required",
|
||||
"identity:list_domain_roles": "rule:admin_required",
|
||||
"identity:create_domain_role": "rule:admin_required",
|
||||
"identity:update_domain_role": "rule:admin_required",
|
||||
"identity:delete_domain_role": "rule:admin_required",
|
||||
|
||||
"identity:get_implied_role": "rule:admin_required ",
|
||||
"identity:list_implied_roles": "rule:admin_required",
|
||||
"identity:create_implied_role": "rule:admin_required",
|
||||
"identity:delete_implied_role": "rule:admin_required",
|
||||
"identity:list_role_inference_rules": "rule:admin_required",
|
||||
"identity:check_implied_role": "rule:admin_required",
|
||||
|
||||
"identity:check_grant": "rule:admin_required",
|
||||
"identity:list_grants": "rule:admin_required",
|
||||
"identity:create_grant": "rule:admin_required",
|
||||
"identity:revoke_grant": "rule:admin_required",
|
||||
|
||||
"identity:list_role_assignments": "rule:admin_required",
|
||||
"identity:list_role_assignments_for_tree": "rule:admin_required",
|
||||
|
||||
"identity:get_policy": "rule:admin_required",
|
||||
"identity:list_policies": "rule:admin_required",
|
||||
"identity:create_policy": "rule:admin_required",
|
||||
"identity:update_policy": "rule:admin_required",
|
||||
"identity:delete_policy": "rule:admin_required",
|
||||
|
||||
"identity:check_token": "rule:admin_or_token_subject",
|
||||
"identity:validate_token": "rule:service_admin_or_token_subject",
|
||||
"identity:validate_token_head": "rule:service_or_admin",
|
||||
"identity:revocation_list": "rule:service_or_admin",
|
||||
"identity:revoke_token": "rule:admin_or_token_subject",
|
||||
|
||||
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
||||
"identity:list_trusts": "",
|
||||
"identity:list_roles_for_trust": "",
|
||||
"identity:get_role_for_trust": "",
|
||||
"identity:delete_trust": "",
|
||||
|
||||
"identity:create_consumer": "rule:admin_required",
|
||||
"identity:get_consumer": "rule:admin_required",
|
||||
"identity:list_consumers": "rule:admin_required",
|
||||
"identity:delete_consumer": "rule:admin_required",
|
||||
"identity:update_consumer": "rule:admin_required",
|
||||
|
||||
"identity:authorize_request_token": "rule:admin_required",
|
||||
"identity:list_access_token_roles": "rule:admin_required",
|
||||
"identity:get_access_token_role": "rule:admin_required",
|
||||
"identity:list_access_tokens": "rule:admin_required",
|
||||
"identity:get_access_token": "rule:admin_required",
|
||||
"identity:delete_access_token": "rule:admin_required",
|
||||
|
||||
"identity:list_projects_for_endpoint": "rule:admin_required",
|
||||
"identity:add_endpoint_to_project": "rule:admin_required",
|
||||
"identity:check_endpoint_in_project": "rule:admin_required",
|
||||
"identity:list_endpoints_for_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_from_project": "rule:admin_required",
|
||||
|
||||
"identity:create_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoint_groups": "rule:admin_required",
|
||||
"identity:get_endpoint_group": "rule:admin_required",
|
||||
"identity:update_endpoint_group": "rule:admin_required",
|
||||
"identity:delete_endpoint_group": "rule:admin_required",
|
||||
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
|
||||
"identity:get_endpoint_group_in_project": "rule:admin_required",
|
||||
"identity:list_endpoint_groups_for_project": "rule:admin_required",
|
||||
"identity:add_endpoint_group_to_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|
||||
|
||||
"identity:create_identity_provider": "rule:admin_required",
|
||||
"identity:list_identity_providers": "rule:admin_required",
|
||||
"identity:get_identity_providers": "rule:admin_required",
|
||||
"identity:update_identity_provider": "rule:admin_required",
|
||||
"identity:delete_identity_provider": "rule:admin_required",
|
||||
|
||||
"identity:create_protocol": "rule:admin_required",
|
||||
"identity:update_protocol": "rule:admin_required",
|
||||
"identity:get_protocol": "rule:admin_required",
|
||||
"identity:list_protocols": "rule:admin_required",
|
||||
"identity:delete_protocol": "rule:admin_required",
|
||||
|
||||
"identity:create_mapping": "rule:admin_required",
|
||||
"identity:get_mapping": "rule:admin_required",
|
||||
"identity:list_mappings": "rule:admin_required",
|
||||
"identity:delete_mapping": "rule:admin_required",
|
||||
"identity:update_mapping": "rule:admin_required",
|
||||
|
||||
"identity:create_service_provider": "rule:admin_required",
|
||||
"identity:list_service_providers": "rule:admin_required",
|
||||
"identity:get_service_provider": "rule:admin_required",
|
||||
"identity:update_service_provider": "rule:admin_required",
|
||||
"identity:delete_service_provider": "rule:admin_required",
|
||||
|
||||
"identity:get_auth_catalog": "",
|
||||
"identity:get_auth_projects": "",
|
||||
"identity:get_auth_domains": "",
|
||||
|
||||
"identity:list_projects_for_user": "",
|
||||
"identity:list_domains_for_user": "",
|
||||
|
||||
"identity:list_revoke_events": "",
|
||||
|
||||
"identity:create_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:check_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:create_policy_association_for_service": "rule:admin_required",
|
||||
"identity:check_policy_association_for_service": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_service": "rule:admin_required",
|
||||
"identity:create_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:check_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:get_policy_for_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints_for_policy": "rule:admin_required",
|
||||
|
||||
"identity:create_domain_config": "rule:admin_required",
|
||||
"identity:get_domain_config": "rule:admin_required",
|
||||
"identity:update_domain_config": "rule:admin_required",
|
||||
"identity:delete_domain_config": "rule:admin_required",
|
||||
"identity:get_domain_config_default": "rule:admin_required"
|
||||
|
||||
}
|
@ -248,8 +248,172 @@ conf:
