Avoid unrequired policy setup

OpenStack services already moved to use policy in code. No need to have policy file at this point, at least no need to put default policy rule to policy.yaml file anymore. To put in duplicate rules, will cause unnecessay logs and process. Also not healthy for policy in code maintain as the `default` rules in openstack-helm might override actual default rules in code which we might not even mean to change it at all. Change-Id: I29ea57aa80444ed64673818e597c9ca346ba7b2f
2022-11-23 22:43:10 +08:00 · 2022-11-23 22:43:10 +08:00 · b72f3d0f3c
commit b72f3d0f3c
parent 5ad407ab0e
33 changed files with 33 additions and 775 deletions
--- a/aodh/Chart.yaml
+++ b/aodh/Chart.yaml
@ -16,7 +16,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: Openstack-Helm Aodh
 name: aodh
-version: 0.2.5
+version: 0.2.6
 home: https://docs.openstack.org/aodh/latest/
 sources:
  - https://opendev.org/openstack/aodh
--- a/aodh/values.yaml
+++ b/aodh/values.yaml
@ -449,21 +449,7 @@ conf:
    filter:http_proxy_to_wsgi:
      paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
      oslo_config_project: aodh
-  policy:
-    context_is_admin: 'role:admin'
-    segregation: 'rule:context_is_admin'
-    admin_or_owner: 'rule:context_is_admin or project_id:%(project_id)s'
-    default: 'rule:admin_or_owner'
-    telemetry:get_alarm: 'rule:admin_or_owner'
-    telemetry:get_alarms: 'rule:admin_or_owner'
-    telemetry:query_alarm: 'rule:admin_or_owner'
-    telemetry:create_alarm: ''
-    telemetry:change_alarm: 'rule:admin_or_owner'
-    telemetry:delete_alarm: 'rule:admin_or_owner'
-    telemetry:get_alarm_state: 'rule:admin_or_owner'
-    telemetry:change_alarm_state: 'rule:admin_or_owner'
-    telemetry:alarm_history: 'rule:admin_or_owner'
-    telemetry:query_alarm_history: 'rule:admin_or_owner'
+  policy: {}
  aodh:
    DEFAULT:
      debug: false
--- a/ceilometer/Chart.yaml
+++ b/ceilometer/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceilometer
 name: ceilometer
-version: 0.2.6
+version: 0.2.7
 home: https://docs.openstack.org/ceilometer/latest/
 sources:
  - https://opendev.org/openstack/ceilometer
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@ -1450,19 +1450,7 @@ conf:
                type: "gauge"
        publishers:
          - notifier://
-  policy:
-    'context_is_admin': 'role:admin'
-    'segregation': 'rule:context_is_admin'
-    'telemetry:compute_statistics': ''
-    'telemetry:create_samples': ''
-    'telemetry:events:index': ''
-    'telemetry:events:show': ''
-    'telemetry:get_meters': ''
-    'telemetry:get_resource': ''
-    'telemetry:get_resources': ''
-    'telemetry:get_sample': ''
-    'telemetry:get_samples': ''
-    'telemetry:query_sample': ''
+  policy: {}
  audit_api_map:
    DEFAULT:
      target_endpoint_type: None
--- a/cinder/Chart.yaml
+++ b/cinder/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Cinder
 name: cinder
-version: 0.3.1
+version: 0.3.2
 home: https://docs.openstack.org/cinder/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png
 sources:
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@ -468,122 +468,7 @@ conf:
    filter:audit:
      paste.filter_factory: keystonemiddleware.audit:filter_factory
      audit_map_file: /etc/cinder/api_audit_map.conf
-  policy:
-    context_is_admin: role:admin
-    admin_or_owner: is_admin:True or project_id:%(project_id)s
-    default: rule:admin_or_owner
-    admin_api: is_admin:True
-    volume:create: ''
-    volume:delete: rule:admin_or_owner
-    volume:get: rule:admin_or_owner
-    volume:get_all: rule:admin_or_owner
-    volume:get_volume_metadata: rule:admin_or_owner
-    volume:create_volume_metadata: rule:admin_or_owner
-    volume:delete_volume_metadata: rule:admin_or_owner
-    volume:update_volume_metadata: rule:admin_or_owner
-    volume:get_volume_admin_metadata: rule:admin_api
-    volume:update_volume_admin_metadata: rule:admin_api
-    volume:get_snapshot: rule:admin_or_owner
-    volume:get_all_snapshots: rule:admin_or_owner
-    volume:create_snapshot: rule:admin_or_owner
-    volume:delete_snapshot: rule:admin_or_owner
-    volume:update_snapshot: rule:admin_or_owner
-    volume:get_snapshot_metadata: rule:admin_or_owner
-    volume:delete_snapshot_metadata: rule:admin_or_owner
-    volume:update_snapshot_metadata: rule:admin_or_owner
-    volume:extend: rule:admin_or_owner
-    volume:update_readonly_flag: rule:admin_or_owner
-    volume:retype: rule:admin_or_owner
-    volume:update: rule:admin_or_owner
-    volume_extension:types_manage: rule:admin_api
-    volume_extension:types_extra_specs: rule:admin_api
-    volume_extension:access_types_qos_specs_id: rule:admin_api
-    volume_extension:access_types_extra_specs: rule:admin_api
-    volume_extension:volume_type_access: rule:admin_or_owner
-    volume_extension:volume_type_access:addProjectAccess: rule:admin_api
-    volume_extension:volume_type_access:removeProjectAccess: rule:admin_api
-    volume_extension:volume_type_encryption: rule:admin_api
-    volume_extension:volume_encryption_metadata: rule:admin_or_owner