|
||||
override:
|
||||
append:
|
||||
policy:
|
||||
override:
|
||||
append:
|
||||
admin_required: role:admin or is_admin:1
|
||||
service_role: role:service
|
||||
service_or_admin: rule:admin_required or rule:service_role
|
||||
owner: user_id:%(user_id)s
|
||||
admin_or_owner: rule:admin_required or rule:owner
|
||||
token_subject: user_id:%(target.token.user_id)s
|
||||
admin_or_token_subject: rule:admin_required or rule:token_subject
|
||||
service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
|
||||
default: rule:admin_required
|
||||
identity:get_region: ''
|
||||
identity:list_regions: ''
|
||||
identity:create_region: rule:admin_required
|
||||
identity:update_region: rule:admin_required
|
||||
identity:delete_region: rule:admin_required
|
||||
identity:get_service: rule:admin_required
|
||||
identity:list_services: rule:admin_required
|
||||
identity:create_service: rule:admin_required
|
||||
identity:update_service: rule:admin_required
|
||||
identity:delete_service: rule:admin_required
|
||||
identity:get_endpoint: rule:admin_required
|
||||
identity:list_endpoints: rule:admin_required
|
||||
identity:create_endpoint: rule:admin_required
|
||||
identity:update_endpoint: rule:admin_required
|
||||
identity:delete_endpoint: rule:admin_required
|
||||
identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s
|
||||
identity:list_domains: rule:admin_required
|
||||
identity:create_domain: rule:admin_required
|
||||
identity:update_domain: rule:admin_required
|
||||
identity:delete_domain: rule:admin_required
|
||||
identity:get_project: rule:admin_required or project_id:%(target.project.id)s
|
||||
identity:list_projects: rule:admin_required
|
||||
identity:list_user_projects: rule:admin_or_owner
|
||||
identity:create_project: rule:admin_required
|
||||
identity:update_project: rule:admin_required
|
||||
identity:delete_project: rule:admin_required
|
||||
identity:get_user: rule:admin_or_owner
|
||||
identity:list_users: rule:admin_required
|
||||
identity:create_user: rule:admin_required
|
||||
identity:update_user: rule:admin_required
|
||||
identity:delete_user: rule:admin_required
|
||||
identity:change_password: rule:admin_or_owner
|
||||
identity:get_group: rule:admin_required
|
||||
identity:list_groups: rule:admin_required
|
||||
identity:list_groups_for_user: rule:admin_or_owner
|
||||
identity:create_group: rule:admin_required
|
||||
identity:update_group: rule:admin_required
|
||||
identity:delete_group: rule:admin_required
|
||||
identity:list_users_in_group: rule:admin_required
|
||||
identity:remove_user_from_group: rule:admin_required
|
||||
identity:check_user_in_group: rule:admin_required
|
||||
identity:add_user_to_group: rule:admin_required
|
||||
identity:get_credential: rule:admin_required
|
||||
identity:list_credentials: rule:admin_required
|
||||
identity:create_credential: rule:admin_required
|
||||
identity:update_credential: rule:admin_required
|
||||
identity:delete_credential: rule:admin_required
|
||||
identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
||||
identity:ec2_list_credentials: rule:admin_or_owner
|
||||
identity:ec2_create_credential: rule:admin_or_owner
|
||||
identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
||||
identity:get_role: rule:admin_required
|
||||
identity:list_roles: rule:admin_required
|
||||
identity:create_role: rule:admin_required
|
||||
identity:update_role: rule:admin_required
|
||||
identity:delete_role: rule:admin_required
|
||||
identity:get_domain_role: rule:admin_required
|
||||
identity:list_domain_roles: rule:admin_required
|
||||
identity:create_domain_role: rule:admin_required
|
||||
identity:update_domain_role: rule:admin_required
|
||||
identity:delete_domain_role: rule:admin_required
|
||||
identity:get_implied_role: 'rule:admin_required '
|
||||
identity:list_implied_roles: rule:admin_required
|
||||
identity:create_implied_role: rule:admin_required
|
||||
identity:delete_implied_role: rule:admin_required
|
||||
identity:list_role_inference_rules: rule:admin_required
|
||||
identity:check_implied_role: rule:admin_required
|
||||
identity:check_grant: rule:admin_required
|
||||
identity:list_grants: rule:admin_required
|
||||
identity:create_grant: rule:admin_required
|
||||
identity:revoke_grant: rule:admin_required
|
||||
identity:list_role_assignments: rule:admin_required
|
||||
identity:list_role_assignments_for_tree: rule:admin_required
|
||||
identity:get_policy: rule:admin_required
|
||||
identity:list_policies: rule:admin_required
|
||||
identity:create_policy: rule:admin_required
|
||||
identity:update_policy: rule:admin_required
|
||||
identity:delete_policy: rule:admin_required
|
||||
identity:check_token: rule:admin_or_token_subject
|
||||
identity:validate_token: rule:service_admin_or_token_subject
|
||||
identity:validate_token_head: rule:service_or_admin
|
||||
identity:revocation_list: rule:service_or_admin
|
||||
identity:revoke_token: rule:admin_or_token_subject
|
||||
identity:create_trust: user_id:%(trust.trustor_user_id)s
|
||||
identity:list_trusts: ''
|
||||
identity:list_roles_for_trust: ''
|
||||
identity:get_role_for_trust: ''
|
||||
identity:delete_trust: ''
|
||||
identity:create_consumer: rule:admin_required
|
||||
identity:get_consumer: rule:admin_required
|
||||
identity:list_consumers: rule:admin_required
|
||||
identity:delete_consumer: rule:admin_required
|
||||
identity:update_consumer: rule:admin_required
|
||||
identity:authorize_request_token: rule:admin_required
|
||||
identity:list_access_token_roles: rule:admin_required
|
||||
identity:get_access_token_role: rule:admin_required
|
||||
identity:list_access_tokens: rule:admin_required
|
||||
identity:get_access_token: rule:admin_required
|
||||
identity:delete_access_token: rule:admin_required
|
||||
identity:list_projects_for_endpoint: rule:admin_required
|
||||
identity:add_endpoint_to_project: rule:admin_required
|
||||
identity:check_endpoint_in_project: rule:admin_required
|
||||
identity:list_endpoints_for_project: rule:admin_required
|
||||
identity:remove_endpoint_from_project: rule:admin_required
|
||||
identity:create_endpoint_group: rule:admin_required
|
||||
identity:list_endpoint_groups: rule:admin_required
|
||||
identity:get_endpoint_group: rule:admin_required
|
||||
identity:update_endpoint_group: rule:admin_required
|
||||
identity:delete_endpoint_group: rule:admin_required
|
||||
identity:list_projects_associated_with_endpoint_group: rule:admin_required
|
||||
identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
|
||||
identity:get_endpoint_group_in_project: rule:admin_required
|
||||
identity:list_endpoint_groups_for_project: rule:admin_required
|
||||
identity:add_endpoint_group_to_project: rule:admin_required
|
||||
identity:remove_endpoint_group_from_project: rule:admin_required
|
||||
identity:create_identity_provider: rule:admin_required
|
||||
identity:list_identity_providers: rule:admin_required
|
||||
identity:get_identity_providers: rule:admin_required
|
||||
identity:update_identity_provider: rule:admin_required
|
||||
identity:delete_identity_provider: rule:admin_required
|
||||
identity:create_protocol: rule:admin_required
|
||||
identity:update_protocol: rule:admin_required
|
||||
identity:get_protocol: rule:admin_required
|
||||
identity:list_protocols: rule:admin_required
|
||||
identity:delete_protocol: rule:admin_required
|
||||
identity:create_mapping: rule:admin_required
|
||||
identity:get_mapping: rule:admin_required
|
||||
identity:list_mappings: rule:admin_required
|
||||
identity:delete_mapping: rule:admin_required
|
||||
identity:update_mapping: rule:admin_required
|
||||
identity:create_service_provider: rule:admin_required
|
||||
identity:list_service_providers: rule:admin_required
|
||||
identity:get_service_provider: rule:admin_required
|
||||
identity:update_service_provider: rule:admin_required
|
||||
identity:delete_service_provider: rule:admin_required
|
||||
identity:get_auth_catalog: ''
|
||||
identity:get_auth_projects: ''
|
||||
identity:get_auth_domains: ''
|
||||
identity:list_projects_for_user: ''
|
||||
identity:list_domains_for_user: ''
|
||||
identity:list_revoke_events: ''
|
||||
identity:create_policy_association_for_endpoint: rule:admin_required
|
||||
identity:check_policy_association_for_endpoint: rule:admin_required
|
||||
identity:delete_policy_association_for_endpoint: rule:admin_required
|
||||
identity:create_policy_association_for_service: rule:admin_required
|
||||
identity:check_policy_association_for_service: rule:admin_required
|
||||
identity:delete_policy_association_for_service: rule:admin_required
|
||||
identity:create_policy_association_for_region_and_service: rule:admin_required
|
||||
identity:check_policy_association_for_region_and_service: rule:admin_required
|
||||
identity:delete_policy_association_for_region_and_service: rule:admin_required
|
||||
identity:get_policy_for_endpoint: rule:admin_required
|
||||
identity:list_endpoints_for_policy: rule:admin_required
|
||||
identity:create_domain_config: rule:admin_required
|
||||
identity:get_domain_config: rule:admin_required
|
||||
identity:update_domain_config: rule:admin_required
|
||||
identity:delete_domain_config: rule:admin_required
|
||||
identity:get_domain_config_default: rule:admin_required
|
||||
mpm_event:
|
||||
override:
|
||||
append:
|
||||
|
@ -75,5 +75,5 @@ data:
|
||||
api-paste.ini: |+
|
||||
{{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
policy.json: |+
|
||||
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{ toJson .Values.conf.policy | indent 4 }}
|
||||
{{- end }}
|
||||
|
@ -1,51 +0,0 @@
|
||||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
"admin_api": "rule:context_is_admin",
|
||||
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
|
||||
"cluster_user": "user_id:%(trustee_user_id)s",
|
||||
"deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
|
||||
|
||||
"bay:create": "rule:deny_cluster_user",
|
||||
"bay:delete": "rule:deny_cluster_user",
|
||||
"bay:detail": "rule:deny_cluster_user",
|
||||
"bay:get": "rule:deny_cluster_user",
|
||||
"bay:get_all": "rule:deny_cluster_user",
|
||||
"bay:update": "rule:deny_cluster_user",
|
||||
|
||||
"baymodel:create": "rule:deny_cluster_user",
|
||||
"baymodel:delete": "rule:deny_cluster_user",
|
||||
"baymodel:detail": "rule:deny_cluster_user",
|
||||
"baymodel:get": "rule:deny_cluster_user",
|
||||
"baymodel:get_all": "rule:deny_cluster_user",
|
||||
"baymodel:update": "rule:deny_cluster_user",
|
||||
"baymodel:publish": "rule:admin_or_owner",
|
||||
|
||||
"cluster:create": "rule:deny_cluster_user",
|
||||
"cluster:delete": "rule:deny_cluster_user",
|
||||
"cluster:detail": "rule:deny_cluster_user",
|
||||
"cluster:get": "rule:deny_cluster_user",
|
||||
"cluster:get_all": "rule:deny_cluster_user",
|
||||
"cluster:update": "rule:deny_cluster_user",
|
||||
|
||||
"clustertemplate:create": "rule:deny_cluster_user",
|
||||
"clustertemplate:delete": "rule:deny_cluster_user",
|
||||
"clustertemplate:detail": "rule:deny_cluster_user",
|
||||
"clustertemplate:get": "rule:deny_cluster_user",
|
||||
"clustertemplate:get_all": "rule:deny_cluster_user",
|
||||
"clustertemplate:update": "rule:deny_cluster_user",
|
||||
"clustertemplate:publish": "rule:admin_or_owner",
|
||||
|
||||
"rc:create": "rule:default",
|
||||
"rc:delete": "rule:default",
|
||||
"rc:detail": "rule:default",
|
||||
"rc:get": "rule:default",
|
||||
"rc:get_all": "rule:default",
|
||||
"rc:update": "rule:default",
|
||||
|
||||
"certificate:create": "rule:admin_or_user or rule:cluster_user",
|
||||
"certificate:get": "rule:admin_or_user or rule:cluster_user",
|
||||
|
||||
"magnum-service:get_all": "rule:admin_api"
|
||||
}
|
@ -40,8 +40,48 @@ conf:
|
||||
override:
|
||||
append:
|
||||
policy:
|
||||
override:
|
||||
append:
|
||||
context_is_admin: role:admin
|
||||