-    volume_extension:extended_snapshot_attributes: rule:admin_or_owner
-    volume_extension:volume_image_metadata: rule:admin_or_owner
-    volume_extension:quotas:show: ''
-    volume_extension:quotas:update: rule:admin_api
-    volume_extension:quotas:delete: rule:admin_api
-    volume_extension:quota_classes: rule:admin_api
-    volume_extension:quota_classes:validate_setup_for_nested_quota_use: rule:admin_api
-    volume_extension:volume_admin_actions:reset_status: rule:admin_api
-    volume_extension:snapshot_admin_actions:reset_status: rule:admin_api
-    volume_extension:backup_admin_actions:reset_status: rule:admin_api
-    volume_extension:volume_admin_actions:force_delete: rule:admin_api
-    volume_extension:volume_admin_actions:force_detach: rule:admin_api
-    volume_extension:snapshot_admin_actions:force_delete: rule:admin_api
-    volume_extension:backup_admin_actions:force_delete: rule:admin_api
-    volume_extension:volume_admin_actions:migrate_volume: rule:admin_api
-    volume_extension:volume_admin_actions:migrate_volume_completion: rule:admin_api
-    volume_extension:volume_actions:upload_public: rule:admin_api
-    volume_extension:volume_actions:upload_image: rule:admin_or_owner
-    volume_extension:volume_host_attribute: rule:admin_api
-    volume_extension:volume_tenant_attribute: rule:admin_or_owner
-    volume_extension:volume_mig_status_attribute: rule:admin_api
-    volume_extension:hosts: rule:admin_api
-    volume_extension:services:index: rule:admin_api
-    volume_extension:services:update: rule:admin_api
-    volume_extension:volume_manage: rule:admin_api
-    volume_extension:volume_unmanage: rule:admin_api
-    volume_extension:list_manageable: rule:admin_api
-    volume_extension:capabilities: rule:admin_api
-    volume:create_transfer: rule:admin_or_owner
-    volume:accept_transfer: ''
-    volume:delete_transfer: rule:admin_or_owner
-    volume:get_transfer: rule:admin_or_owner
-    volume:get_all_transfers: rule:admin_or_owner
-    volume_extension:replication:promote: rule:admin_api
-    volume_extension:replication:reenable: rule:admin_api
-    volume:failover_host: rule:admin_api
-    volume:freeze_host: rule:admin_api
-    volume:thaw_host: rule:admin_api
-    backup:create: ''
-    backup:delete: rule:admin_or_owner
-    backup:get: rule:admin_or_owner
-    backup:get_all: rule:admin_or_owner
-    backup:restore: rule:admin_or_owner
-    backup:backup-import: rule:admin_api
-    backup:backup-export: rule:admin_api
-    backup:update: rule:admin_or_owner
-    snapshot_extension:snapshot_actions:update_snapshot_status: ''
-    snapshot_extension:snapshot_manage: rule:admin_api
-    snapshot_extension:snapshot_unmanage: rule:admin_api
-    snapshot_extension:list_manageable: rule:admin_api
-    consistencygroup:create: group:nobody
-    consistencygroup:delete: group:nobody
-    consistencygroup:update: group:nobody
-    consistencygroup:get: group:nobody
-    consistencygroup:get_all: group:nobody
-    consistencygroup:create_cgsnapshot: group:nobody
-    consistencygroup:delete_cgsnapshot: group:nobody
-    consistencygroup:get_cgsnapshot: group:nobody
-    consistencygroup:get_all_cgsnapshots: group:nobody
-    group:group_types_manage: rule:admin_api
-    group:group_types_specs: rule:admin_api
-    group:access_group_types_specs: rule:admin_api
-    group:group_type_access: rule:admin_or_owner
-    group:create: ''
-    group:delete: rule:admin_or_owner
-    group:update: rule:admin_or_owner
-    group:get: rule:admin_or_owner
-    group:get_all: rule:admin_or_owner
-    group:create_group_snapshot: ''
-    group:delete_group_snapshot: rule:admin_or_owner
-    group:update_group_snapshot: rule:admin_or_owner
-    group:get_group_snapshot: rule:admin_or_owner
-    group:get_all_group_snapshots: rule:admin_or_owner
-    scheduler_extension:scheduler_stats:get_pools: rule:admin_api
-    message:delete: rule:admin_or_owner
-    message:get: rule:admin_or_owner
-    message:get_all: rule:admin_or_owner
-    clusters:get: rule:admin_api
-    clusters:get_all: rule:admin_api
-    clusters:update: rule:admin_api
+  policy: {}
  api_audit_map:
    DEFAULT:
      target_endpoint_type: None
--- a/designate/Chart.yaml
+++ b/designate/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Designate
 name: designate
-version: 0.2.7
+version: 0.2.8
 home: https://docs.openstack.org/designate/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Designate/OpenStack_Project_Designate_vertical.jpg
 sources:
--- a/designate/values.yaml
+++ b/designate/values.yaml
@ -441,112 +441,7 @@ conf:
      paste.filter_factory: designate.api.middleware:FaultWrapperMiddleware.factory
    filter:validation_API_v2:
      paste.filter_factory: designate.api.middleware:APIv2ValidationErrorMiddleware.factory
-  policy:
-    admin: role:admin or is_admin:True
-    primary_zone: target.zone_type:SECONDARY
-    owner: tenant:%(tenant_id)s
-    admin_or_owner: rule:admin or rule:owner
-    target: tenant:%(target_tenant_id)s
-    owner_or_target: rule:target or rule:owner
-    admin_or_owner_or_target: rule:owner_or_target or rule:admin