admin_or_owner: is_admin:True or project_id:%(project_id)s
|
||||
default: rule:admin_or_owner
|
||||
admin_api: rule:context_is_admin
|
||||
admin_or_user: is_admin:True or user_id:%(user_id)s
|
||||
cluster_user: user_id:%(trustee_user_id)s
|
||||
deny_cluster_user: not domain_id:%(trustee_domain_id)s
|
||||
bay:create: rule:deny_cluster_user
|
||||
bay:delete: rule:deny_cluster_user
|
||||
bay:detail: rule:deny_cluster_user
|
||||
bay:get: rule:deny_cluster_user
|
||||
bay:get_all: rule:deny_cluster_user
|
||||
bay:update: rule:deny_cluster_user
|
||||
baymodel:create: rule:deny_cluster_user
|
||||
baymodel:delete: rule:deny_cluster_user
|
||||
baymodel:detail: rule:deny_cluster_user
|
||||
baymodel:get: rule:deny_cluster_user
|
||||
baymodel:get_all: rule:deny_cluster_user
|
||||
baymodel:update: rule:deny_cluster_user
|
||||
baymodel:publish: rule:admin_or_owner
|
||||
cluster:create: rule:deny_cluster_user
|
||||
cluster:delete: rule:deny_cluster_user
|
||||
cluster:detail: rule:deny_cluster_user
|
||||
cluster:get: rule:deny_cluster_user
|
||||
cluster:get_all: rule:deny_cluster_user
|
||||
cluster:update: rule:deny_cluster_user
|
||||
clustertemplate:create: rule:deny_cluster_user
|
||||
clustertemplate:delete: rule:deny_cluster_user
|
||||
clustertemplate:detail: rule:deny_cluster_user
|
||||
clustertemplate:get: rule:deny_cluster_user
|
||||
clustertemplate:get_all: rule:deny_cluster_user
|
||||
clustertemplate:update: rule:deny_cluster_user
|
||||
clustertemplate:publish: rule:admin_or_owner
|
||||
rc:create: rule:default
|
||||
rc:delete: rule:default
|
||||
rc:detail: rule:default
|
||||
rc:get: rule:default
|
||||
rc:get_all: rule:default
|
||||
rc:update: rule:default
|
||||
certificate:create: rule:admin_or_user or rule:cluster_user
|
||||
certificate:get: rule:admin_or_user or rule:cluster_user
|
||||
magnum-service:get_all: rule:admin_api
|
||||
magnum:
|
||||
override:
|
||||
append:
|
||||
|
@ -72,5 +72,5 @@ data:
|
||||
mistral.conf: |+
|
||||
{{- tuple .Values.conf.mistral "etc/_mistral.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
policy.json: |+
|
||||
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{ toJson .Values.conf.policy | indent 4 }}
|
||||
{{- end }}
|
||||
|
@ -1,65 +0,0 @@
|
||||
|
||||
{
|
||||
"admin_only": "is_admin:True",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"action_executions:delete": "rule:admin_or_owner",
|
||||
"action_execution:create": "rule:admin_or_owner",
|
||||
"action_executions:get": "rule:admin_or_owner",
|
||||
"action_executions:list": "rule:admin_or_owner",
|
||||
"action_executions:update": "rule:admin_or_owner",
|
||||
|
||||
"actions:create": "rule:admin_or_owner",
|
||||
"actions:delete": "rule:admin_or_owner",
|
||||
"actions:get": "rule:admin_or_owner",
|
||||
"actions:list": "rule:admin_or_owner",
|
||||
"actions:update": "rule:admin_or_owner",
|
||||
|
||||
"cron_triggers:create": "rule:admin_or_owner",
|
||||
"cron_triggers:delete": "rule:admin_or_owner",
|
||||
"cron_triggers:get": "rule:admin_or_owner",
|
||||
"cron_triggers:list": "rule:admin_or_owner",
|
||||
|
||||
"environments:create": "rule:admin_or_owner",
|
||||
"environments:delete": "rule:admin_or_owner",
|
||||
"environments:get": "rule:admin_or_owner",
|
||||
"environments:list": "rule:admin_or_owner",
|
||||
"environments:update": "rule:admin_or_owner",
|
||||
|
||||
"executions:create": "rule:admin_or_owner",
|
||||
"executions:delete": "rule:admin_or_owner",
|
||||
"executions:get": "rule:admin_or_owner",
|
||||
"executions:list": "rule:admin_or_owner",
|
||||
"executions:update": "rule:admin_or_owner",
|
||||
|
||||
"members:create": "rule:admin_or_owner",
|
||||
"members:delete": "rule:admin_or_owner",
|
||||
"members:get": "rule:admin_or_owner",
|
||||
"members:list": "rule:admin_or_owner",
|
||||
"members:update": "rule:admin_or_owner",
|
||||
|
||||
"services:list": "rule:admin_or_owner",
|
||||
|
||||
"tasks:get": "rule:admin_or_owner",
|
||||
"tasks:list": "rule:admin_or_owner",
|
||||
"tasks:update": "rule:admin_or_owner",
|
||||
|
||||
"workbooks:create": "rule:admin_or_owner",
|
||||
"workbooks:delete": "rule:admin_or_owner",
|
||||
"workbooks:get": "rule:admin_or_owner",
|
||||
"workbooks:list": "rule:admin_or_owner",
|
||||
"workbooks:update": "rule:admin_or_owner",
|
||||
|
||||
"workflows:create": "rule:admin_or_owner",
|
||||
"workflows:delete": "rule:admin_or_owner",
|
||||
"workflows:get": "rule:admin_or_owner",
|
||||
"workflows:list": "rule:admin_or_owner",
|
||||
"workflows:update": "rule:admin_or_owner",
|
||||
|
||||
"event_triggers:create": "rule:admin_or_owner",
|
||||
"event_triggers:delete": "rule:admin_or_owner",
|
||||
"event_triggers:get": "rule:admin_or_owner",
|
||||
"event_triggers:list": "rule:admin_or_owner",
|
||||
"event_triggers:update": "rule:admin_or_owner"
|
||||
}
|
@ -211,8 +211,57 @@ endpoints:
|
||||
|
||||
conf:
|
||||
policy:
|
||||
override:
|
||||
append:
|
||||
admin_only: is_admin:True
|
||||
admin_or_owner: is_admin:True or project_id:%(project_id)s
|
||||
default: rule:admin_or_owner
|
||||
action_executions:delete: rule:admin_or_owner
|
||||
action_execution:create: rule:admin_or_owner
|
||||
action_executions:get: rule:admin_or_owner
|
||||
action_executions:list: rule:admin_or_owner
|
||||
action_executions:update: rule:admin_or_owner
|
||||
actions:create: rule:admin_or_owner
|
||||
actions:delete: rule:admin_or_owner
|
||||
actions:get: rule:admin_or_owner
|
||||
actions:list: rule:admin_or_owner
|
||||
actions:update: rule:admin_or_owner
|
||||
cron_triggers:create: rule:admin_or_owner
|
||||
cron_triggers:delete: rule:admin_or_owner
|
||||
cron_triggers:get: rule:admin_or_owner
|
||||
cron_triggers:list: rule:admin_or_owner
|
||||
environments:create: rule:admin_or_owner
|
||||
environments:delete: rule:admin_or_owner
|
||||
environments:get: rule:admin_or_owner
|
||||
environments:list: rule:admin_or_owner
|
||||
environments:update: rule:admin_or_owner
|
||||
executions:create: rule:admin_or_owner
|
||||
executions:delete: rule:admin_or_owner
|
||||
executions:get: rule:admin_or_owner
|
||||
executions:list: rule:admin_or_owner
|
||||
executions:update: rule:admin_or_owner
|
||||
members:create: rule:admin_or_owner
|
||||
members:delete: rule:admin_or_owner
|
||||
members:get: rule:admin_or_owner
|
||||
members:list: rule:admin_or_owner
|
||||
members:update: rule:admin_or_owner
|
||||
services:list: rule:admin_or_owner
|
||||
tasks:get: rule:admin_or_owner
|
||||
tasks:list: rule:admin_or_owner
|
||||
tasks:update: rule:admin_or_owner
|
||||
workbooks:create: rule:admin_or_owner
|
||||
workbooks:delete: rule:admin_or_owner
|
||||
workbooks:get: rule:admin_or_owner
|
||||
workbooks:list: rule:admin_or_owner
|
||||
workbooks:update: rule:admin_or_owner
|
||||
workflows:create: rule:admin_or_owner
|
||||
workflows:delete: rule:admin_or_owner
|
||||
workflows:get: rule:admin_or_owner
|
||||
workflows:list: rule:admin_or_owner
|
||||
workflows:update: rule:admin_or_owner
|
||||
event_triggers:create: rule:admin_or_owner
|
||||
event_triggers:delete: rule:admin_or_owner
|
||||
event_triggers:get: rule:admin_or_owner
|
||||
event_triggers:list: rule:admin_or_owner
|
||||
event_triggers:update: rule:admin_or_owner
|
||||
mistral:
|
||||
override:
|
||||
append:
|
||||
|
@ -93,7 +93,7 @@ data:
|
||||
api-paste.ini: |+
|
||||
{{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
policy.json: |+
|
||||
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{ toJson .Values.conf.policy | indent 4 }}
|
||||
dhcp_agent.ini: |+
|
||||
{{- tuple .Values.conf.dhcp_agent "etc/_dhcp_agent.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
l3_agent.ini: |+
|
||||
|
@ -1,214 +0,0 @@
|
||||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"owner": "tenant_id:%(tenant_id)s",
|
||||
"admin_or_owner": "rule:context_is_admin or rule:owner",
|
||||
"context_is_advsvc": "role:advsvc",
|
||||
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
|
||||
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
|
||||
"admin_only": "rule:context_is_admin",
|
||||
"regular_user": "",
|
||||
"shared": "field:networks:shared=True",
|
||||
"shared_subnetpools": "field:subnetpools:shared=True",
|
||||
"shared_address_scopes": "field:address_scopes:shared=True",
|
||||
"external": "field:networks:router:external=True",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"create_subnet": "rule:admin_or_network_owner",
|
||||
"create_subnet:segment_id": "rule:admin_only",
|
||||
"create_subnet:service_types": "rule:admin_only",
|
||||
"get_subnet": "rule:admin_or_owner or rule:shared",
|
||||
"get_subnet:segment_id": "rule:admin_only",
|
||||
"update_subnet": "rule:admin_or_network_owner",
|
||||
"update_subnet:service_types": "rule:admin_only",
|
||||
"delete_subnet": "rule:admin_or_network_owner",
|
||||
|
||||
"create_subnetpool": "",
|
||||
"create_subnetpool:shared": "rule:admin_only",
|
||||
"create_subnetpool:is_default": "rule:admin_only",
|
||||
"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
|
||||
"update_subnetpool": "rule:admin_or_owner",
|
||||
"update_subnetpool:is_default": "rule:admin_only",
|
||||
"delete_subnetpool": "rule:admin_or_owner",
|
||||
|
||||
"create_address_scope": "",
|
||||
"create_address_scope:shared": "rule:admin_only",
|
||||
"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
|
||||
"update_address_scope": "rule:admin_or_owner",
|
||||
"update_address_scope:shared": "rule:admin_only",
|
||||
"delete_address_scope": "rule:admin_or_owner",
|
||||
|
||||
"create_network": "",
|
||||
"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
|
||||
"get_network:router:external": "rule:regular_user",
|
||||
"get_network:segments": "rule:admin_only",
|
||||
"get_network:provider:network_type": "rule:admin_only",
|
||||
"get_network:provider:physical_network": "rule:admin_only",
|
||||
"get_network:provider:segmentation_id": "rule:admin_only",
|
||||
"get_network:queue_id": "rule:admin_only",
|
||||
"get_network_ip_availabilities": "rule:admin_only",
|
||||
"get_network_ip_availability": "rule:admin_only",
|
||||
"create_network:shared": "rule:admin_only",
|
||||
"create_network:router:external": "rule:admin_only",
|
||||
"create_network:is_default": "rule:admin_only",
|
||||
"create_network:segments": "rule:admin_only",
|
||||
"create_network:provider:network_type": "rule:admin_only",
|
||||
"create_network:provider:physical_network": "rule:admin_only",
|
||||
"create_network:provider:segmentation_id": "rule:admin_only",
|
||||
"update_network": "rule:admin_or_owner",
|
||||
"update_network:segments": "rule:admin_only",
|
||||
"update_network:shared": "rule:admin_only",
|
||||
"update_network:provider:network_type": "rule:admin_only",
|
||||
"update_network:provider:physical_network": "rule:admin_only",
|
||||
"update_network:provider:segmentation_id": "rule:admin_only",
|
||||
"update_network:router:external": "rule:admin_only",
|
||||
"delete_network": "rule:admin_or_owner",
|
||||
|
||||
"create_segment": "rule:admin_only",
|
||||
"get_segment": "rule:admin_only",
|
||||
"update_segment": "rule:admin_only",
|
||||
"delete_segment": "rule:admin_only",
|
||||
|
||||
"network_device": "field:port:device_owner=~^network:",
|
||||
"create_port": "",
|
||||
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:binding:host_id": "rule:admin_only",
|
||||
"create_port:binding:profile": "rule:admin_only",
|
||||
"create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||
"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
|
||||
"get_port:queue_id": "rule:admin_only",
|
||||
"get_port:binding:vif_type": "rule:admin_only",
|
||||
"get_port:binding:vif_details": "rule:admin_only",
|
||||
"get_port:binding:host_id": "rule:admin_only",
|
||||
"get_port:binding:profile": "rule:admin_only",
|
||||
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
|
||||