-    admin_or_target: rule:admin or rule:target
-    zone_primary_or_admin: ('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)
-    default: rule:admin_or_owner
-    all_tenants: rule:admin
-    edit_managed_records: rule:admin
-    use_low_ttl: rule:admin
-    get_quotas: rule:admin_or_owner
-    get_quota: rule:admin_or_owner
-    set_quota: rule:admin
-    reset_quotas: rule:admin
-    create_tld: rule:admin
-    find_tlds: rule:admin
-    get_tld: rule:admin
-    update_tld: rule:admin
-    delete_tld: rule:admin
-    create_tsigkey: rule:admin
-    find_tsigkeys: rule:admin
-    get_tsigkey: rule:admin
-    update_tsigkey: rule:admin
-    delete_tsigkey: rule:admin
-    find_tenants: rule:admin
-    get_tenant: rule:admin
-    count_tenants: rule:admin
-    create_zone: rule:admin_or_owner
-    get_zones: rule:admin_or_owner
-    get_zone: rule:admin_or_owner
-    get_zone_servers: rule:admin_or_owner
-    find_zones: rule:admin_or_owner
-    find_zone: rule:admin_or_owner
-    update_zone: rule:admin_or_owner
-    delete_zone: rule:admin_or_owner
-    xfr_zone: rule:admin_or_owner
-    abandon_zone: rule:admin
-    count_zones: rule:admin_or_owner
-    count_zones_pending_notify: rule:admin_or_owner
-    purge_zones: rule:admin
-    touch_zone: rule:admin_or_owner
-    create_recordset: rule:zone_primary_or_admin
-    get_recordsets: rule:admin_or_owner
-    get_recordset: rule:admin_or_owner
-    find_recordsets: rule:admin_or_owner
-    find_recordset: rule:admin_or_owner
-    update_recordset: rule:zone_primary_or_admin
-    delete_recordset: rule:zone_primary_or_admin
-    count_recordset: rule:admin_or_owner
-    create_record: rule:admin_or_owner
-    get_records: rule:admin_or_owner
-    get_record: rule:admin_or_owner
-    find_records: rule:admin_or_owner
-    find_record: rule:admin_or_owner
-    update_record: rule:admin_or_owner
-    delete_record: rule:admin_or_owner
-    count_records: rule:admin_or_owner
-    use_sudo: rule:admin
-    create_blacklist: rule:admin
-    find_blacklist: rule:admin
-    find_blacklists: rule:admin
-    get_blacklist: rule:admin
-    update_blacklist: rule:admin
-    delete_blacklist: rule:admin
-    use_blacklisted_zone: rule:admin
-    create_pool: rule:admin
-    find_pools: rule:admin
-    find_pool: rule:admin
-    get_pool: rule:admin
-    update_pool: rule:admin
-    delete_pool: rule:admin
-    zone_create_forced_pool: rule:admin
-    diagnostics_ping: rule:admin
-    diagnostics_sync_zones: rule:admin
-    diagnostics_sync_zone: rule:admin
-    diagnostics_sync_record: rule:admin
-    create_zone_transfer_request: rule:admin_or_owner
-    get_zone_transfer_request: rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s
-    get_zone_transfer_request_detailed: rule:admin_or_owner
-    find_zone_transfer_requests: '@'
-    find_zone_transfer_request: '@'
-    update_zone_transfer_request: rule:admin_or_owner
-    delete_zone_transfer_request: rule:admin_or_owner
-    create_zone_transfer_accept: rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s
-    get_zone_transfer_accept: rule:admin_or_owner
-    find_zone_transfer_accepts: rule:admin
-    find_zone_transfer_accept: rule:admin
-    update_zone_transfer_accept: rule:admin
-    delete_zone_transfer_accept: rule:admin
-    create_zone_import: rule:admin_or_owner
-    find_zone_imports: rule:admin_or_owner
-    get_zone_import: rule:admin_or_owner
-    update_zone_import: rule:admin_or_owner
-    delete_zone_import: rule:admin_or_owner
-    zone_export: rule:admin_or_owner
-    create_zone_export: rule:admin_or_owner
-    find_zone_exports: rule:admin_or_owner
-    get_zone_export: rule:admin_or_owner
-    update_zone_export: rule:admin_or_owner
-    find_service_status: rule:admin
-    find_service_statuses: rule:admin
-    update_service_service_status: rule:admin
+  policy: {}
  designate:
    DEFAULT:
      debug: false
--- a/glance/Chart.yaml
+++ b/glance/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Glance
 name: glance
-version: 0.4.0
+version: 0.4.1
 home: https://docs.openstack.org/glance/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
 sources:
--- a/glance/values.yaml
+++ b/glance/values.yaml
@ -189,61 +189,7 @@ conf:
      oslo_config_program: glance-api
    filter:http_proxy_to_wsgi:
      paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
-  policy:
-    metadef_default: ''
-    metadef_admin: 'role:admin'
-    context_is_admin: role:admin
-    default: role:admin
-    add_image: ''
-    delete_image: ''
-    get_image: ''
-    get_images: ''
-    modify_image: ''
-    publicize_image: role:admin
-    copy_from: ''
-    download_image: ''
-    upload_image: ''
-    delete_image_location: ''
-    get_image_location: ''
-    set_image_location: ''
-    add_member: ''
-    delete_member: ''
-    get_member: ''
-    get_members: ''
-    modify_member: ''
-    manage_image_cache: role:admin
-    get_task: role:admin
-    get_tasks: role:admin
-    add_task: role:admin
-    modify_task: role:admin
-    deactivate: ''
-    reactivate: ''