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:binding:host_id": "rule:admin_only",
|
||||
"update_port:binding:profile": "rule:admin_only",
|
||||
"update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||
"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
|
||||
|
||||
"get_router:ha": "rule:admin_only",
|
||||
"create_router": "rule:regular_user",
|
||||
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
|
||||
"create_router:distributed": "rule:admin_only",
|
||||
"create_router:ha": "rule:admin_only",
|
||||
"get_router": "rule:admin_or_owner",
|
||||
"get_router:distributed": "rule:admin_only",
|
||||
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
|
||||
"update_router:distributed": "rule:admin_only",
|
||||
"update_router:ha": "rule:admin_only",
|
||||
"delete_router": "rule:admin_or_owner",
|
||||
|
||||
"add_router_interface": "rule:admin_or_owner",
|
||||
"remove_router_interface": "rule:admin_or_owner",
|
||||
|
||||
"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
|
||||
"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
|
||||
|
||||
"insert_rule": "rule:admin_or_owner",
|
||||
"remove_rule": "rule:admin_or_owner",
|
||||
|
||||
"create_qos_queue": "rule:admin_only",
|
||||
"get_qos_queue": "rule:admin_only",
|
||||
|
||||
"update_agent": "rule:admin_only",
|
||||
"delete_agent": "rule:admin_only",
|
||||
"get_agent": "rule:admin_only",
|
||||
|
||||
"create_dhcp-network": "rule:admin_only",
|
||||
"delete_dhcp-network": "rule:admin_only",
|
||||
"get_dhcp-networks": "rule:admin_only",
|
||||
"create_l3-router": "rule:admin_only",
|
||||
"delete_l3-router": "rule:admin_only",
|
||||
"get_l3-routers": "rule:admin_only",
|
||||
"get_dhcp-agents": "rule:admin_only",
|
||||
"get_l3-agents": "rule:admin_only",
|
||||
"get_loadbalancer-agent": "rule:admin_only",
|
||||
"get_loadbalancer-pools": "rule:admin_only",
|
||||
"get_agent-loadbalancers": "rule:admin_only",
|
||||
"get_loadbalancer-hosting-agent": "rule:admin_only",
|
||||
|
||||
"create_floatingip": "rule:regular_user",
|
||||
"create_floatingip:floating_ip_address": "rule:admin_only",
|
||||
"update_floatingip": "rule:admin_or_owner",
|
||||
"delete_floatingip": "rule:admin_or_owner",
|
||||
"get_floatingip": "rule:admin_or_owner",
|
||||
|
||||
"create_network_profile": "rule:admin_only",
|
||||
"update_network_profile": "rule:admin_only",
|
||||
"delete_network_profile": "rule:admin_only",
|
||||
"get_network_profiles": "",
|
||||
"get_network_profile": "",
|
||||
"update_policy_profiles": "rule:admin_only",
|
||||
"get_policy_profiles": "",
|
||||
"get_policy_profile": "",
|
||||
|
||||
"create_metering_label": "rule:admin_only",
|
||||
"delete_metering_label": "rule:admin_only",
|
||||
"get_metering_label": "rule:admin_only",
|
||||
|
||||
"create_metering_label_rule": "rule:admin_only",
|
||||
"delete_metering_label_rule": "rule:admin_only",
|
||||
"get_metering_label_rule": "rule:admin_only",
|
||||
|
||||
"get_service_provider": "rule:regular_user",
|
||||
"get_lsn": "rule:admin_only",
|
||||
"create_lsn": "rule:admin_only",
|
||||
|
||||
"create_flavor": "rule:admin_only",
|
||||
"update_flavor": "rule:admin_only",
|
||||
"delete_flavor": "rule:admin_only",
|
||||
"get_flavors": "rule:regular_user",
|
||||
"get_flavor": "rule:regular_user",
|
||||
"create_service_profile": "rule:admin_only",
|
||||
"update_service_profile": "rule:admin_only",
|
||||
"delete_service_profile": "rule:admin_only",
|
||||
"get_service_profiles": "rule:admin_only",
|
||||
"get_service_profile": "rule:admin_only",
|
||||
|
||||
"get_policy": "rule:regular_user",
|
||||
"create_policy": "rule:admin_only",
|
||||
"update_policy": "rule:admin_only",
|
||||
"delete_policy": "rule:admin_only",
|
||||
"get_policy_bandwidth_limit_rule": "rule:regular_user",
|
||||
"create_policy_bandwidth_limit_rule": "rule:admin_only",
|
||||
"delete_policy_bandwidth_limit_rule": "rule:admin_only",
|
||||
"update_policy_bandwidth_limit_rule": "rule:admin_only",
|
||||
"get_policy_dscp_marking_rule": "rule:regular_user",
|
||||
"create_policy_dscp_marking_rule": "rule:admin_only",
|
||||
"delete_policy_dscp_marking_rule": "rule:admin_only",
|
||||
"update_policy_dscp_marking_rule": "rule:admin_only",
|
||||
"get_rule_type": "rule:regular_user",
|
||||
"get_policy_minimum_bandwidth_rule": "rule:regular_user",
|
||||
"create_policy_minimum_bandwidth_rule": "rule:admin_only",
|
||||
"delete_policy_minimum_bandwidth_rule": "rule:admin_only",
|
||||
"update_policy_minimum_bandwidth_rule": "rule:admin_only",
|
||||
|
||||
"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
|
||||
"create_rbac_policy": "",
|
||||
"create_rbac_policy:target_tenant": "rule:restrict_wildcard",
|
||||
"update_rbac_policy": "rule:admin_or_owner",
|
||||
"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
|
||||
"get_rbac_policy": "rule:admin_or_owner",
|
||||
"delete_rbac_policy": "rule:admin_or_owner",
|
||||
|
||||
"create_flavor_service_profile": "rule:admin_only",
|
||||
"delete_flavor_service_profile": "rule:admin_only",
|
||||
"get_flavor_service_profile": "rule:regular_user",
|
||||
"get_auto_allocated_topology": "rule:admin_or_owner",
|
||||
|
||||
"create_trunk": "rule:regular_user",
|
||||
"get_trunk": "rule:admin_or_owner",
|
||||
"delete_trunk": "rule:admin_or_owner",
|
||||
"get_subports": "",
|
||||
"add_subports": "rule:admin_or_owner",
|
||||
"remove_subports": "rule:admin_or_owner"
|
||||
}
|
@ -365,8 +365,195 @@ conf:
|
||||
override:
|
||||
append:
|
||||
policy:
|
||||
override:
|
||||
append:
|
||||
context_is_admin: role:admin
|
||||
owner: tenant_id:%(tenant_id)s
|
||||
admin_or_owner: rule:context_is_admin or rule:owner
|
||||
context_is_advsvc: role:advsvc
|
||||
admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s
|
||||
admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner
|
||||
admin_only: rule:context_is_admin
|
||||
regular_user: ''
|
||||
shared: field:networks:shared=True
|
||||
shared_subnetpools: field:subnetpools:shared=True
|
||||
shared_address_scopes: field:address_scopes:shared=True
|
||||
external: field:networks:router:external=True
|
||||
default: rule:admin_or_owner
|
||||
create_subnet: rule:admin_or_network_owner
|
||||
create_subnet:segment_id: rule:admin_only
|
||||
create_subnet:service_types: rule:admin_only
|
||||
get_subnet: rule:admin_or_owner or rule:shared
|
||||
get_subnet:segment_id: rule:admin_only
|
||||
update_subnet: rule:admin_or_network_owner
|
||||
update_subnet:service_types: rule:admin_only
|
||||
delete_subnet: rule:admin_or_network_owner
|
||||
create_subnetpool: ''
|
||||
create_subnetpool:shared: rule:admin_only
|
||||
create_subnetpool:is_default: rule:admin_only
|
||||
get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools
|
||||
update_subnetpool: rule:admin_or_owner
|
||||
update_subnetpool:is_default: rule:admin_only
|
||||
delete_subnetpool: rule:admin_or_owner
|
||||
create_address_scope: ''
|
||||
create_address_scope:shared: rule:admin_only
|
||||
get_address_scope: rule:admin_or_owner or rule:shared_address_scopes
|
||||
update_address_scope: rule:admin_or_owner
|
||||
update_address_scope:shared: rule:admin_only
|
||||
delete_address_scope: rule:admin_or_owner
|
||||
create_network: ''
|
||||
get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
|
||||
get_network:router:external: rule:regular_user
|
||||
get_network:segments: rule:admin_only
|
||||
get_network:provider:network_type: rule:admin_only
|
||||
get_network:provider:physical_network: rule:admin_only
|
||||
get_network:provider:segmentation_id: rule:admin_only
|
||||
get_network:queue_id: rule:admin_only
|
||||
get_network_ip_availabilities: rule:admin_only
|
||||
get_network_ip_availability: rule:admin_only
|
||||
create_network:shared: rule:admin_only
|
||||
create_network:router:external: rule:admin_only
|
||||
create_network:is_default: rule:admin_only
|
||||
create_network:segments: rule:admin_only
|
||||
create_network:provider:network_type: rule:admin_only
|
||||
create_network:provider:physical_network: rule:admin_only
|
||||
create_network:provider:segmentation_id: rule:admin_only
|
||||
update_network: rule:admin_or_owner
|
||||
update_network:segments: rule:admin_only
|
||||
update_network:shared: rule:admin_only
|
||||
update_network:provider:network_type: rule:admin_only
|
||||
update_network:provider:physical_network: rule:admin_only
|
||||
update_network:provider:segmentation_id: rule:admin_only
|
||||
update_network:router:external: rule:admin_only
|
||||
delete_network: rule:admin_or_owner
|
||||
create_segment: rule:admin_only
|
||||
get_segment: rule:admin_only
|
||||
update_segment: rule:admin_only
|
||||
delete_segment: rule:admin_only
|
||||
network_device: 'field:port:device_owner=~^network:'
|
||||
create_port: ''
|
||||
create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
create_port:binding:host_id: rule:admin_only
|
||||
create_port:binding:profile: rule:admin_only
|
||||
create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
create_port:allowed_address_pairs: rule:admin_or_network_owner
|
||||
get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
|
||||
get_port:queue_id: rule:admin_only
|
||||
get_port:binding:vif_type: rule:admin_only
|
||||
get_port:binding:vif_details: rule:admin_only
|
||||
get_port:binding:host_id: rule:admin_only
|
||||
get_port:binding:profile: rule:admin_only
|
||||
update_port: rule:admin_or_owner or rule:context_is_advsvc
|
||||
update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
update_port:mac_address: rule:admin_only or rule:context_is_advsvc
|
||||
update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
update_port:binding:host_id: rule:admin_only
|
||||
update_port:binding:profile: rule:admin_only
|
||||
update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
update_port:allowed_address_pairs: rule:admin_or_network_owner
|
||||
delete_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
|
||||
get_router:ha: rule:admin_only
|
||||
create_router: rule:regular_user
|
||||
create_router:external_gateway_info:enable_snat: rule:admin_only
|
||||
create_router:distributed: rule:admin_only
|
||||
create_router:ha: rule:admin_only
|
||||
get_router: rule:admin_or_owner
|
||||
get_router:distributed: rule:admin_only
|
||||
update_router:external_gateway_info:enable_snat: rule:admin_only
|
||||
update_router:distributed: rule:admin_only
|
||||
update_router:ha: rule:admin_only
|
||||
delete_router: rule:admin_or_owner
|
||||
add_router_interface: rule:admin_or_owner
|
||||
remove_router_interface: rule:admin_or_owner
|
||||
create_router:external_gateway_info:external_fixed_ips: rule:admin_only
|
||||
update_router:external_gateway_info:external_fixed_ips: rule:admin_only
|
||||
insert_rule: rule:admin_or_owner
|
||||
remove_rule: rule:admin_or_owner
|
||||
create_qos_queue: rule:admin_only
|
||||
get_qos_queue: rule:admin_only
|
||||
update_agent: rule:admin_only
|
||||
delete_agent: rule:admin_only
|
||||
get_agent: rule:admin_only
|
||||
create_dhcp-network: rule:admin_only
|
||||
delete_dhcp-network: rule:admin_only
|
||||
get_dhcp-networks: rule:admin_only
|
||||
create_l3-router: rule:admin_only
|
||||
delete_l3-router: rule:admin_only
|
||||
get_l3-routers: rule:admin_only
|
||||
get_dhcp-agents: rule:admin_only
|
||||
get_l3-agents: rule:admin_only
|
||||
get_loadbalancer-agent: rule:admin_only
|
||||
get_loadbalancer-pools: rule:admin_only
|
||||
get_agent-loadbalancers: rule:admin_only
|
||||
get_loadbalancer-hosting-agent: rule:admin_only
|
||||
create_floatingip: rule:regular_user
|
||||
create_floatingip:floating_ip_address: rule:admin_only
|
||||
update_floatingip: rule:admin_or_owner
|
||||
delete_floatingip: rule:admin_or_owner
|
||||
get_floatingip: rule:admin_or_owner
|
||||
create_network_profile: rule:admin_only
|
||||
update_network_profile: rule:admin_only
|
||||
delete_network_profile: rule:admin_only