-    get_metadef_namespace: rule:metadef_default
-    get_metadef_namespaces: rule:metadef_default
-    modify_metadef_namespace: rule:metadef_admin
-    add_metadef_namespace: rule:metadef_admin
-    delete_metadef_namespace: rule:metadef_admin
-    get_metadef_object: rule:metadef_default
-    get_metadef_objects: rule:metadef_default
-    modify_metadef_object: rule:metadef_admin
-    add_metadef_object: rule:metadef_admin
-    delete_metadef_object: rule:metadef_admin
-    list_metadef_resource_types: rule:metadef_default
-    get_metadef_resource_type: rule:metadef_default
-    add_metadef_resource_type_association: rule:metadef_admin
-    remove_metadef_resource_type_association: rule:metadef_admin
-    get_metadef_property: rule:metadef_default
-    get_metadef_properties: rule:metadef_default
-    modify_metadef_property: rule:metadef_admin
-    add_metadef_property: rule:metadef_admin
-    remove_metadef_property: rule:metadef_admin
-    get_metadef_tag: rule:metadef_default
-    get_metadef_tags: rule:metadef_default
-    modify_metadef_tag: rule:metadef_admin
-    add_metadef_tag: rule:metadef_admin
-    add_metadef_tags: rule:metadef_admin
-    delete_metadef_tag: rule:metadef_admin
-    delete_metadef_tags: rule:metadef_admin
+  policy: {}
  glance_sudoers: |
    # This sudoers file supports rootwrap for both Kolla and LOCI Images.
    Defaults !requiretty
--- a/heat/Chart.yaml
+++ b/heat/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Heat
 name: heat
-version: 0.3.0
+version: 0.3.1
 home: https://docs.openstack.org/heat/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
 sources:
--- a/heat/values.yaml
+++ b/heat/values.yaml
@ -340,95 +340,7 @@ conf:
      paste.filter_factory: oslo_middleware.request_id:RequestId.factory
    filter:osprofiler:
      paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
-  policy:
-    context_is_admin: role:admin and is_admin_project:True
-    project_admin: role:admin
-    deny_stack_user: not role:heat_stack_user
-    deny_everybody: "!"
-    cloudformation:ListStacks: rule:deny_stack_user
-    cloudformation:CreateStack: rule:deny_stack_user
-    cloudformation:DescribeStacks: rule:deny_stack_user
-    cloudformation:DeleteStack: rule:deny_stack_user
-    cloudformation:UpdateStack: rule:deny_stack_user
-    cloudformation:CancelUpdateStack: rule:deny_stack_user
-    cloudformation:DescribeStackEvents: rule:deny_stack_user
-    cloudformation:ValidateTemplate: rule:deny_stack_user
-    cloudformation:GetTemplate: rule:deny_stack_user
-    cloudformation:EstimateTemplateCost: rule:deny_stack_user
-    cloudformation:DescribeStackResource: ''
-    cloudformation:DescribeStackResources: rule:deny_stack_user
-    cloudformation:ListStackResources: rule:deny_stack_user
-    cloudwatch:DeleteAlarms: rule:deny_stack_user
-    cloudwatch:DescribeAlarmHistory: rule:deny_stack_user
-    cloudwatch:DescribeAlarms: rule:deny_stack_user
-    cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user
-    cloudwatch:DisableAlarmActions: rule:deny_stack_user
-    cloudwatch:EnableAlarmActions: rule:deny_stack_user
-    cloudwatch:GetMetricStatistics: rule:deny_stack_user
-    cloudwatch:ListMetrics: rule:deny_stack_user
-    cloudwatch:PutMetricAlarm: rule:deny_stack_user
-    cloudwatch:PutMetricData: ''
-    cloudwatch:SetAlarmState: rule:deny_stack_user
-    actions:action: rule:deny_stack_user
-    build_info:build_info: rule:deny_stack_user
-    events:index: rule:deny_stack_user
-    events:show: rule:deny_stack_user
-    resource:index: rule:deny_stack_user
-    resource:metadata: ''
-    resource:signal: ''
-    resource:mark_unhealthy: rule:deny_stack_user
-    resource:show: rule:deny_stack_user
-    stacks:abandon: rule:deny_stack_user
-    stacks:create: rule:deny_stack_user
-    stacks:delete: rule:deny_stack_user
-    stacks:detail: rule:deny_stack_user
-    stacks:export: rule:deny_stack_user
-    stacks:generate_template: rule:deny_stack_user
-    stacks:global_index: rule:deny_everybody
-    stacks:index: rule:deny_stack_user
-    stacks:list_resource_types: rule:deny_stack_user
-    stacks:list_template_versions: rule:deny_stack_user
-    stacks:list_template_functions: rule:deny_stack_user
-    stacks:lookup: ''
-    stacks:preview: rule:deny_stack_user
-    stacks:resource_schema: rule:deny_stack_user
-    stacks:show: rule:deny_stack_user
-    stacks:template: rule:deny_stack_user
-    stacks:environment: rule:deny_stack_user
-    stacks:files: rule:deny_stack_user
-    stacks:update: rule:deny_stack_user
-    stacks:update_patch: rule:deny_stack_user
-    stacks:preview_update: rule:deny_stack_user
-    stacks:preview_update_patch: rule:deny_stack_user
-    stacks:validate_template: rule:deny_stack_user
-    stacks:snapshot: rule:deny_stack_user
-    stacks:show_snapshot: rule:deny_stack_user
-    stacks:delete_snapshot: rule:deny_stack_user
-    stacks:list_snapshots: rule:deny_stack_user
-    stacks:restore_snapshot: rule:deny_stack_user
-    stacks:list_outputs: rule:deny_stack_user
-    stacks:show_output: rule:deny_stack_user
-    software_configs:global_index: rule:deny_everybody
-    software_configs:index: rule:deny_stack_user
-    software_configs:create: rule:deny_stack_user
-    software_configs:show: rule:deny_stack_user
-    software_configs:delete: rule:deny_stack_user
-    software_deployments:index: rule:deny_stack_user
-    software_deployments:create: rule:deny_stack_user
-    software_deployments:show: rule:deny_stack_user
-    software_deployments:update: rule:deny_stack_user
-    software_deployments:delete: rule:deny_stack_user
-    software_deployments:metadata: ''
-    service:index: rule:context_is_admin
-    resource_types:OS::Nova::Flavor: rule:project_admin
-    resource_types:OS::Cinder::EncryptedVolumeType: rule:project_admin
-    resource_types:OS::Cinder::VolumeType: rule:project_admin
-    resource_types:OS::Cinder::Quota: rule:project_admin
-    resource_types:OS::Manila::ShareType: rule:project_admin
-    resource_types:OS::Neutron::QoSPolicy: rule:project_admin
-    resource_types:OS::Neutron::QoSBandwidthLimitRule: rule:project_admin
-    resource_types:OS::Nova::HostAggregate: rule:project_admin
-    resource_types:OS::Cinder::QoSSpecs: rule:project_admin
+  policy: {}
  heat:
    DEFAULT:
      log_config_append: /etc/heat/logging.conf
--- a/magnum/Chart.yaml
+++ b/magnum/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Magnum
 name: magnum
-version: 0.2.7
+version: 0.2.8
 home: https://docs.openstack.org/magnum/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Magnum/OpenStack_Project_Magnum_vertical.png
 sources:
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@ -68,49 +68,7 @@ conf:
      paste.filter_factory: oslo_middleware:Healthcheck.factory
      backends: disable_by_file
      disable_by_file_path: /etc/magnum/healthcheck_disable
-  policy:
-    context_is_admin: role:admin
-    admin_or_owner: is_admin:True or project_id:%(project_id)s
-    default: rule:admin_or_owner
-    admin_api: rule:context_is_admin
-    admin_or_user: is_admin:True or user_id:%(user_id)s
-    cluster_user: user_id:%(trustee_user_id)s
-    deny_cluster_user: not domain_id:%(trustee_domain_id)s
-    bay:create: rule:deny_cluster_user
-    bay:delete: rule:deny_cluster_user
-    bay:detail: rule:deny_cluster_user
-    bay:get: rule:deny_cluster_user
-    bay:get_all: rule:deny_cluster_user
-    bay:update: rule:deny_cluster_user
-    baymodel:create: rule:deny_cluster_user
-    baymodel:delete: rule:deny_cluster_user
-    baymodel:detail: rule:deny_cluster_user
-    baymodel:get: rule:deny_cluster_user
-    baymodel:get_all: rule:deny_cluster_user
-    baymodel:update: rule:deny_cluster_user
-    baymodel:publish: rule:admin_or_owner
-    cluster:create: rule:deny_cluster_user
-    cluster:delete: rule:deny_cluster_user
-    cluster:detail: rule:deny_cluster_user
-    cluster:get: rule:deny_cluster_user
-    cluster:get_all: rule:deny_cluster_user
-    cluster:update: rule:deny_cluster_user
-    clustertemplate:create: rule:deny_cluster_user
-    clustertemplate:delete: rule:deny_cluster_user
-    clustertemplate:detail: rule:deny_cluster_user
-    clustertemplate:get: rule:deny_cluster_user
-    clustertemplate:get_all: rule:deny_cluster_user
-    clustertemplate:update: rule:deny_cluster_user
-    clustertemplate:publish: rule:admin_or_owner
-    rc:create: rule:default
-    rc:delete: rule:default
-    rc:detail: rule:default
-    rc:get: rule:default
-    rc:get_all: rule:default
-    rc:update: rule:default
-    certificate:create: rule:admin_or_user or rule:cluster_user
-    certificate:get: rule:admin_or_user or rule:cluster_user
-    magnum-service:get_all: rule:admin_api
+  policy: {}
  magnum:
    DEFAULT:
      log_config_append: /etc/magnum/logging.conf
--- a/mistral/Chart.yaml
+++ b/mistral/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Mistral
 name: mistral
-version: 0.2.6
+version: 0.2.7
 home: https://docs.openstack.org/mistral/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Mistral/OpenStack_Project_Mistral_vertical.png
 sources:
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@ -416,58 +416,7 @@ conf:
      - name: /tmp/rally-jobs/mistral_params.json
        template: |
          {"env": {"env_param": "env_param_value"}}
-  policy:
-    admin_only: is_admin:True
-    admin_or_owner: is_admin:True or project_id:%(project_id)s
-    default: rule:admin_or_owner
-    action_executions:delete: rule:admin_or_owner
-    action_execution:create: rule:admin_or_owner
-    action_executions:get: rule:admin_or_owner
-    action_executions:list: rule:admin_or_owner
-    action_executions:update: rule:admin_or_owner
-    actions:create: rule:admin_or_owner
-    actions:delete: rule:admin_or_owner
-    actions:get: rule:admin_or_owner
-    actions:list: rule:admin_or_owner
-    actions:update: rule:admin_or_owner
-    cron_triggers:create: rule:admin_or_owner
-    cron_triggers:delete: rule:admin_or_owner
-    cron_triggers:get: rule:admin_or_owner
-    cron_triggers:list: rule:admin_or_owner
-    environments:create: rule:admin_or_owner
-    environments:delete: rule:admin_or_owner
-    environments:get: rule:admin_or_owner
-    environments:list: rule:admin_or_owner
-    environments:update: rule:admin_or_owner
-    executions:create: rule:admin_or_owner
-    executions:delete: rule:admin_or_owner
-    executions:get: rule:admin_or_owner
-    executions:list: rule:admin_or_owner
-    executions:update: rule:admin_or_owner
-    members:create: rule:admin_or_owner
-    members:delete: rule:admin_or_owner
-    members:get: rule:admin_or_owner
-    members:list: rule:admin_or_owner
-    members:update: rule:admin_or_owner
-    services:list: rule:admin_or_owner
-    tasks:get: rule:admin_or_owner
-    tasks:list: rule:admin_or_owner
-    tasks:update: rule:admin_or_owner
-    workbooks:create: rule:admin_or_owner
-    workbooks:delete: rule:admin_or_owner
-    workbooks:get: rule:admin_or_owner
-    workbooks:list: rule:admin_or_owner
-    workbooks:update: rule:admin_or_owner
-    workflows:create: rule:admin_or_owner
-    workflows:delete: rule:admin_or_owner
-    workflows:get: rule:admin_or_owner
-    workflows:list: rule:admin_or_owner
-    workflows:update: rule:admin_or_owner
-    event_triggers:create: rule:admin_or_owner
-    event_triggers:delete: rule:admin_or_owner
-    event_triggers:get: rule:admin_or_owner
-    event_triggers:list: rule:admin_or_owner
-    event_triggers:update: rule:admin_or_owner
+  policy: {}
  mistral:
    DEFAULT:
      log_config_append: /etc/mistral/logging.conf
--- a/neutron/Chart.yaml
+++ b/neutron/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Neutron
 name: neutron
-version: 0.3.0
+version: 0.3.1
 home: https://docs.openstack.org/neutron/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
 sources:
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -1163,196 +1163,7 @@ conf:
      paste.app_factory: neutron.api.v2.router:APIRouter.factory
    filter:osprofiler:
      paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