|
||||
get_network_profiles: ''
|
||||
get_network_profile: ''
|
||||
update_policy_profiles: rule:admin_only
|
||||
get_policy_profiles: ''
|
||||
get_policy_profile: ''
|
||||
create_metering_label: rule:admin_only
|
||||
delete_metering_label: rule:admin_only
|
||||
get_metering_label: rule:admin_only
|
||||
create_metering_label_rule: rule:admin_only
|
||||
delete_metering_label_rule: rule:admin_only
|
||||
get_metering_label_rule: rule:admin_only
|
||||
get_service_provider: rule:regular_user
|
||||
get_lsn: rule:admin_only
|
||||
create_lsn: rule:admin_only
|
||||
create_flavor: rule:admin_only
|
||||
update_flavor: rule:admin_only
|
||||
delete_flavor: rule:admin_only
|
||||
get_flavors: rule:regular_user
|
||||
get_flavor: rule:regular_user
|
||||
create_service_profile: rule:admin_only
|
||||
update_service_profile: rule:admin_only
|
||||
delete_service_profile: rule:admin_only
|
||||
get_service_profiles: rule:admin_only
|
||||
get_service_profile: rule:admin_only
|
||||
get_policy: rule:regular_user
|
||||
create_policy: rule:admin_only
|
||||
update_policy: rule:admin_only
|
||||
delete_policy: rule:admin_only
|
||||
get_policy_bandwidth_limit_rule: rule:regular_user
|
||||
create_policy_bandwidth_limit_rule: rule:admin_only
|
||||
delete_policy_bandwidth_limit_rule: rule:admin_only
|
||||
update_policy_bandwidth_limit_rule: rule:admin_only
|
||||
get_policy_dscp_marking_rule: rule:regular_user
|
||||
create_policy_dscp_marking_rule: rule:admin_only
|
||||
delete_policy_dscp_marking_rule: rule:admin_only
|
||||
update_policy_dscp_marking_rule: rule:admin_only
|
||||
get_rule_type: rule:regular_user
|
||||
get_policy_minimum_bandwidth_rule: rule:regular_user
|
||||
create_policy_minimum_bandwidth_rule: rule:admin_only
|
||||
delete_policy_minimum_bandwidth_rule: rule:admin_only
|
||||
update_policy_minimum_bandwidth_rule: rule:admin_only
|
||||
restrict_wildcard: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
|
||||
create_rbac_policy: ''
|
||||
create_rbac_policy:target_tenant: rule:restrict_wildcard
|
||||
update_rbac_policy: rule:admin_or_owner
|
||||
update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner
|
||||
get_rbac_policy: rule:admin_or_owner
|
||||
delete_rbac_policy: rule:admin_or_owner
|
||||
create_flavor_service_profile: rule:admin_only
|
||||
delete_flavor_service_profile: rule:admin_only
|
||||
get_flavor_service_profile: rule:regular_user
|
||||
get_auto_allocated_topology: rule:admin_or_owner
|
||||
create_trunk: rule:regular_user
|
||||
get_trunk: rule:admin_or_owner
|
||||
delete_trunk: rule:admin_or_owner
|
||||
get_subports: ''
|
||||
add_subports: rule:admin_or_owner
|
||||
remove_subports: rule:admin_or_owner
|
||||
neutron_sudoers:
|
||||
override:
|
||||
append:
|
||||
|
@ -75,5 +75,5 @@ data:
|
||||
api-paste.ini: |+
|
||||
{{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
policy.json: |+
|
||||
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{ toJson .Values.conf.policy | indent 4 }}
|
||||
{{- end }}
|
||||
|
@ -1,49 +0,0 @@
|
||||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"deny_everybody": "!",
|
||||
|
||||
"build_info:build_info": "",
|
||||
"profile_types:index": "",
|
||||
"profile_types:get": "",
|
||||
"policy_types:index": "",
|
||||
"policy_types:get": "",
|
||||
"clusters:index": "",
|
||||
"clusters:create": "",
|
||||
"clusters:delete": "",
|
||||
"clusters:get": "",
|
||||
"clusters:action": "",
|
||||
"clusters:update": "",
|
||||
"clusters:collect": "",
|
||||
"profiles:index": "",
|
||||
"profiles:create": "",
|
||||
"profiles:get": "",
|
||||
"profiles:delete": "",
|
||||
"profiles:update": "",
|
||||
"profiles:validate": "",
|
||||
"nodes:index": "",
|
||||
"nodes:create": "",
|
||||
"nodes:get": "",
|
||||
"nodes:action": "",
|
||||
"nodes:update": "",
|
||||
"nodes:delete": "",
|
||||
"policies:index": "",
|
||||
"policies:create": "",
|
||||
"policies:get": "",
|
||||
"policies:update": "",
|
||||
"policies:delete": "",
|
||||
"policies:validate": "",
|
||||
"cluster_policies:index": "",
|
||||
"cluster_policies:attach": "",
|
||||
"cluster_policies:detach": "",
|
||||
"cluster_policies:update": "",
|
||||
"cluster_policies:get": "",
|
||||
"receivers:index": "",
|
||||
"receivers:create": "",
|
||||
"receivers:get": "",
|
||||
"receivers:delete": "",
|
||||
"actions:index": "",
|
||||
"actions:get": "",
|
||||
"events:index": "",
|
||||
"events:get": "",
|
||||
"webhooks:trigger": ""
|
||||
}
|
@ -40,8 +40,52 @@ conf:
|
||||
override:
|
||||
append:
|
||||
policy:
|
||||
override:
|
||||
append:
|
||||
context_is_admin: role:admin
|
||||
deny_everybody: "!"
|
||||
build_info:build_info: ''
|
||||
profile_types:index: ''
|
||||
profile_types:get: ''
|
||||
policy_types:index: ''
|
||||
policy_types:get: ''
|
||||
clusters:index: ''
|
||||
clusters:create: ''
|
||||
clusters:delete: ''
|
||||
clusters:get: ''
|
||||
clusters:action: ''
|
||||
clusters:update: ''
|
||||
clusters:collect: ''
|
||||
profiles:index: ''
|
||||
profiles:create: ''
|
||||
profiles:get: ''
|
||||
profiles:delete: ''
|
||||
profiles:update: ''
|
||||
profiles:validate: ''
|
||||
nodes:index: ''
|
||||
nodes:create: ''
|
||||
nodes:get: ''
|
||||
nodes:action: ''
|
||||
nodes:update: ''
|
||||
nodes:delete: ''
|
||||
policies:index: ''
|
||||
policies:create: ''
|
||||
policies:get: ''
|
||||
policies:update: ''
|
||||
policies:delete: ''
|
||||
policies:validate: ''
|
||||
cluster_policies:index: ''
|
||||
cluster_policies:attach: ''
|
||||
cluster_policies:detach: ''
|
||||
cluster_policies:update: ''
|
||||
cluster_policies:get: ''
|
||||
receivers:index: ''
|
||||
receivers:create: ''
|
||||
receivers:get: ''
|
||||
receivers:delete: ''
|
||||
actions:index: ''
|
||||
actions:get: ''
|
||||
events:index: ''
|
||||
events:get: ''
|
||||
webhooks:trigger: ''
|
||||
senlin:
|
||||
override:
|
||||
append:
|
||||
|
Loading…
x
Reference in New Issue
Block a user