-  policy:
-    context_is_admin: role:admin
-    owner: tenant_id:%(tenant_id)s
-    admin_or_owner: rule:context_is_admin or rule:owner
-    context_is_advsvc: role:advsvc
-    admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s
-    admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner
-    admin_only: rule:context_is_admin
-    regular_user: ''
-    shared: field:networks:shared=True
-    shared_subnetpools: field:subnetpools:shared=True
-    shared_address_scopes: field:address_scopes:shared=True
-    external: field:networks:router:external=True
-    default: rule:admin_or_owner
-    create_subnet: rule:admin_or_network_owner
-    create_subnet:segment_id: rule:admin_only
-    create_subnet:service_types: rule:admin_only
-    get_subnet: rule:admin_or_owner or rule:shared
-    get_subnet:segment_id: rule:admin_only
-    update_subnet: rule:admin_or_network_owner
-    update_subnet:service_types: rule:admin_only
-    delete_subnet: rule:admin_or_network_owner
-    create_subnetpool: ''
-    create_subnetpool:shared: rule:admin_only
-    create_subnetpool:is_default: rule:admin_only
-    get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools
-    update_subnetpool: rule:admin_or_owner
-    update_subnetpool:is_default: rule:admin_only
-    delete_subnetpool: rule:admin_or_owner
-    create_address_scope: ''
-    create_address_scope:shared: rule:admin_only
-    get_address_scope: rule:admin_or_owner or rule:shared_address_scopes
-    update_address_scope: rule:admin_or_owner
-    update_address_scope:shared: rule:admin_only
-    delete_address_scope: rule:admin_or_owner
-    create_network: ''
-    get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
-    get_network:router:external: rule:regular_user
-    get_network:segments: rule:admin_only
-    get_network:provider:network_type: rule:admin_only
-    get_network:provider:physical_network: rule:admin_only
-    get_network:provider:segmentation_id: rule:admin_only
-    get_network:queue_id: rule:admin_only
-    get_network_ip_availabilities: rule:admin_only
-    get_network_ip_availability: rule:admin_only
-    create_network:shared: rule:admin_only
-    create_network:router:external: rule:admin_only
-    create_network:is_default: rule:admin_only
-    create_network:segments: rule:admin_only
-    create_network:provider:network_type: rule:admin_only
-    create_network:provider:physical_network: rule:admin_only
-    create_network:provider:segmentation_id: rule:admin_only
-    update_network: rule:admin_or_owner
-    update_network:segments: rule:admin_only
-    update_network:shared: rule:admin_only
-    update_network:provider:network_type: rule:admin_only
-    update_network:provider:physical_network: rule:admin_only
-    update_network:provider:segmentation_id: rule:admin_only
-    update_network:router:external: rule:admin_only
-    delete_network: rule:admin_or_owner
-    create_segment: rule:admin_only
-    get_segment: rule:admin_only
-    update_segment: rule:admin_only
-    delete_segment: rule:admin_only
-    network_device: 'field:port:device_owner=~^network:'
-    create_port: ''
-    create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
-    create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner
-    create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
-    create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
-    create_port:binding:host_id: rule:admin_only
-    create_port:binding:profile: rule:admin_only
-    create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
-    create_port:allowed_address_pairs: rule:admin_or_network_owner
-    get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
-    get_port:queue_id: rule:admin_only
-    get_port:binding:vif_type: rule:admin_only
-    get_port:binding:vif_details: rule:admin_only
-    get_port:binding:host_id: rule:admin_only
-    get_port:binding:profile: rule:admin_only
-    update_port: rule:admin_or_owner or rule:context_is_advsvc
-    update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
-    update_port:mac_address: rule:admin_only or rule:context_is_advsvc
-    update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
-    update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
-    update_port:binding:host_id: rule:admin_only
-    update_port:binding:profile: rule:admin_only
-    update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
-    update_port:allowed_address_pairs: rule:admin_or_network_owner
-    delete_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
-    get_router:ha: rule:admin_only
-    create_router: rule:regular_user
-    create_router:external_gateway_info:enable_snat: rule:admin_only
-    create_router:distributed: rule:admin_only
-    create_router:ha: rule:admin_only
-    get_router: rule:admin_or_owner
-    get_router:distributed: rule:admin_only
-    update_router:external_gateway_info:enable_snat: rule:admin_only
-    update_router:distributed: rule:admin_only
-    update_router:ha: rule:admin_only
-    delete_router: rule:admin_or_owner
-    add_router_interface: rule:admin_or_owner
-    remove_router_interface: rule:admin_or_owner
-    create_router:external_gateway_info:external_fixed_ips: rule:admin_only
-    update_router:external_gateway_info:external_fixed_ips: rule:admin_only
-    insert_rule: rule:admin_or_owner
-    remove_rule: rule:admin_or_owner
-    create_qos_queue: rule:admin_only
-    get_qos_queue: rule:admin_only
-    update_agent: rule:admin_only
-    delete_agent: rule:admin_only
-    get_agent: rule:admin_only
-    create_dhcp-network: rule:admin_only
-    delete_dhcp-network: rule:admin_only
-    get_dhcp-networks: rule:admin_only
-    create_l3-router: rule:admin_only
-    delete_l3-router: rule:admin_only
-    get_l3-routers: rule:admin_only
-    get_dhcp-agents: rule:admin_only
-    get_l3-agents: rule:admin_only
-    get_loadbalancer-agent: rule:admin_only
-    get_loadbalancer-pools: rule:admin_only
-    get_agent-loadbalancers: rule:admin_only
-    get_loadbalancer-hosting-agent: rule:admin_only
-    create_floatingip: rule:regular_user
-    create_floatingip:floating_ip_address: rule:admin_only
-    update_floatingip: rule:admin_or_owner
-    delete_floatingip: rule:admin_or_owner
-    get_floatingip: rule:admin_or_owner
-    create_network_profile: rule:admin_only
-    update_network_profile: rule:admin_only
-    delete_network_profile: rule:admin_only
-    get_network_profiles: ''
-    get_network_profile: ''
-    update_policy_profiles: rule:admin_only
-    get_policy_profiles: ''
-    get_policy_profile: ''
-    create_metering_label: rule:admin_only
-    delete_metering_label: rule:admin_only
-    get_metering_label: rule:admin_only
-    create_metering_label_rule: rule:admin_only
-    delete_metering_label_rule: rule:admin_only
-    get_metering_label_rule: rule:admin_only
-    get_service_provider: rule:regular_user
-    get_lsn: rule:admin_only
-    create_lsn: rule:admin_only
-    create_flavor: rule:admin_only
-    update_flavor: rule:admin_only
-    delete_flavor: rule:admin_only
-    get_flavors: rule:regular_user
-    get_flavor: rule:regular_user
-    create_service_profile: rule:admin_only
-    update_service_profile: rule:admin_only
-    delete_service_profile: rule:admin_only
-    get_service_profiles: rule:admin_only
-    get_service_profile: rule:admin_only
-    get_policy: rule:regular_user
-    create_policy: rule:admin_only
-    update_policy: rule:admin_only
-    delete_policy: rule:admin_only
-    get_policy_bandwidth_limit_rule: rule:regular_user
-    create_policy_bandwidth_limit_rule: rule:admin_only
-    delete_policy_bandwidth_limit_rule: rule:admin_only
-    update_policy_bandwidth_limit_rule: rule:admin_only
-    get_policy_dscp_marking_rule: rule:regular_user
-    create_policy_dscp_marking_rule: rule:admin_only
-    delete_policy_dscp_marking_rule: rule:admin_only
-    update_policy_dscp_marking_rule: rule:admin_only
-    get_rule_type: rule:regular_user
-    get_policy_minimum_bandwidth_rule: rule:regular_user
-    create_policy_minimum_bandwidth_rule: rule:admin_only
-    delete_policy_minimum_bandwidth_rule: rule:admin_only
-    update_policy_minimum_bandwidth_rule: rule:admin_only
-    restrict_wildcard: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
-    create_rbac_policy: ''
-    create_rbac_policy:target_tenant: rule:restrict_wildcard
-    update_rbac_policy: rule:admin_or_owner
-    update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner
-    get_rbac_policy: rule:admin_or_owner
-    delete_rbac_policy: rule:admin_or_owner
-    create_flavor_service_profile: rule:admin_only
-    delete_flavor_service_profile: rule:admin_only
-    get_flavor_service_profile: rule:regular_user
-    get_auto_allocated_topology: rule:admin_or_owner
-    create_trunk: rule:regular_user
-    get_trunk: rule:admin_or_owner
-    delete_trunk: rule:admin_or_owner
-    get_subports: ''
-    add_subports: rule:admin_or_owner
-    remove_subports: rule:admin_or_owner
+  policy: {}
  api_audit_map:
    DEFAULT:
      target_endpoint_type: None
--- a/placement/Chart.yaml
+++ b/placement/Chart.yaml
@ -16,7 +16,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Placement
 name: placement
-version: 0.3.1
+version: 0.3.2
 home: https://docs.openstack.org/placement/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png
 sources:
--- a/placement/values.yaml
+++ b/placement/values.yaml
@ -73,44 +73,7 @@ conf:
      #   - status
      a2enmod: null
      a2dismod: null
-  policy:
-    "context_is_admin": "role:admin"
-    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"
-    "default": "rule:admin_or_owner"
-    "admin_api": "role:admin"
-    "placement:resource_providers:list": "rule:admin_api"
-    "placement:resource_providers:create": "rule:admin_api"
-    "placement:resource_providers:show": "rule:admin_api"
-    "placement:resource_providers:update": "rule:admin_api"
-    "placement:resource_providers:delete": "rule:admin_api"
-    "placement:resource_classes:list": "rule:admin_api"
-    "placement:resource_classes:create": "rule:admin_api"
-    "placement:resource_classes:show": "rule:admin_api"
-    "placement:resource_classes:update": "rule:admin_api"
-    "placement:resource_classes:delete": "rule:admin_api"
-    "placement:resource_providers:inventories:list": "rule:admin_api"
-    "placement:resource_providers:inventories:create": "rule:admin_api"
-    "placement:resource_providers:inventories:show": "rule:admin_api"
-    "placement:resource_providers:inventories:update": "rule:admin_api"
-    "placement:resource_providers:inventories:delete": "rule:admin_api"
-    "placement:resource_providers:aggregates:list": "rule:admin_api"
-    "placement:resource_providers:aggregates:update": "rule:admin_api"
-    "placement:resource_providers:usages": "rule:admin_api"
-    "placement:usages": "rule:admin_api"
-    "placement:traits:list": "rule:admin_api"
-    "placement:traits:show": "rule:admin_api"
-    "placement:traits:update": "rule:admin_api"
-    "placement:traits:delete": "rule:admin_api"
-    "placement:resource_providers:traits:list": "rule:admin_api"
-    "placement:resource_providers:traits:update": "rule:admin_api"
-    "placement:resource_providers:traits:delete": "rule:admin_api"
-    "placement:allocations:manage": "rule:admin_api"
-    "placement:allocations:list": "rule:admin_api"
-    "placement:allocations:update": "rule:admin_api"
-    "placement:allocations:delete": "rule:admin_api"
-    "placement:resource_providers:allocations:list": "rule:admin_api"
-    "placement:allocation_candidates:list": "rule:admin_api"
-    "placement:reshaper:reshape": "rule:admin_api"
+  policy: {}
  placement:
    DEFAULT:
      debug: false
--- a/releasenotes/notes/aodh.yaml
+++ b/releasenotes/notes/aodh.yaml
@ -8,4 +8,5 @@ aodh:
  - 0.2.3 Enable taint toleration for Openstack services
  - 0.2.4 Migrated CronJob resource to batch/v1 API version & PodDisruptionBudget to policy/v1
  - 0.2.5 Added OCI registry authentication
+  - 0.2.6 Remove default policy rules
 ...
--- a/releasenotes/notes/ceilometer.yaml
+++ b/releasenotes/notes/ceilometer.yaml
@ -9,4 +9,5 @@ ceilometer:
  - 0.2.4 Update default image values to Wallaby
  - 0.2.5 Migrated PodDisruptionBudget resource to policy/v1 API version
  - 0.2.6 Added OCI registry authentication
+  - 0.2.7 Remove default policy rules
 ...
--- a/releasenotes/notes/cinder.yaml
+++ b/releasenotes/notes/cinder.yaml
@ -51,4 +51,5 @@ cinder:
  - 0.2.32 Revert "Remove fixed node name from default values and add service cleaner cronjob"
  - 0.3.0 Remove support for Train and Ussuri
  - 0.3.1 Change ceph-config-helper image tag
+  - 0.3.2 Remove default policy rules
 ...
--- a/releasenotes/notes/designate.yaml
+++ b/releasenotes/notes/designate.yaml
@ -11,4 +11,5 @@ designate:
  - 0.2.5 Migrated PodDisruptionBudget resource to policy/v1 API version
  - 0.2.6 Added OCI registry authentication
  - 0.2.7 Use HTTP probe instead of TCP probe
+  - 0.2.8 Remove default policy rules
 ...
--- a/releasenotes/notes/glance.yaml
+++ b/releasenotes/notes/glance.yaml
@ -34,4 +34,5 @@ glance:
  - 0.3.11 Use HTTP probe instead of TCP probe
  - 0.3.12 Add support for using Cinder as backend
  - 0.4.0 Remove support for Train and Ussuri
+  - 0.4.1 Remove default policy rules
 ...
--- a/releasenotes/notes/heat.yaml
+++ b/releasenotes/notes/heat.yaml
@ -26,4 +26,5 @@ heat:
  - 0.2.17 Use HTTP probe instead of TCP probe
  - 0.2.18 Change hook weight for bootstrap job
  - 0.3.0 Remove support for Train and Ussuri
+  - 0.3.1 Remove default policy rules
 ...
--- a/releasenotes/notes/magnum.yaml
+++ b/releasenotes/notes/magnum.yaml
@ -11,4 +11,5 @@ magnum:
  - 0.2.5 Update default image values to wallaby
  - 0.2.6 Migrated PodDisruptionBudget resource to policy/v1 API version
  - 0.2.7 Added OCI registry authentication
+  - 0.2.8 Remove default policy rules
 ...
--- a/releasenotes/notes/mistral.yaml
+++ b/releasenotes/notes/mistral.yaml
@ -10,4 +10,5 @@ mistral:
  - 0.2.4 Migrated PodDisruptionBudget resource to policy/v1 API version
  - 0.2.5 Added OCI registry authentication
  - 0.2.6 Use HTTP probe instead of TCP probe
+  - 0.2.7 Remove default policy rules
 ...
--- a/releasenotes/notes/neutron.yaml
+++ b/releasenotes/notes/neutron.yaml
@ -42,4 +42,5 @@ neutron:
  - 0.2.26 Use HTTP probe instead of TCP probe
  - 0.2.27 Distinguish between port number of internal endpoint and binding port number
  - 0.3.0 Remove support for Train and Ussuri
+  - 0.3.1 Remove default policy rules
 ...
--- a/releasenotes/notes/placement.yaml
+++ b/releasenotes/notes/placement.yaml
@ -24,4 +24,5 @@ placement:
  - 0.2.13 Support TLS endpoints
  - 0.3.0 Remove placement-migrate
  - 0.3.1 Remove support for Train and Ussuri
+  - 0.3.2 Remove default policy rules
 ...
--- a/releasenotes/notes/senlin.yaml
+++ b/releasenotes/notes/senlin.yaml
@ -10,4 +10,5 @@ senlin:
  - 0.2.5 Migrated CronJob resource to batch/v1 API version & PodDisruptionBudget to policy/v1
  - 0.2.6 Add helm.sh/hook annotations for Jobs
  - 0.2.7 Added OCI registry authentication
+  - 0.2.8 Remove default policy rules
 ...
--- a/senlin/Chart.yaml
+++ b/senlin/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Senlin
 name: senlin
-version: 0.2.7
+version: 0.2.8
 home: https://docs.openstack.org/senlin/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Senlin/OpenStack_Project_Senlin_vertical.png
 sources:
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@ -123,53 +123,7 @@ conf:
      senlin.filter_factory: senlin.api.middleware:webhook_filter
    filter:authtoken:
      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
-  policy:
-    context_is_admin: role:admin
-    deny_everybody: "!"
-    build_info:build_info: ''
-    profile_types:index: ''
-    profile_types:get: ''
-    policy_types:index: ''
-    policy_types:get: ''
-    clusters:index: ''
-    clusters:create: ''
-    clusters:delete: ''
-    clusters:get: ''
-    clusters:action: ''
-    clusters:update: ''
-    clusters:collect: ''
-    profiles:index: ''
-    profiles:create: ''
-    profiles:get: ''
-    profiles:delete: ''
-    profiles:update: ''
-    profiles:validate: ''
-    nodes:index: ''
-    nodes:create: ''
-    nodes:get: ''
-    nodes:action: ''
-    nodes:update: ''
-    nodes:delete: ''
-    policies:index: ''
-    policies:create: ''
-    policies:get: ''
-    policies:update: ''
-    policies:delete: ''
-    policies:validate: ''
-    cluster_policies:index: ''
-    cluster_policies:attach: ''
-    cluster_policies:detach: ''
-    cluster_policies:update: ''
-    cluster_policies:get: ''
-    receivers:index: ''
-    receivers:create: ''
-    receivers:get: ''
-    receivers:delete: ''
-    actions:index: ''
-    actions:get: ''
-    events:index: ''
-    events:get: ''
-    webhooks:trigger: ''
+  policy: {}
  senlin:
    DEFAULT:
      log_config_append: /etc/senlin/logging.conf