diff --git a/enhanced-policies/.gitignore b/enhanced-policies/.gitignore new file mode 100644 index 00000000..70c3c409 --- /dev/null +++ b/enhanced-policies/.gitignore @@ -0,0 +1,55 @@ +*.py[cod] +.venv + +# C extensions +*.so + +# Packages +.eggs +*.egg +*.egg-info +dist +build +eggs +parts +bin +var +sdist +develop-eggs +.installed.cfg +lib +lib64 + +# Installer logs +pip-log.txt + +# Unit test / coverage reports +.coverage +cover/* +.tox +nosetests.xml +.testrepository +.stestr + +# Translations +*.mo + +# Mr Developer +.mr.developer.cfg +.project +.pydevproject + +# Complexity +output/*.html +output/*/index.html + +# Sphinx +doc/build + +# pbr generates these +AUTHORS +ChangeLog + +# Editors +*~ +.*.swp diff --git a/enhanced-policies/README.md b/enhanced-policies/README.md new file mode 100644 index 00000000..0ca31c04 --- /dev/null +++ b/enhanced-policies/README.md @@ -0,0 +1,147 @@ +Enhanced Policies +========================== + +This repository aims to provide enhanced policies for stx-openstack. + + +|Design|Roles|Permissions summary| +|:-------------|-------------|:-----| +|Default Role:|member|Users with 'member' can manage certain resources of the project.| +|New Role to add:|project_admin|Users with role 'project_admin' could manage all resources of the project| +|New Role to add:|project_readonly|Users with role 'project_readonly' can only get list and detail of resources of the project, and shared resources of other projects| + +Setting up the environment +-------------------------- + +Make sure you have access to the Openstack CLI, follow the instructions on [this doc.](https://docs.starlingx.io/deploy_install_guides/r5_release/openstack/access.html#id4) + +1. Transfer the policies to your cloud's controller: + ``` + rsync -avP *-policy-overrides.yml @:~/rbac + ``` +2. Log into your active controller +3. Create your clouds.yaml file + ```bash + cat <clouds.yaml + clouds: + openstack: + region_name: RegionOne + identity_api_version: 3 + endpoint_type: internalURL + auth: + username: 'admin' + password: '' + project_name: 'admin' + project_domain_name: 'default' + user_domain_name: 'default' + auth_url: 'http://keystone.openstack.svc.cluster.local/v3' + EOF + ``` +4. Create the custom roles: + ``` + # Assuming you are using method 1 + export OS_CLOUD=openstack + + openstack role create project_admin + openstack role create project_readonly + ``` +5. In order to enable the extensions required for some of the Neutron tests, include the following configuration to the Neutron helm override YML file: + ``` + conf: + neutron: + DEFAULT: + service_plugins: + - router + - network_segment_range + - qos + - segments + - port_forwarding + - trunk + plugins: + ml2_conf: + ml2: + extension_drivers: + - port_security + - qos + openvswitch_agent: + agent: + extensions: + - qos + - port_forwarding + ``` +6. Apply the policy overrides for each service to your cloud + ``` + source /etc/platform/openrc + + system helm-override-update stx-openstack keystone openstack --values=rbac/keystone-policy-overrides.yml + system helm-override-update stx-openstack cinder openstack --values=rbac/cinder-policy-overrides.yml + system helm-override-update stx-openstack nova openstack --values=rbac/nova-policy-overrides.yml + system helm-override-update stx-openstack neutron openstack --values=rbac/neutron-policy-overrides.yml + system helm-override-update stx-openstack glance openstack --values=rbac/glance-policy-overrides.yml + system helm-override-update stx-openstack horizon openstack --values=rbac/horizon-policy-overrides.yml + + system application-apply stx-openstack + ``` +7. Watch for application overrides to finish applying + ``` + watch system application-show stx-openstack + ``` + +Running tests +------------- + +Please follow the instructions below to test the enhanced policies on your system. We assume that the New Roles were created on you system and the overrides were successfully applied. + +1. Get to the rbac folder you transfered into your controller node + ``` + cd ~/rbac + ``` + +2. IMPORTANT: create a venv and install the test dependencies + ``` + if [ ! -d .venv ]; then + python3 -m venv .venv + fi + + source .venv/bin/activate + pip install --upgrade pip + pip install -r test-requirements.txt + ``` +3. Download CirrOS image (dependency for nova and cinder tests) + ``` + wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img + ``` +4. Execute the tests + On StarlingX: + ``` + export OS_CLOUD=openstack + pytest tests/ + ``` + + On WindRiver Openstack: + ``` + export OS_CLOUD=openstack + pytest tests/ --env wro + ``` + +If things go awry... +-------------------- + +**WARNING: The following script might DELETE some existing configuration if not used carefully!** + +One can use the run-cleanup-all.sh script to remove any leftovers from the test +on the environment: + +```bash +export OS_CLOUD=openstack +bash run-cleanup-all.sh +``` + +Role Permission Details +----------------------- + +|Role Permissions|identity(keystone)|compute(nova)|networking(neutron)|image(glance)|volume(cinder)| +|---|:---|:---|:---|:---|:---| +|member|All operations that legacy role '_member_' can do|1 - Can get list and detail of instances
2 - Can create instance/Can open console of instances
3 - Can access log of instance
4 - Can manage keypairs of his/her own|1 - Can only create/update/delete port
2 - Can get list and detail of resources: subnetpool, address scope, networks, subnets, etc.|1,can create and update image, upload image content
|1 - Can create volume
2 - Can create volume from image
3 - Can create volume snapshot
4 - Can create volume-backup| +|project_admin|all operations that legacy role '_member_' can do;|all operations that legacy role '_member_' can do
|1 - All operations that legacy role '_member_' can do
2 - Can create/update/delete 'shared' subnetpool
3 - Can create/update/delete address scope
4 - Can create/update/delete shared network
|1 - All operations that legacy role '_member_' can do
2 - Can publicize_image
|1 - All operations that legacy role '_member_' can do| +|project_readonly|all operations that legacy role '_member_' can do
|1 - Can only get list and detail of instances
2 - Can manage key-pairs of his/her own|1 - Can only get list and detail of resources: subnetpool, address scopes, networks, subnets,etc.|1 - Can only get list and detail of images|1 - Can only get list and detail of volumes, backups, snapshots| \ No newline at end of file diff --git a/enhanced-policies/cinder-policy-overrides.yml b/enhanced-policies/cinder-policy-overrides.yml new file mode 100644 index 00000000..9353a08a --- /dev/null +++ b/enhanced-policies/cinder-policy-overrides.yml @@ -0,0 +1,149 @@ +conf: + policy: + admin_api: is_admin:True or (role:admin and is_admin_project:True) + admin_or_owner: is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s + admin_or_projectadmin_owner: rule:admin_api or rule:projectadmin_and_owner + admin_or_projectadmin_required: rule:admin_api or rule:projectadmin_required + admin_or_projectmember_owner: rule:admin_api or rule:projectmember_and_owner + admin_or_projectmember_required: rule:admin_api or rule:projectmember_required + backup:backup-export: rule:admin_api + backup:backup-import: rule:admin_api + backup:backup_project_attribute: rule:admin_api + backup:create: rule:admin_or_projectmember_owner + backup:delete: rule:admin_or_projectadmin_owner + backup:get: rule:admin_or_owner + backup:get_all: rule:admin_or_owner + backup:restore: rule:admin_or_projectadmin_owner + backup:update: rule:admin_or_projectadmin_owner + clusters:get: rule:admin_api + clusters:get_all: rule:admin_api + clusters:update: rule:admin_api + consistencygroup:create: rule:admin_or_projectadmin_required + consistencygroup:create_cgsnapshot: rule:admin_or_projectadmin_required + consistencygroup:delete: rule:admin_or_projectadmin_required + consistencygroup:delete_cgsnapshot: rule:admin_or_projectadmin_required + consistencygroup:get: "" + consistencygroup:get_all: "" + consistencygroup:get_all_cgsnapshots: "" + consistencygroup:get_cgsnapshot: "" + consistencygroup:update: rule:admin_or_projectadmin_required + default: rule:admin_or_owner + group:access_group_types_specs: rule:admin_api + group:create: rule:admin_or_projectadmin_required + group:create_group_snapshot: rule:admin_or_projectadmin_required + group:delete: rule:admin_or_projectadmin_owner + group:delete_group_snapshot: rule:admin_or_projectadmin_owner + group:disable_replication: rule:admin_or_projectadmin_owner + group:enable_replication: rule:admin_or_projectadmin_owner + group:failover_replication: rule:admin_or_projectadmin_owner + group:get: rule:admin_or_owner + group:get_all: rule:admin_or_owner + group:get_all_group_snapshots: rule:admin_or_owner + group:get_group_snapshot: rule:admin_or_owner + group:group_type_access: rule:admin_or_projectadmin_owner + group:group_types_manage: rule:admin_api + group:group_types_specs: rule:admin_api + group:list_replication_targets: rule:admin_or_owner + group:reset_group_snapshot_status: rule:admin_api + group:reset_status: rule:admin_api + group:update: rule:admin_or_projectadmin_owner + group:update_group_snapshot: rule:admin_or_projectadmin_owner + message:delete: rule:admin_or_projectadmin_owner + message:get: rule:admin_or_owner + message:get_all: rule:admin_or_owner + owner: project_id:%(project_id)s + projectadmin_and_owner: rule:projectadmin_required and rule:owner + projectadmin_required: role:project_admin + projectmember_and_owner: rule:projectmember_required and rule:owner + projectmember_required: role:project_admin or role:member + scheduler_extension:scheduler_stats:get_pools: rule:admin_api + snapshot_extension:list_manageable: rule:admin_api + snapshot_extension:snapshot_actions:update_snapshot_status: rule:admin_or_projectmember_required + snapshot_extension:snapshot_manage: rule:admin_api + snapshot_extension:snapshot_unmanage: rule:admin_api + volume:accept_transfer: rule:admin_or_projectmember_required + volume:attachment_create: rule:admin_or_projectmember_required + volume:attachment_delete: rule:admin_or_projectmember_owner + volume:attachment_update: rule:admin_or_projectmember_owner + volume:create: rule:admin_or_projectmember_required + volume:create_from_image: rule:admin_or_projectmember_required + volume:create_snapshot: rule:admin_or_projectmember_owner + volume:create_transfer: rule:admin_or_projectadmin_owner + volume:create_volume_metadata: rule:admin_or_projectmember_owner + volume:delete: rule:admin_or_projectadmin_owner + volume:delete_snapshot: rule:admin_or_projectadmin_owner + volume:delete_snapshot_metadata: rule:admin_or_projectadmin_owner + volume:delete_transfer: rule:admin_or_projectadmin_owner + volume:delete_volume_metadata: rule:admin_or_projectadmin_owner + volume:extend: rule:admin_or_projectadmin_owner + volume:extend_attached_volume: rule:admin_or_projectadmin_owner + volume:failover_host: rule:admin_api + volume:force_delete: rule:admin_api + volume:freeze_host: rule:admin_api + volume:get: rule:admin_or_owner + volume:get_all: rule:admin_or_owner + volume:get_all_snapshots: rule:admin_or_owner + volume:get_all_transfers: rule:admin_or_owner + volume:get_snapshot: rule:admin_or_owner + volume:get_snapshot_metadata: rule:admin_or_owner + volume:get_transfer: rule:admin_or_owner + volume:get_volume_admin_metadata: rule:admin_api + volume:get_volume_metadata: rule:admin_or_owner + volume:retype: rule:admin_or_projectadmin_owner + volume:revert_to_snapshot: rule:admin_or_projectadmin_owner + volume:thaw_host: rule:admin_api + volume:update: rule:admin_or_projectadmin_owner + volume:update_readonly_flag: rule:admin_or_projectadmin_owner + volume:update_snapshot: rule:admin_or_projectadmin_owner + volume:update_snapshot_metadata: rule:admin_or_projectadmin_owner + volume:update_volume_admin_metadata: rule:admin_api + volume:update_volume_metadata: rule:admin_or_projectadmin_owner + volume_extension:access_types_extra_specs: rule:admin_api + volume_extension:access_types_qos_specs_id: rule:admin_api + volume_extension:backup_admin_actions:force_delete: rule:admin_api + volume_extension:backup_admin_actions:reset_status: rule:admin_api + volume_extension:capabilities: rule:admin_api + volume_extension:extended_snapshot_attributes: rule:admin_or_projectadmin_owner + volume_extension:hosts: rule:admin_api + volume_extension:list_manageable: rule:admin_api + volume_extension:qos_specs_manage:create: rule:admin_api + volume_extension:qos_specs_manage:delete: rule:admin_api + volume_extension:qos_specs_manage:get: rule:admin_api + volume_extension:qos_specs_manage:get_all: rule:admin_api + volume_extension:qos_specs_manage:update: rule:admin_api + volume_extension:quota_classes: rule:admin_api + volume_extension:quota_classes:validate_setup_for_nested_quota_use: rule:admin_api + volume_extension:quotas:delete: rule:admin_api + volume_extension:quotas:show: "" + volume_extension:quotas:update: rule:admin_api + volume_extension:services:index: rule:admin_api + volume_extension:services:update: rule:admin_api + volume_extension:snapshot_admin_actions:force_delete: rule:admin_api + volume_extension:snapshot_admin_actions:reset_status: rule:admin_api + volume_extension:snapshot_backup_status_attribute: rule:admin_or_projectadmin_owner + volume_extension:snapshot_export_attributes: rule:admin_or_projectadmin_owner + volume_extension:types_extra_specs:create: rule:admin_api + volume_extension:types_extra_specs:delete: rule:admin_api + volume_extension:types_extra_specs:index: rule:admin_api + volume_extension:types_extra_specs:show: rule:admin_api + volume_extension:types_extra_specs:update: rule:admin_api + volume_extension:types_manage: rule:admin_api + volume_extension:volume_actions:upload_image: rule:admin_or_projectadmin_owner + volume_extension:volume_actions:upload_public: rule:admin_api + volume_extension:volume_admin_actions:force_delete: rule:admin_api + volume_extension:volume_admin_actions:force_detach: rule:admin_api + volume_extension:volume_admin_actions:migrate_volume: rule:admin_api + volume_extension:volume_admin_actions:migrate_volume_completion: rule:admin_api + volume_extension:volume_admin_actions:reset_status: rule:admin_api + volume_extension:volume_encryption_metadata: rule:admin_or_projectadmin_owner + volume_extension:volume_host_attribute: rule:admin_api + volume_extension:volume_image_metadata: rule:admin_or_owner + volume_extension:volume_manage: rule:admin_api + volume_extension:volume_mig_status_attribute: rule:admin_api + volume_extension:volume_tenant_attribute: rule:admin_or_projectadmin_owner + volume_extension:volume_type_access: rule:admin_or_projectadmin_owner + volume_extension:volume_type_access:addProjectAccess: rule:admin_api + volume_extension:volume_type_access:removeProjectAccess: rule:admin_api + volume_extension:volume_type_encryption: rule:admin_api + volume_extension:volume_unmanage: rule:admin_api + workers:cleanup: rule:admin_api diff --git a/enhanced-policies/glance-policy-overrides.yml b/enhanced-policies/glance-policy-overrides.yml new file mode 100644 index 00000000..1fcfd7cd --- /dev/null +++ b/enhanced-policies/glance-policy-overrides.yml @@ -0,0 +1,65 @@ +conf: + policy: + owner: project_id:%(owner)s + admin_or_projectadmin_owner: rule:context_is_admin or rule:projectadmin_and_owner + admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required + admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner + admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required + projectadmin_required: role:project_admin + projectadmin_and_owner: rule:projectadmin_required and rule:owner + projectmember_and_owner: rule:projectmember_required and rule:owner + projectmember_required: role:project_admin or role:member + add_image: rule:admin_or_projectmember_required + add_member: rule:admin_or_projectadmin_owner + add_metadef_namespace: rule:admin_or_projectadmin_required + add_metadef_object: rule:admin_or_projectadmin_required + add_metadef_property: rule:admin_or_projectadmin_required + add_metadef_resource_type_association: rule:admin_or_projectadmin_required + add_metadef_tag: rule:admin_or_projectadmin_required + add_metadef_tags: rule:admin_or_projectadmin_required + add_task: rule:admin_or_projectadmin_owner + communitize_image: rule:admin_or_projectadmin_required + context_is_admin: role:admin + copy_from: rule:admin_or_projectadmin_owner + deactivate: rule:admin_or_projectadmin_owner + default: role:admin + delete_image: rule:admin_or_projectadmin_owner + delete_image_location: rule:admin_or_projectadmin_owner + delete_member: rule:admin_or_projectadmin_owner + delete_metadef_namespace: rule:admin_or_projectadmin_owner + delete_metadef_object: rule:admin_or_projectadmin_owner + delete_metadef_tag: rule:admin_or_projectadmin_owner + delete_metadef_tags: rule:admin_or_projectadmin_owner + download_image: "" + get_image: "" + get_image_location: "" + get_images: "" + get_member: "" + get_members: "" + get_metadef_namespace: "" + get_metadef_namespaces: "" + get_metadef_object: "" + get_metadef_objects: "" + get_metadef_properties: "" + get_metadef_property: "" + get_metadef_resource_type: "" + get_metadef_tag: "" + get_metadef_tags: "" + get_task: rule:admin_or_projectadmin_owner + get_tasks: rule:admin_or_projectadmin_owner + list_metadef_resource_types: "" + manage_image_cache: role:admin + modify_image: rule:admin_or_projectmember_owner + modify_member: rule:admin_or_projectmember_required + modify_metadef_namespace: rule:admin_or_projectadmin_owner + modify_metadef_object: rule:admin_or_projectadmin_owner + modify_metadef_property: rule:admin_or_projectadmin_owner + modify_metadef_tag: rule:admin_or_projectadmin_owner + modify_task: rule:admin_or_projectadmin_owner + publicize_image: rule:admin_or_projectadmin_required + reactivate: rule:admin_or_projectadmin_owner + remove_metadef_property: rule:admin_or_projectadmin_owner + remove_metadef_resource_type_association: rule:admin_or_projectadmin_owner + set_image_location: rule:admin_or_projectadmin_owner + tasks_api_access: role:admin + upload_image: rule:admin_or_projectmember_required diff --git a/enhanced-policies/horizon-policy-overrides.yml b/enhanced-policies/horizon-policy-overrides.yml new file mode 100644 index 00000000..913e00a3 --- /dev/null +++ b/enhanced-policies/horizon-policy-overrides.yml @@ -0,0 +1,1147 @@ +conf: + horizon: + policy: + keystone: + admin_or_owner: rule:admin_required or rule:owner + admin_or_token_subject: rule:admin_required or rule:token_subject + admin_required: role:admin or is_admin:1 or rule:project_admin_required + default: rule:admin_required + identity:add_endpoint_group_to_project: rule:admin_required + identity:add_endpoint_to_project: rule:admin_required + identity:add_user_to_group: rule:admin_required + identity:authorize_request_token: rule:admin_required + identity:change_password: rule:admin_or_owner + identity:check_endpoint_in_project: rule:admin_required + identity:check_grant: rule:admin_required + identity:check_implied_role: rule:admin_required + identity:check_policy_association_for_endpoint: rule:admin_required + identity:check_policy_association_for_region_and_service: rule:admin_required + identity:check_policy_association_for_service: rule:admin_required + identity:check_token: rule:admin_or_token_subject + identity:check_user_in_group: rule:admin_required + identity:create_consumer: rule:admin_required + identity:create_credential: rule:admin_required + identity:create_domain_config: rule:admin_required + identity:create_domain_role: rule:admin_required + identity:create_domain: rule:admin_required + identity:create_endpoint_group: rule:admin_required + identity:create_endpoint: rule:admin_required + identity:create_grant: rule:admin_required or rule:project_admin_required + identity:create_group: rule:admin_required + identity:create_identity_provider: rule:admin_required + identity:create_implied_role: rule:admin_required + identity:create_mapping: rule:admin_required + identity:create_policy_association_for_endpoint: rule:admin_required + identity:create_policy_association_for_region_and_service: rule:admin_required + identity:create_policy_association_for_service: rule:admin_required + identity:create_policy: rule:admin_required + identity:create_project: rule:admin_required + identity:create_protocol: rule:admin_required + identity:create_region: rule:admin_required + identity:create_role: rule:admin_required + identity:create_service_provider: rule:admin_required + identity:create_service: rule:admin_required + identity:create_trust: user_id:%(trust.trustor_user_id)s + identity:create_user: rule:admin_required or rule:project_admin_required + identity:delete_access_token: rule:admin_required + identity:delete_consumer: rule:admin_required + identity:delete_credential: rule:admin_required + identity:delete_domain_config: rule:admin_required + identity:delete_domain_role: rule:admin_required + identity:delete_domain: rule:admin_required + identity:delete_endpoint_group: rule:admin_required + identity:delete_endpoint: rule:admin_required + identity:delete_group: rule:admin_required + identity:delete_identity_provider: rule:admin_required + identity:delete_implied_role: rule:admin_required + identity:delete_mapping: rule:admin_required + identity:delete_policy_association_for_endpoint: rule:admin_required + identity:delete_policy_association_for_region_and_service: rule:admin_required + identity:delete_policy_association_for_service: rule:admin_required + identity:delete_policy: rule:admin_required + identity:delete_project: rule:admin_required + identity:delete_protocol: rule:admin_required + identity:delete_region: rule:admin_required + identity:delete_role: rule:admin_required + identity:delete_service_provider: rule:admin_required + identity:delete_service: rule:admin_required + identity:delete_trust: "" + identity:delete_user: rule:admin_required + identity:ec2_create_credential: rule:admin_or_owner + identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) + identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) + identity:ec2_list_credentials: rule:admin_or_owner + identity:get_access_token_role: rule:admin_required + identity:get_access_token: rule:admin_required + identity:get_auth_catalog: "" + identity:get_auth_domains: "" + identity:get_auth_projects: "" + identity:get_consumer: rule:admin_required + identity:get_credential: rule:admin_required + identity:get_domain_config_default: rule:admin_required or rule:project_admin_required + identity:get_domain_config: rule:admin_required or rule:project_admin_required + identity:get_domain_role: rule:admin_required or rule:project_admin_required + identity:get_domain: rule:admin_required or rule:project_admin_required + identity:get_endpoint_group_in_project: rule:admin_required + identity:get_endpoint_group: rule:admin_required + identity:get_endpoint: rule:admin_required + identity:get_group: rule:admin_required or rule:project_admin_required + identity:get_identity_providers: rule:admin_required + identity:get_implied_role: rule:admin_required or rule:project_admin_required + identity:get_mapping: rule:admin_required + identity:get_policy_for_endpoint: rule:admin_required + identity:get_policy: rule:admin_required + identity:get_project: rule:admin_required or project_id:%(target.project.id)s or rule:project_admin_required + identity:get_protocol: rule:admin_required + identity:get_region: "" + identity:get_role_for_trust: "" + identity:get_role: rule:admin_required or rule:project_admin_required + identity:get_service_provider: rule:admin_required + identity:get_service: rule:admin_required + identity:get_user: rule:admin_or_owner or rule:project_admin_required + identity:list_access_token_roles: rule:admin_required + identity:list_access_tokens: rule:admin_required + identity:list_consumers: rule:admin_required + identity:list_credentials: rule:admin_required + identity:list_domain_roles: rule:admin_required or rule:project_admin_required + identity:list_domains_for_groups: "" + identity:list_domains: rule:admin_required or rule:project_admin_required + identity:list_endpoint_groups_for_project: rule:admin_required + identity:list_endpoint_groups: rule:admin_required + identity:list_endpoints_associated_with_endpoint_group: rule:admin_required + identity:list_endpoints_for_policy: rule:admin_required + identity:list_endpoints_for_project: rule:admin_required + identity:list_endpoints: rule:admin_required + identity:list_grants: rule:admin_required or rule:project_admin_required + identity:list_groups_for_user: rule:admin_or_owner or rule:project_admin_required + identity:list_groups: rule:admin_required or rule:project_admin_required + identity:list_identity_providers: rule:admin_required + identity:list_implied_roles: rule:admin_required + identity:list_mappings: rule:admin_required + identity:list_policies: rule:admin_required + identity:list_projects_associated_with_endpoint_group: rule:admin_required + identity:list_projects_for_endpoint: rule:admin_required + identity:list_projects_for_groups: "" + identity:list_projects: rule:admin_required or rule:project_admin_required + identity:list_protocols: rule:admin_required + identity:list_regions: "" + identity:list_revoke_events: "" + identity:list_role_assignments_for_tree: rule:admin_required or rule:project_admin_required + identity:list_role_assignments: rule:admin_required or rule:project_admin_required + identity:list_role_inference_rules: rule:admin_required or rule:project_admin_required + identity:list_roles_for_trust: "" + identity:list_roles: rule:admin_required or rule:project_admin_required + identity:list_service_providers: rule:admin_required + identity:list_services: rule:admin_required + identity:list_trusts: "" + identity:list_user_projects: rule:admin_or_owner or rule:project_admin_required + identity:list_users_in_group: rule:admin_required or rule:project_admin_required + identity:list_users: rule:admin_required or rule:project_admin_required + identity:remove_endpoint_from_project: rule:admin_required + identity:remove_endpoint_group_from_project: rule:admin_required + identity:remove_user_from_group: rule:admin_required + identity:revocation_list: rule:service_or_admin + identity:revoke_grant: rule:admin_required or rule:project_admin_required + identity:revoke_token: rule:admin_or_token_subject + identity:update_consumer: rule:admin_required + identity:update_credential: rule:admin_required + identity:update_domain_config: rule:admin_required + identity:update_domain_role: rule:admin_required + identity:update_domain: rule:admin_required + identity:update_endpoint_group: rule:admin_required + identity:update_endpoint: rule:admin_required + identity:update_group: rule:admin_required + identity:update_identity_provider: rule:admin_required + identity:update_mapping: rule:admin_required + identity:update_policy: rule:admin_required + identity:update_project: rule:admin_required or (rule:project_admin_required and project_id:%(target.project.id)s) + identity:update_protocol: rule:admin_required + identity:update_region: rule:admin_required + identity:update_role: rule:admin_required + identity:update_service_provider: rule:admin_required + identity:update_service: rule:admin_required + identity:update_user: rule:admin_required + identity:validate_token_head: rule:service_or_admin + identity:validate_token: rule:service_admin_or_token_subject + owner: user_id:%(user_id)s + project_admin_required: role:project_admin + service_admin_or_token_subject: rule:service_or_admin or rule:token_subject + service_or_admin: rule:admin_required or rule:service_role + service_role: role:service + token_subject: user_id:%(target.token.user_id)s + cinder: + owner: project_id:%(project_id)s + context_is_admin: role:admin + admin_api: is_admin:True or (role:admin and is_admin_project:True) + admin_or_owner: is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s + admin_or_projectadmin_owner: rule:admin_api or rule:projectadmin_and_owner + admin_or_projectadmin_required: rule:admin_api or rule:projectadmin_required + admin_or_projectmember_owner: rule:admin_api or rule:projectmember_and_owner + admin_or_projectmember_required: rule:admin_api or rule:projectmember_required + projectadmin_and_owner: rule:projectadmin_required and rule:owner + projectadmin_required: role:project_admin + projectmember_and_owner: rule:projectmember_required and rule:owner + projectmember_required: role:project_admin or role:member + backup:backup-export: rule:admin_api + backup:backup-import: rule:admin_api + backup:backup_project_attribute: rule:admin_api + backup:create: rule:admin_or_projectmember_owner + backup:delete: rule:admin_or_projectadmin_owner + backup:get_all: "" + backup:get: "" + backup:restore: rule:admin_or_projectadmin_owner + backup:update: rule:admin_or_projectadmin_owner + clusters:get: rule:admin_api + clusters:get_all: rule:admin_api + clusters:update: rule:admin_api + consistencygroup:create_cgsnapshot: rule:admin_or_projectadmin_required + consistencygroup:create: rule:admin_or_projectadmin_required + consistencygroup:delete_cgsnapshot: rule:admin_or_projectadmin_required + consistencygroup:delete: rule:admin_or_projectadmin_required + consistencygroup:get_all_cgsnapshots: "" + consistencygroup:get_all: "" + consistencygroup:get_cgsnapshot: "" + consistencygroup:get: "" + consistencygroup:update: rule:admin_or_projectadmin_required + group:access_group_types_specs: rule:admin_api + group:create: rule:admin_or_projectadmin_required + group:create_group_snapshot: rule:admin_or_projectadmin_required + group:delete: rule:admin_or_projectadmin_owner + group:delete_group_snapshot: rule:admin_or_projectadmin_owner + group:disable_replication: rule:admin_or_projectadmin_owner + group:enable_replication: rule:admin_or_projectadmin_owner + group:failover_replication: rule:admin_or_projectadmin_owner + group:get: rule:admin_or_owner + group:get_all: "" + group:get_all_group_snapshots: "" + group:get_group_snapshot: "" + group:group_type_access: rule:admin_or_projectadmin_owner + group:group_types_manage: rule:admin_api + group:group_types_specs: rule:admin_api + group:list_replication_targets: rule:admin_or_owner + group:reset_group_snapshot_status: rule:admin_api + group:reset_status: rule:admin_api + group:update: rule:admin_or_projectadmin_owner + group:update_group_snapshot: rule:admin_or_projectadmin_owner + message:delete: "" + message:get_all: "" + message:get: "" + scheduler_extension:scheduler_stats:get_pools: rule:admin_api + snapshot_extension:list_manageable: rule:admin_api + snapshot_extension:snapshot_actions:update_snapshot_status: rule:admin_or_projectmember_required + snapshot_extension:snapshot_manage: rule:admin_api + snapshot_extension:snapshot_unmanage: rule:admin_api + volume_extension:access_types_extra_specs: rule:admin_api + volume_extension:access_types_qos_specs_id: rule:admin_api + volume_extension:backup_admin_actions:force_delete: rule:admin_api + volume_extension:backup_admin_actions:reset_status: rule:admin_api + volume_extension:capabilities: rule:admin_api + volume_extension:extended_snapshot_attributes: rule:admin_or_projectadmin_owner + volume_extension:hosts: rule:admin_api + volume_extension:list_manageable: rule:admin_api + volume_extension:qos_specs_manage:create: rule:admin_api + volume_extension:qos_specs_manage:delete: rule:admin_api + volume_extension:qos_specs_manage:get: rule:admin_api + volume_extension:qos_specs_manage:get_all: rule:admin_api + volume_extension:qos_specs_manage:update: rule:admin_api + volume_extension:quota_classes: rule:admin_api + volume_extension:quota_classes:validate_setup_for_nested_quota_use: rule:admin_api + volume_extension:quotas:delete: rule:admin_api + volume_extension:quotas:show: "" + volume_extension:quotas:update: rule:admin_api + volume_extension:replication:promote: rule:admin_api + volume_extension:replication:reenable: rule:admin_api + volume_extension:services:index: rule:admin_api + volume_extension:services:update: rule:admin_api + volume_extension:snapshot_admin_actions:force_delete: rule:admin_api + volume_extension:snapshot_admin_actions:reset_status: rule:admin_api + volume_extension:snapshot_backup_status_attribute: rule:admin_or_projectadmin_owner + volume_extension:snapshot_export_attributes: rule:admin_or_projectadmin_owner + volume_extension:types_extra_specs:create: rule:admin_api + volume_extension:types_extra_specs:delete: rule:admin_api + volume_extension:types_extra_specs:index: rule:admin_api + volume_extension:types_extra_specs:show: rule:admin_api + volume_extension:types_extra_specs:update: rule:admin_api + volume_extension:types_manage: rule:admin_api + volume_extension:volume_actions:upload_image: rule:admin_or_projectadmin_owner + volume_extension:volume_actions:upload_public: rule:admin_api + volume_extension:volume_admin_actions:force_delete: rule:admin_api + volume_extension:volume_admin_actions:force_detach: rule:admin_api + volume_extension:volume_admin_actions:migrate_volume_completion: rule:admin_api + volume_extension:volume_admin_actions:migrate_volume: rule:admin_api + volume_extension:volume_admin_actions:reset_status: rule:admin_api + volume_extension:volume_encryption_metadata: rule:admin_or_projectadmin_owner + volume_extension:volume_host_attribute: rule:admin_api + volume_extension:volume_image_metadata: rule:admin_or_owner + volume_extension:volume_manage: rule:admin_api + volume_extension:volume_mig_status_attribute: rule:admin_api + volume_extension:volume_tenant_attribute: rule:admin_or_projectadmin_owner + volume_extension:volume_type_access: rule:admin_or_projectadmin_owner + volume_extension:volume_type_access:addProjectAccess: rule:admin_api + volume_extension:volume_type_access:removeProjectAccess: rule:admin_api + volume_extension:volume_type_encryption: rule:admin_api + volume_extension:volume_unmanage: rule:admin_api + volume:accept_transfer: rule:admin_or_projectmember_required + volume:attachment_create: rule:admin_or_projectmember_required + volume:attachment_delete: rule:admin_or_projectmember_owner + volume:attachment_update: rule:admin_or_projectmember_owner + volume:create_from_image: rule:admin_or_projectmember_required + volume:create_snapshot: rule:admin_or_projectmember_owner + volume:create_transfer: rule:admin_or_projectadmin_owner + volume:create_volume_metadata: rule:admin_or_projectmember_owner + volume:create: rule:admin_or_projectmember_required + volume:delete_snapshot_metadata: rule:admin_or_projectadmin_owner + volume:delete_snapshot: rule:admin_or_projectadmin_owner + volume:delete_transfer: rule:admin_or_projectadmin_owner + volume:delete_volume_metadata: rule:admin_or_projectadmin_owner + volume:delete: rule:admin_or_projectadmin_owner + volume:extend_attached_volume: rule:admin_or_projectadmin_owner + volume:extend: rule:admin_or_projectadmin_owner + volume:failover_host: rule:admin_api + volume:force_delete: rule:admin_api + volume:freeze_host: rule:admin_api + volume:get_all_snapshots: "" + volume:get_all_transfers: "" + volume:get_all: "" + volume:get_snapshot_metadata: "" + volume:get_snapshot: "" + volume:get_transfer: "" + volume:get_volume_admin_metadata: "" + volume:get_volume_metadata: "" + volume:get: "" + volume:retype: rule:admin_or_projectadmin_owner + volume:revert_to_snapshot: rule:admin_or_projectadmin_owner + volume:thaw_host: rule:admin_api + volume:update_readonly_flag: rule:admin_or_projectadmin_owner + volume:update_snapshot_metadata: rule:admin_or_projectadmin_owner + volume:update_snapshot: rule:admin_or_projectadmin_owner + volume:update_volume_admin_metadata: rule:admin_api + volume:update_volume_metadata: rule:admin_or_projectmember_owner + volume:update: rule:admin_or_projectadmin_owner + workers:cleanup: rule:admin_api + default: rule:admin_or_owner + glance: + owner: project_id:%(owner)s + admin_or_projectadmin_owner: rule:context_is_admin or rule:projectadmin_and_owner + admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required + admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner + admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required + projectadmin_required: role:project_admin + projectadmin_and_owner: rule:projectadmin_required and rule:owner + projectmember_and_owner: rule:projectmember_required and rule:owner + projectmember_required: role:project_admin or role:member + add_image: rule:admin_or_projectmember_required + add_member: rule:admin_or_projectadmin_required + add_metadef_namespace: rule:admin_or_projectadmin_required + add_metadef_object: rule:admin_or_projectadmin_required + add_metadef_property: rule:admin_or_projectadmin_required + add_metadef_resource_type_association: rule:admin_or_projectadmin_required + add_metadef_tag: rule:admin_or_projectadmin_required + add_metadef_tags: rule:admin_or_projectadmin_required + add_task: rule:admin_or_projectadmin_required + communitize_image: rule:admin_or_projectadmin_required + context_is_admin: role:admin + copy_from: rule:admin_or_projectadmin_required + deactivate: rule:admin_or_projectadmin_required + default: role:admin + delete_image: rule:admin_or_projectadmin_required + delete_image_location: rule:admin_or_projectadmin_required + delete_member: rule:admin_or_projectadmin_required + delete_metadef_namespace: rule:admin_or_projectadmin_required + delete_metadef_object: rule:admin_or_projectadmin_required + delete_metadef_tag: rule:admin_or_projectadmin_required + delete_metadef_tags: rule:admin_or_projectadmin_required + download_image: "" + get_image: "" + get_image_location: "" + get_images: "" + get_member: "" + get_members: "" + get_metadef_namespace: "" + get_metadef_namespaces: "" + get_metadef_object: "" + get_metadef_objects: "" + get_metadef_properties: "" + get_metadef_property: "" + get_metadef_resource_type: "" + get_metadef_tag: "" + get_metadef_tags: "" + get_task: "" + get_tasks: "" + list_metadef_resource_types: "" + manage_image_cache: role:admin + modify_image: rule:admin_or_projectmember_required + modify_member: rule:admin_or_projectmember_required + modify_metadef_namespace: rule:admin_or_projectadmin_required + modify_metadef_object: rule:admin_or_projectadmin_required + modify_metadef_property: rule:admin_or_projectadmin_required + modify_metadef_tag: rule:admin_or_projectadmin_required + modify_task: rule:admin_or_projectadmin_required + publicize_image: rule:admin_or_projectadmin_required + reactivate: rule:admin_or_projectadmin_required + remove_metadef_property: rule:admin_or_projectadmin_required + remove_metadef_resource_type_association: rule:admin_or_projectadmin_required + set_image_location: rule:admin_or_projectadmin_required + tasks_api_access: role:admin + upload_image: rule:admin_or_projectmember_required + neutron: + owner: tenant_id:%(tenant_id)s + ext_parent_owner: tenant_id:%(ext_parent:tenant_id)s + generic_owner: rule:owner or rule:network_owner + network_owner: tenant_id:%(network:tenant_id)s + context_is_admin: role:admin + context_is_advsvc: role:advsvc + external: field:networks:router:external=True + admin_only: rule:context_is_admin + admin_or_data_plane_int: rule:context_is_admin or role:data_plane_integrator + admin_or_ext_parent_owner: rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s + admin_or_generic_owner: rule:context_is_admin or rule:generic_owner + admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s + admin_or_owner: rule:context_is_admin or rule:owner + admin_or_projectadmin_ext_owner: rule:context_is_admin or rule:projectadmin_and_ext_owner + admin_or_projectadmin_generic_owner: rule:context_is_admin or rule:projectadmin_and_generic_owner + admin_or_projectadmin_network_owner: rule:context_is_admin or rule:projectadmin_and_network_owner + admin_or_projectadmin_owner: rule:context_is_admin or rule:projectadmin_and_owner + admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required + admin_or_projectmember_generic_owner: rule:context_is_admin or rule:projectmember_and_generic_owner + admin_or_projectmember_network_owner: rule:context_is_admin or rule:projectmember_and_network_owner + admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner + admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required + admin_or_qos_owner: rule:context_is_admin or tenant_id:%(qos:tenant_id)s + admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner + projectadmin_and_ext_owner: rule:projectadmin_required and rule:ext_parent_owner + projectadmin_and_generic_owner: rule:projectadmin_required and rule:generic_owner + projectadmin_and_network_owner: rule:projectadmin_required and rule:network_owner + projectadmin_and_owner: rule:projectadmin_required and rule:owner + projectadmin_required: role:project_admin + projectmember_and_generic_owner: rule:projectmember_required and rule:generic_owner + projectmember_and_network_owner: rule:projectmember_required and rule:network_owner + projectmember_and_owner: rule:projectmember_required and rule:owner + projectmember_required: role:project_admin or role:member + regular_user: "" + network_device: 'field:port:device_owner=~^network:' + add_router_interface: rule:admin_or_projectadmin_owner + add_subports: rule:admin_or_projectadmin_owner + create_address_scope: rule:admin_or_projectadmin_required + create_address_scope:shared: rule:admin_or_projectadmin_required + create_dhcp-network: rule:admin_only + create_flavor_service_profile: rule:admin_only + create_flavor: rule:admin_only + create_floatingip_port_forwarding: rule:admin_or_projectadmin_required + create_floatingip: rule:admin_or_projectadmin_required + create_floatingip:floating_ip_address: rule:admin_or_projectadmin_required + create_l3-router: rule:admin_only + create_log: rule:admin_only + create_lsn: rule:admin_only + create_metering_label_rule: rule:admin_only + create_metering_label: rule:admin_only + create_network_profile: rule:admin_only + create_network: rule:admin_or_projectadmin_required + create_network:is_default: rule:admin_only + create_network:provider:network_type: rule:admin_only + create_network:provider:physical_network: rule:admin_only + create_network:provider:segmentation_id: rule:admin_only + create_network:router:external: rule:admin_only + create_network:segments: rule:admin_only + create_network:shared: rule:admin_or_projectadmin_required + create_network:wrs-tm:qos: rule:admin_or_qos_owner + create_policy_bandwidth_limit_rule: rule:admin_only + create_policy_dscp_marking_rule: rule:admin_only + create_policy_minimum_bandwidth_rule: rule:admin_only + create_policy: rule:admin_only + create_port: rule:admin_or_projectmember_required + create_port:allowed_address_pairs: rule:admin_or_network_owner + create_port:binding:host_id: rule:admin_only + create_port:binding:profile: rule:admin_only + create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner + create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner + create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner + create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner + create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner + create_port:wrs-binding:mac_filtering: rule:admin_only + create_port:wrs-binding:mtu: rule:admin_only + create_port:wrs-tm:qos: rule:admin_or_qos_owner + create_providernet_range: rule:admin_only + create_providernet: rule:admin_only + create_portforwarding: rule:admin_or_projectadmin_required + create_qos_queue: rule:admin_only + create_qos: rule:admin_only + create_rbac_policy: rule:admin_or_projectadmin_required + create_rbac_policy:target_tenant: rule:restrict_wildcard + create_router: rule:admin_or_projectadmin_required + create_router:distributed: rule:admin_or_projectadmin_required + create_router:external_gateway_info:enable_snat: rule:admin_or_projectadmin_required + create_router:external_gateway_info:external_fixed_ips: rule:admin_or_projectadmin_required + create_router:ha: rule:admin_or_projectadmin_required + create_security_group_rule: rule:admin_or_projectadmin_owner + create_security_group: rule:admin_or_projectadmin_owner + create_segment: rule:admin_only + create_service_profile: rule:admin_only + create_subnet: rule:admin_or_projectadmin_network_owner + create_subnet:segment_id: rule:admin_only + create_subnet:service_types: rule:admin_only + create_subnet:wrs-provider:segmentation_id: rule:admin_only + create_subnetpool: rule:admin_or_projectadmin_required + create_subnetpool:is_default: rule:admin_only + create_subnetpool:shared: rule:admin_or_projectadmin_required + create_trunk: rule:admin_or_projectadmin_required + delete_address_scope: rule:admin_or_projectadmin_owner + delete_agent: rule:admin_only + delete_dhcp-network: rule:admin_only + delete_flavor_service_profile: rule:admin_only + delete_flavor: rule:admin_only + delete_floatingip_port_forwarding: rule:admin_or_projectadmin_ext_owner + delete_floatingip: rule:admin_or_projectadmin_owner + delete_l3-router: rule:admin_only + delete_log: rule:admin_only + delete_metering_label_rule: rule:admin_only + delete_metering_label: rule:admin_only + delete_network_profile: rule:admin_only + delete_network: rule:admin_or_projectadmin_owner + delete_policy_bandwidth_limit_rule: rule:admin_only + delete_policy_dscp_marking_rule: rule:admin_only + delete_policy_minimum_bandwidth_rule: rule:admin_only + delete_policy: rule:admin_only + delete_port: rule:context_is_advsvc or rule:admin_or_projectmember_generic_owner + delete_providernet_range: rule:admin_only + delete_providernet: rule:admin_only + delete_qos: rule:admin_only + delete_portforwarding: rule:admin_or_projectadmin_owner + delete_rbac_policy: rule:admin_or_projectadmin_owner + delete_router: rule:admin_or_projectadmin_owner + delete_security_group_rule: rule:admin_or_projectadmin_owner + delete_security_group: rule:admin_or_projectadmin_owner + delete_segment: rule:admin_only + delete_service_profile: rule:admin_only + delete_subnet: rule:admin_or_projectadmin_network_owner + delete_subnetpool: rule:admin_or_projectadmin_owner + delete_trunk: rule:admin_or_projectadmin_owner + get_address_scope: rule:admin_or_owner or rule:shared_address_scopes + get_agent-loadbalancers: rule:admin_only + get_agent: rule:admin_only + get_auto_allocated_topology: rule:admin_or_owner + get_dhcp-agents: rule:admin_only + get_dhcp-networks: rule:admin_only + get_flavor_service_profile: rule:regular_user + get_flavor: rule:regular_user + get_flavors: rule:regular_user + get_floatingip_port_forwarding: rule:admin_or_ext_parent_owner or rule:context_is_advsvc + get_floatingip: rule:admin_or_owner + get_l3-agents: rule:admin_only + get_l3-routers: rule:admin_only + get_loadbalancer-agent: rule:admin_only + get_loadbalancer-hosting-agent: rule:admin_only + get_loadbalancer-pools: rule:admin_only + get_log: rule:admin_only + get_loggable_resources: rule:admin_only + get_logs: rule:admin_only + get_lsn: rule:admin_only + get_metering_label_rule: rule:admin_only + get_metering_label: rule:admin_only + get_network_ip_availabilities: rule:admin_or_projectadmin_owner + get_network_ip_availability: rule:admin_or_projectadmin_owner + get_network_profile: "" + get_network_profiles: "" + get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc + get_network:provider:network_type: rule:admin_only + get_network:provider:physical_network: rule:admin_only + get_network:provider:segmentation_id: rule:admin_only + get_network:queue_id: rule:admin_only + get_network:router:external: rule:regular_user + get_network:segments: rule:admin_only + get_network:wrs-tm:qos: rule:admin_or_qos_owner + get_policy_bandwidth_limit_rule: rule:regular_user + get_policy_dscp_marking_rule: rule:regular_user + get_policy_minimum_bandwidth_rule: rule:regular_user + get_policy_profile: "" + get_policy_profiles: "" + get_policy: rule:regular_user + get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner + get_port:binding:host_id: rule:admin_only + get_port:binding:profile: rule:admin_only + get_port:binding:vif_details: rule:admin_only + get_port:binding:vif_type: rule:admin_only + get_port:queue_id: rule:admin_only + get_portforwarding: rule:admin_or_owner + get_portforwardings: rule:admin_or_owner + get_providernet_range: rule:admin_only + get_providernet_ranges: rule:admin_only + get_providernet_types: rule:admin_only + get_providernet-bindings: rule:admin_only + get_providernet: rule:admin_only + get_providernets: rule:admin_only + get_qos_queue: rule:admin_only + get_qos: rule:admin_or_owner + get_rbac_policy: rule:admin_or_owner + get_router: rule:admin_or_owner + get_router:distributed: rule:admin_or_projectadmin_required + get_router:ha: rule:admin_or_projectadmin_required + get_router:wrs-net:host: rule:admin_only + get_routers:wrs-net:host: rule:admin_only + get_rule_type: rule:regular_user + get_security_group_rule: rule:admin_or_owner + get_security_group_rules: rule:admin_or_owner + get_security_group: rule:admin_or_owner + get_security_groups: rule:admin_or_owner + get_segment: rule:admin_only + get_service_profile: rule:admin_only + get_service_profiles: rule:admin_only + get_service_provider: rule:regular_user + get_subnet: rule:admin_or_owner or rule:shared + get_subnet:segment_id: rule:admin_only + get_subnet:wrs-provider:network_type: rule:admin_only + get_subnet:wrs-provider:physical_network: rule:admin_only + get_subnet:wrs-provider:segmentation_id: rule:admin_only + get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools + insert_rule: rule:admin_or_owner + get_subports: "" + get_trunk: rule:admin_or_owner + remove_router_interface: rule:admin_or_projectadmin_owner + remove_subports: rule:admin_or_projectadmin_owner + remove_rule: rule:admin_or_owner + restrict_wildcard: (not field:rbac_policy:target_tenant=*) or rule:admin_only + shared_address_scopes: field:address_scopes:shared=True + shared_subnetpools: field:subnetpools:shared=True + shared: field:networks:shared=True + update_address_scope: rule:admin_or_projectadmin_owner + update_address_scope:shared: rule:admin_or_projectadmin_owner + update_agent: rule:admin_only + update_flavor: rule:admin_only + update_floatingip_port_forwarding: rule:admin_or_projectadmin_ext_owner + update_floatingip: rule:admin_or_projectadmin_owner + update_log: rule:admin_only + update_network_profile: rule:admin_only + update_network: rule:admin_or_projectadmin_owner + update_network:provider:network_type: rule:admin_only + update_network:provider:physical_network: rule:admin_only + update_network:provider:segmentation_id: rule:admin_only + update_network:router:external: rule:admin_only + update_network:segments: rule:admin_only + update_network:shared: rule:admin_or_projectadmin_required + update_network:wrs-tm:qos: rule:admin_or_qos_owner + update_policy_bandwidth_limit_rule: rule:admin_only + update_policy_dscp_marking_rule: rule:admin_only + update_policy_minimum_bandwidth_rule: rule:admin_only + update_policy_profiles: rule:admin_only + update_policy: rule:admin_only + update_port: rule:admin_or_projectmember_owner or rule:context_is_advsvc + update_port:allowed_address_pairs: rule:admin_or_network_owner + update_port:binding:host_id: rule:admin_only + update_port:binding:profile: rule:admin_only + update_port:data_plane_status: rule:admin_or_data_plane_int + update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner + update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner + update_port:mac_address: rule:admin_only or rule:context_is_advsvc + update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner + update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner + update_port:wrs-binding:mac_filtering: rule:admin_only + update_port:wrs-binding:mtu: rule:admin_only + update_port:wrs-tm:qos: rule:admin_or_qos_owner + update_providernet_range: rule:admin_only + update_providernet: rule:admin_only + update_qos: rule:admin_only + update_portforwarding: rule:admin_or_projectadmin_owner + update_rbac_policy: rule:admin_or_projectadmin_owner + update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner + update_router: rule:admin_or_projectadmin_owner + update_router:distributed: rule:admin_or_projectadmin_required + update_router:external_gateway_info: rule:admin_or_projectadmin_owner + update_router:external_gateway_info:enable_snat: rule:admin_or_projectadmin_required + update_router:external_gateway_info:external_fixed_ips: rule:admin_or_projectadmin_required + update_router:external_gateway_info:network_id: rule:admin_or_projectadmin_owner + update_router:ha: rule:admin_or_projectadmin_required + update_security_group: rule:admin_or_projectadmin_owner + update_segment: rule:admin_only + update_service_profile: rule:admin_only + update_subnet: rule:admin_or_projectadmin_network_owner + update_subnet:service_types: rule:admin_only + update_subnet:wrs-provider:segmentation_id: rule:admin_only + update_subnetpool: rule:admin_or_projectadmin_owner + update_subnetpool:is_default: rule:admin_only + update_trunk: rule:admin_or_projectadmin_owner + default: rule:admin_or_owner + nova: + admin_api: is_admin:True + admin_or_owner: is_admin:True or project_id:%(project_id)s + admin_or_projectadmin_owner: rule:context_is_admin or rule:projectadmin_and_owner + admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required + admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner + admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required + owner: project_id:%(project_id)s + projectadmin_and_owner: rule:projectadmin_required and rule:owner + projectadmin_required: role:project_admin + projectmember_and_owner: rule:projectmember_required and rule:owner + projectmember_required: role:project_admin or role:member + cells_scheduler_filter:TargetCellFilter: is_admin:True + compute:add_fixed_ip: rule:admin_or_projectmember_owner + compute:attach_interface: rule:admin_or_projectadmin_owner + compute:attach_volume: rule:admin_or_projectmember_owner + compute:backup: rule:admin_or_projectmember_owner + compute:confirm_resize: rule:admin_or_projectadmin_owner + compute:create:attach_network: rule:admin_or_projectmember_owner + compute:create:attach_volume: rule:admin_or_projectmember_owner + compute:create:forced_host: is_admin:True + compute:create: rule:admin_or_projectmember_required + compute:delete_instance_metadata: rule:admin_or_projectadmin_owner + compute:delete: rule:admin_or_projectadmin_owner + compute:detach_interface: rule:admin_or_projectadmin_owner + compute:detach_volume: rule:admin_or_projectmember_owner + compute_extension:accounts: rule:admin_api + compute_extension:admin_actions:createBackup: rule:admin_or_projectmember_owner + compute_extension:admin_actions:injectNetworkInfo: rule:admin_api + compute_extension:admin_actions:lock: rule:admin_or_projectadmin_owner + compute_extension:admin_actions:migrateLive: rule:admin_api + compute_extension:admin_actions:migrate: rule:admin_api + compute_extension:admin_actions:pause: rule:admin_or_projectadmin_owner + compute_extension:admin_actions:resetNetwork: rule:admin_api + compute_extension:admin_actions:resetState: rule:admin_api + compute_extension:admin_actions:resume: rule:admin_or_projectadmin_owner + compute_extension:admin_actions: rule:admin_api + compute_extension:admin_actions:suspend: rule:admin_or_projectadmin_owner + compute_extension:admin_actions:unlock: rule:admin_or_projectadmin_owner + compute_extension:admin_actions:unpause: rule:admin_or_projectadmin_owner + compute_extension:agents: rule:admin_api + compute_extension:aggregates: rule:admin_api + compute_extension:attach_interfaces: rule:admin_or_projectadmin_owner + compute_extension:availability_zone:detail: rule:admin_api + compute_extension:availability_zone:list: rule:admin_or_projectadmin_owner + compute_extension:baremetal_nodes: rule:admin_api + compute_extension:cells:create: rule:admin_api + compute_extension:cells:delete: rule:admin_api + compute_extension:cells: rule:admin_api + compute_extension:cells:sync_instances: rule:admin_api + compute_extension:cells:update: rule:admin_api + compute_extension:certificates: rule:admin_or_projectadmin_owner + compute_extension:cloudpipe: rule:admin_api + compute_extension:cloudpipe_update: rule:admin_api + compute_extension:config_drive: rule:admin_or_projectadmin_owner + compute_extension:console_auth_tokens: rule:admin_api + compute_extension:console_output: rule:admin_or_projectmember_owner + compute_extension:consoles: rule:admin_or_projectmember_owner + compute_extension:createserverext: rule:admin_or_projectadmin_owner + compute_extension:deferred_delete: rule:admin_or_projectadmin_owner + compute_extension:disk_config: rule:admin_or_projectadmin_owner + compute_extension:evacuate: rule:admin_api + compute_extension:extended_availability_zone: rule:admin_or_projectadmin_owner + compute_extension:extended_ips_mac: rule:admin_or_projectadmin_owner + compute_extension:extended_ips: rule:admin_or_projectadmin_owner + compute_extension:extended_server_attributes: rule:admin_api + compute_extension:extended_status: rule:admin_or_projectadmin_owner + compute_extension:extended_vif_net: rule:admin_or_projectadmin_owner + compute_extension:extended_volumes: rule:admin_or_projectadmin_owner + compute_extension:fixed_ips: rule:admin_api + compute_extension:flavor_access:addTenantAccess: rule:admin_api + compute_extension:flavor_access:removeTenantAccess: rule:admin_api + compute_extension:flavor_access: rule:admin_or_owner + compute_extension:flavor_disabled: rule:admin_or_owner + compute_extension:flavorextradata: rule:admin_or_owner + compute_extension:flavorextraspecs:create: rule:admin_api + compute_extension:flavorextraspecs:delete: rule:admin_api + compute_extension:flavorextraspecs:index: rule:admin_or_owner + compute_extension:flavorextraspecs:show: rule:admin_or_owner + compute_extension:flavorextraspecs:update: rule:admin_api + compute_extension:flavormanage: rule:admin_api + compute_extension:flavor_rxtx: rule:admin_or_owner + compute_extension:flavor_swap: rule:admin_or_owner + compute_extension:floating_ip_dns: rule:admin_or_projectadmin_owner + compute_extension:floating_ip_pools: rule:admin_or_projectadmin_owner + compute_extension:floating_ips_bulk: rule:admin_api + compute_extension:floating_ips: rule:admin_or_projectmember_owner + compute_extension:fping:all_tenants: rule:admin_api + compute_extension:fping: rule:admin_or_projectmember_owner + compute_extension:hide_server_addresses: is_admin:False + compute_extension:hosts: rule:admin_api + compute_extension:hypervisors: rule:admin_api + compute_extension:image_size: rule:admin_or_owner + compute_extension:instance_actions:events: rule:admin_api + compute_extension:instance_actions: rule:admin_or_projectadmin_owner + compute_extension:instance_usage_audit_log: rule:admin_api + compute_extension:keypairs:create: rule:admin_or_projectadmin_owner + compute_extension:keypairs:delete: rule:admin_or_projectadmin_owner + compute_extension:keypairs:index: rule:admin_or_projectadmin_owner + compute_extension:keypairs: rule:admin_or_projectadmin_owner + compute_extension:keypairs:show: rule:admin_or_projectadmin_owner + compute_extension:migrations:index: rule:admin_api + compute_extension:multinic: rule:admin_or_projectadmin_owner + compute_extension:networks_associate: rule:admin_api + compute_extension:networks: rule:admin_api + compute_extension:networks:view: rule:admin_or_owner + compute_extension:os-assisted-volume-snapshots:create: rule:admin_api + compute_extension:os-assisted-volume-snapshots:delete: rule:admin_api + compute_extension:os-server-external-events:create: rule:admin_api + compute_extension:os-tenant-networks: rule:admin_or_projectadmin_owner + compute_extension:quota_classes: rule:admin_or_projectadmin_owner + compute_extension:quotas:delete: rule:admin_api + compute_extension:quotas:show: rule:admin_or_projectadmin_owner + compute_extension:quotas:update: rule:admin_api + compute_extension:rescue: rule:admin_or_projectadmin_owner + compute_extension:security_group_default_rules: rule:admin_api + compute_extension:security_groups: rule:admin_or_projectadmin_owner + compute_extension:server_diagnostics: rule:admin_api + compute_extension:server_groups: rule:admin_or_projectadmin_owner + compute_extension:server_password: rule:admin_or_projectadmin_owner + compute_extension:server_usage: rule:admin_or_owner + compute_extension:services: rule:admin_api + compute_extension:shelveOffload: rule:admin_api + compute_extension:shelve: rule:admin_or_projectadmin_owner + compute_extension:simple_tenant_usage:list: rule:admin_api + compute_extension:simple_tenant_usage:show: rule:admin_or_owner + compute_extension:unshelve: rule:admin_or_projectadmin_owner + compute_extension:used_limits_for_admin: rule:admin_api + compute_extension:users: rule:admin_api + compute_extension:virtual_interfaces: rule:admin_or_projectadmin_owner + compute_extension:virtual_storage_arrays: rule:admin_or_projectadmin_owner + compute_extension:volume_attachments:create: rule:admin_or_projectmember_owner + compute_extension:volume_attachments:delete: rule:admin_or_projectmember_owner + compute_extension:volume_attachments:index: rule:admin_or_owner + compute_extension:volume_attachments:show: rule:admin_or_owner + compute_extension:volume_attachments:update: rule:admin_api + compute_extension:volumes: rule:admin_or_owner + compute_extension:volumetypes: rule:admin_or_owner + compute:force_delete: rule:admin_or_projectadmin_owner + compute:get_all_instance_metadata: rule:admin_or_owner + compute:get_all_instance_system_metadata: rule:admin_or_projectadmin_owner + compute:get_all: rule:admin_or_owner + compute:get_all_tenants: is_admin:True + compute:get_console_output: rule:admin_or_projectmember_owner + compute:get_diagnostics: rule:admin_or_owner + compute:get_instance_diagnostics: rule:admin_or_owner + compute:get_instance_metadata: rule:admin_or_owner + compute:get_mks_console: rule:admin_or_projectmember_owner + compute:get_rdp_console: rule:admin_or_projectmember_owner + compute:get: rule:admin_or_owner + compute:get_serial_console: rule:admin_or_projectmember_owner + compute:get_spice_console: rule:admin_or_projectmember_owner + compute:get_vnc_console: rule:admin_or_projectmember_owner + compute:inject_network_info: rule:admin_or_projectmember_owner + compute:lock: rule:admin_or_projectadmin_owner + compute:pause: rule:admin_or_projectadmin_owner + compute:reboot: rule:admin_or_projectadmin_owner + compute:rebuild: rule:admin_or_projectadmin_owner + compute:remove_fixed_ip: rule:admin_or_projectadmin_owner + compute:rescue: rule:admin_or_projectadmin_owner + compute:reset_network: rule:admin_or_projectadmin_owner + compute:resize: rule:admin_or_projectadmin_owner + compute:restore: rule:admin_or_projectadmin_owner + compute:resume: rule:admin_or_projectadmin_owner + compute:revert_resize: rule:admin_or_projectadmin_owner + compute:security_groups:add_to_instance: rule:admin_or_projectadmin_owner + compute:security_groups:remove_from_instance: rule:admin_or_projectadmin_owner + compute:set_admin_password: rule:admin_or_projectadmin_owner + compute:shelve_offload: rule:admin_or_projectadmin_owner + compute:shelve: rule:admin_or_projectadmin_owner + compute:snapshot: rule:admin_or_projectmember_owner + compute:snapshot_volume_backed: rule:admin_or_projectmember_owner + compute:soft_delete: rule:admin_or_projectadmin_owner + compute:start: rule:admin_or_projectmember_owner + compute:stop: rule:admin_or_projectadmin_owner + compute:suspend: rule:admin_or_projectadmin_owner + compute:swap_volume: rule:admin_api + compute:unlock_override: rule:admin_api + compute:unlock: rule:admin_or_projectadmin_owner + compute:unpause: rule:admin_or_projectadmin_owner + compute:unrescue: rule:admin_or_projectadmin_owner + compute:unshelve: rule:admin_or_projectadmin_owner + compute:update_instance_metadata: rule:admin_or_projectadmin_owner + compute:update: rule:admin_or_projectadmin_owner + compute:volume_snapshot_create: rule:admin_or_projectmember_owner + compute:volume_snapshot_delete: rule:admin_or_projectadmin_owner + context_is_admin: role:admin + default: rule:admin_or_projectadmin_owner + network:add_dns_entry: rule:admin_or_projectadmin_owner + network:add_fixed_ip_to_instance: rule:admin_or_projectmember_owner + network:add_network_to_project: rule:admin_or_projectmember_owner + network:allocate_floating_ip: rule:admin_or_projectmember_owner + network:allocate_for_instance: rule:admin_or_projectmember_owner + network:associate_floating_ip: rule:admin_or_projectadmin_owner + network:associate: rule:admin_or_projectadmin_owner + network:attach_external_network: rule:admin_api + network:create_private_dns_domain: rule:admin_or_projectadmin_owner + network:create_public_dns_domain: rule:admin_or_projectadmin_owner + network:create: rule:admin_or_projectmember_owner + network:deallocate_for_instance: rule:admin_or_projectadmin_owner + network:delete_dns_domain: rule:admin_or_projectadmin_owner + network:delete_dns_entry: rule:admin_or_projectadmin_owner + network:delete: rule:admin_or_projectadmin_owner + network:disassociate_floating_ip: rule:admin_or_projectadmin_owner + network:disassociate: rule:admin_or_projectadmin_owner + network:get_all: rule:admin_or_owner + network:get_backdoor_port: rule:admin_or_owner + network:get_dns_domains: rule:admin_or_owner + network:get_dns_entries_by_address: rule:admin_or_owner + network:get_dns_entries_by_name: rule:admin_or_owner + network:get_fixed_ip_by_address: rule:admin_or_owner + network:get_fixed_ip: rule:admin_or_owner + network:get_floating_ip_by_address: rule:admin_or_owner + network:get_floating_ip_pools: rule:admin_or_owner + network:get_floating_ip: rule:admin_or_owner + network:get_floating_ips_by_fixed_address: rule:admin_or_owner + network:get_floating_ips_by_project: rule:admin_or_owner + network:get_instance_id_by_floating_address: rule:admin_or_owner + network:get_instance_nw_info: rule:admin_or_owner + network:get_instance_uuids_by_ip_filter: rule:admin_or_owner + network:get: rule:admin_or_owner + network:get_vif_by_mac_address: rule:admin_or_owner + network:get_vifs_by_instance: rule:admin_or_owner + network:migrate_instance_finish: rule:admin_or_projectmember_owner + network:migrate_instance_start: rule:admin_or_projectmember_owner + network:modify_dns_entry: rule:admin_or_projectadmin_owner + network:release_floating_ip: rule:admin_or_projectadmin_owner + network:remove_fixed_ip_from_instance: rule:admin_or_projectadmin_owner + network:setup_networks_on_host: rule:admin_or_projectadmin_owner + network:validate_networks: rule:admin_or_projectadmin_owner + os_compute_api:extension_info:discoverable: "" + os_compute_api:extensions:discoverable: "" + os_compute_api:extensions: rule:admin_or_projectadmin_owner + os_compute_api:flavors:discoverable: "" + os_compute_api:flavors: rule:admin_or_owner + os_compute_api:images:discoverable: "" + os_compute_api:image-size:discoverable: "" + os_compute_api:image-size: rule:admin_or_owner + os_compute_api:ips:discoverable: "" + os_compute_api:ips:index: rule:admin_or_owner + os_compute_api:ips:show: rule:admin_or_owner + os_compute_api:limits:discoverable: "" + os_compute_api:limits: rule:admin_or_owner + os_compute_api:os-access-ips:discoverable: "" + os_compute_api:os-access-ips: rule:admin_or_owner + os_compute_api:os-admin-actions:discoverable: "" + os_compute_api:os-admin-actions:inject_network_info: rule:admin_api + os_compute_api:os-admin-actions:reset_network: rule:admin_api + os_compute_api:os-admin-actions:reset_state: rule:admin_api + os_compute_api:os-admin-actions: rule:admin_api + os_compute_api:os-admin-password:discoverable: "" + os_compute_api:os-admin-password: rule:admin_or_projectadmin_owner + os_compute_api:os-agents:discoverable: "" + os_compute_api:os-agents: rule:admin_api + os_compute_api:os-aggregates:add_host: rule:admin_api + os_compute_api:os-aggregates:create: rule:admin_api + os_compute_api:os-aggregates:delete: rule:admin_api + os_compute_api:os-aggregates:discoverable: "" + os_compute_api:os-aggregates:index: rule:admin_api + os_compute_api:os-aggregates:remove_host: rule:admin_api + os_compute_api:os-aggregates:set_metadata: rule:admin_api + os_compute_api:os-aggregates:show: rule:admin_api + os_compute_api:os-aggregates:update: rule:admin_api + os_compute_api:os-assisted-volume-snapshots:create: rule:admin_api + os_compute_api:os-assisted-volume-snapshots:delete: rule:admin_api + os_compute_api:os-assisted-volume-snapshots:discoverable: "" + os_compute_api:os-attach-interfaces:create: rule:admin_or_projectadmin_owner + os_compute_api:os-attach-interfaces:delete: rule:admin_or_projectadmin_owner + os_compute_api:os-attach-interfaces:discoverable: "" + os_compute_api:os-attach-interfaces: rule:admin_or_projectadmin_owner + os_compute_api:os-availability-zone:detail: rule:admin_api + os_compute_api:os-availability-zone:discoverable: "" + os_compute_api:os-availability-zone:list: "" + os_compute_api:os-baremetal-nodes:discoverable: "" + os_compute_api:os-baremetal-nodes: rule:admin_api + os_compute_api:os-block-device-mapping-v1:discoverable: "" + os_compute_api:os-cells:create: rule:admin_api + os_compute_api:os-cells:delete: rule:admin_api + os_compute_api:os-cells:discoverable: "" + os_compute_api:os-cells: rule:admin_api + os_compute_api:os-cells:sync_instances: rule:admin_api + os_compute_api:os-cells:update: rule:admin_api + os_compute_api:os-certificates:create: rule:admin_or_projectadmin_owner + os_compute_api:os-certificates:discoverable: "" + os_compute_api:os-certificates:show: rule:admin_or_owner + os_compute_api:os-cloudpipe:discoverable: "" + os_compute_api:os-cloudpipe: rule:admin_api + os_compute_api:os-config-drive:discoverable: "" + os_compute_api:os-config-drive: rule:admin_or_projectadmin_owner + os_compute_api:os-console-auth-tokens:discoverable: "" + os_compute_api:os-console-auth-tokens: rule:admin_api + os_compute_api:os-console-output:discoverable: "" + os_compute_api:os-console-output: rule:admin_or_projectmember_owner + os_compute_api:os-consoles:create: rule:admin_or_projectmember_owner + os_compute_api:os-consoles:delete: rule:admin_or_projectmember_owner + os_compute_api:os-consoles:discoverable: "" + os_compute_api:os-consoles:index: rule:admin_or_projectmember_owner + os_compute_api:os-consoles:show: rule:admin_or_projectmember_owner + os_compute_api:os-create-backup:discoverable: "" + os_compute_api:os-create-backup: rule:admin_or_projectadmin_owner + os_compute_api:os-deferred-delete:discoverable: "" + os_compute_api:os-deferred-delete: rule:admin_or_projectadmin_owner + os_compute_api:os-disk-config:discoverable: "" + os_compute_api:os-disk-config: rule:admin_or_projectadmin_owner + os_compute_api:os-evacuate:discoverable: "" + os_compute_api:os-evacuate: rule:admin_api + os_compute_api:os-extended-availability-zone:discoverable: "" + os_compute_api:os-extended-availability-zone: rule:admin_or_projectadmin_owner + os_compute_api:os-extended-server-attributes:discoverable: "" + os_compute_api:os-extended-server-attributes: rule:admin_api + os_compute_api:os-extended-status:discoverable: "" + os_compute_api:os-extended-status: rule:admin_or_projectadmin_owner + os_compute_api:os-extended-volumes:discoverable: "" + os_compute_api:os-extended-volumes: rule:admin_or_projectadmin_owner + os_compute_api:os-fixed-ips:discoverable: "" + os_compute_api:os-fixed-ips: rule:admin_api + os_compute_api:os-flavor-access:add_tenant_access: rule:admin_api + os_compute_api:os-flavor-access:discoverable: "" + os_compute_api:os-flavor-access:remove_tenant_access: rule:admin_api + os_compute_api:os-flavor-access: rule:admin_or_owner + os_compute_api:os-flavor-extra-specs:create: rule:admin_api + os_compute_api:os-flavor-extra-specs:delete: rule:admin_api + os_compute_api:os-flavor-extra-specs:discoverable: "" + os_compute_api:os-flavor-extra-specs:index: rule:admin_or_owner + os_compute_api:os-flavor-extra-specs:show: rule:admin_or_owner + os_compute_api:os-flavor-extra-specs:update: rule:admin_api + os_compute_api:os-flavor-manage:discoverable: "" + os_compute_api:os-flavor-manage: rule:admin_api + os_compute_api:os-flavor-rxtx:discoverable: "" + os_compute_api:os-flavor-rxtx: rule:admin_or_owner + os_compute_api:os-floating-ip-dns:discoverable: "" + os_compute_api:os-floating-ip-dns:domain:delete: rule:admin_api + os_compute_api:os-floating-ip-dns:domain:update: rule:admin_api + os_compute_api:os-floating-ip-dns: rule:admin_or_projectadmin_owner + os_compute_api:os-floating-ip-pools:discoverable: "" + os_compute_api:os-floating-ip-pools: rule:admin_or_projectadmin_owner + os_compute_api:os-floating-ips-bulk:discoverable: "" + os_compute_api:os-floating-ips-bulk: rule:admin_api + os_compute_api:os-floating-ips:discoverable: "" + os_compute_api:os-floating-ips: rule:admin_or_projectadmin_owner + os_compute_api:os-fping:all_tenants: rule:admin_api + os_compute_api:os-fping:discoverable: "" + os_compute_api:os-fping: rule:admin_or_projectadmin_owner + os_compute_api:os-hide-server-addresses:discoverable: "" + os_compute_api:os-hide-server-addresses: is_admin:False + os_compute_api:os-hosts:discoverable: "" + os_compute_api:os-hosts: rule:admin_api + os_compute_api:os-hypervisors:discoverable: "" + os_compute_api:os-hypervisors: rule:admin_api + os_compute_api:os-instance-actions:discoverable: "" + os_compute_api:os-instance-actions:events: rule:admin_api + os_compute_api:os-instance-actions: rule:admin_or_projectadmin_owner + os_compute_api:os-instance-usage-audit-log:discoverable: "" + os_compute_api:os-instance-usage-audit-log: rule:admin_api + os_compute_api:os-keypairs:create: rule:admin_api or user_id:%(user_id)s + os_compute_api:os-keypairs:delete: rule:admin_api or user_id:%(user_id)s + os_compute_api:os-keypairs:discoverable: "" + os_compute_api:os-keypairs:index: rule:admin_api or user_id:%(user_id)s + os_compute_api:os-keypairs: rule:admin_or_owner + os_compute_api:os-keypairs:show: rule:admin_api or user_id:%(user_id)s + os_compute_api:os-lock-server:discoverable: "" + os_compute_api:os-lock-server:lock: rule:admin_or_projectadmin_owner + os_compute_api:os-lock-server:unlock: rule:admin_or_projectadmin_owner + os_compute_api:os-lock-server:unlock:unlock_override: rule:admin_api + os_compute_api:os-migrate-server:discoverable: "" + os_compute_api:os-migrate-server:migrate_live: rule:admin_api + os_compute_api:os-migrate-server:migrate: rule:admin_api + os_compute_api:os-migrations:discoverable: "" + os_compute_api:os-migrations:index: rule:admin_api + os_compute_api:os-multinic:discoverable: "" + os_compute_api:os-multinic: rule:admin_or_projectadmin_owner + os_compute_api:os-networks-associate:discoverable: "" + os_compute_api:os-networks-associate: rule:admin_api + os_compute_api:os-networks:discoverable: "" + os_compute_api:os-networks: rule:admin_api + os_compute_api:os-networks:view: rule:admin_or_owner + os_compute_api:os-pause-server:discoverable: "" + os_compute_api:os-pause-server:pause: rule:admin_or_projectadmin_owner + os_compute_api:os-pause-server:unpause: rule:admin_or_projectadmin_owner + os_compute_api:os-pci:detail: rule:admin_api + os_compute_api:os-pci:discoverable: "" + os_compute_api:os-pci:index: rule:admin_api + os_compute_api:os-pci:pci_servers: rule:admin_or_projectadmin_owner + os_compute_api:os-pci:show: rule:admin_api + os_compute_api:os-personality:discoverable: "" + os_compute_api:os-preserve-ephemeral-rebuild:discoverable: "" + os_compute_api:os-quota-class-sets:discoverable: "" + os_compute_api:os-quota-class-sets:show: is_admin:True or quota_class:%(quota_class)s + os_compute_api:os-quota-class-sets:update: rule:admin_api + os_compute_api:os-quota-sets:defaults: "" + os_compute_api:os-quota-sets:delete: rule:admin_api + os_compute_api:os-quota-sets:detail: rule:admin_api + os_compute_api:os-quota-sets:discoverable: "" + os_compute_api:os-quota-sets:show: rule:admin_or_projectadmin_owner + os_compute_api:os-quota-sets:update: rule:admin_api + os_compute_api:os-remote-consoles:discoverable: "" + os_compute_api:os-remote-consoles: rule:admin_or_projectmember_owner + os_compute_api:os-rescue:discoverable: rule:admin_or_projectadmin_owner + os_compute_api:os-rescue: rule:admin_or_projectadmin_owner + os_compute_api:os-scheduler-hints:discoverable: "" + os_compute_api:os-security-group-default-rules:discoverable: "" + os_compute_api:os-security-group-default-rules: rule:admin_api + os_compute_api:os-security-groups:discoverable: "" + os_compute_api:os-security-groups: rule:admin_or_projectadmin_owner + os_compute_api:os-server-diagnostics:discoverable: "" + os_compute_api:os-server-diagnostics: rule:admin_api + os_compute_api:os-server-external-events:create: rule:admin_api + os_compute_api:os-server-external-events:discoverable: "" + os_compute_api:os-server-groups:create: rule:admin_or_projectadmin_owner + os_compute_api:os-server-groups:delete: rule:admin_or_projectadmin_owner + os_compute_api:os-server-groups:discoverable: "" + os_compute_api:os-server-groups: rule:admin_or_projectadmin_owner + os_compute_api:os-server-password:discoverable: "" + os_compute_api:os-server-password: rule:admin_or_projectadmin_owner + os_compute_api:os-server-tags:delete_all: rule:admin_or_projectadmin_owner + os_compute_api:os-server-tags:delete: rule:admin_or_projectadmin_owner + os_compute_api:os-server-tags:discoverable: "" + os_compute_api:os-server-tags:index: "" + os_compute_api:os-server-tags:show: rule:admin_or_owner + os_compute_api:os-server-tags:update_all: rule:admin_or_projectadmin_owner + os_compute_api:os-server-tags:update: rule:admin_or_projectadmin_owner + os_compute_api:os-server-usage:discoverable: "" + os_compute_api:os-server-usage: rule:admin_or_projectadmin_owner + os_compute_api:os-services:discoverable: "" + os_compute_api:os-services: rule:admin_api + os_compute_api:os-shelve:shelve:discoverable: "" + os_compute_api:os-shelve:shelve_offload: rule:admin_api + os_compute_api:os-shelve:shelve: rule:admin_or_projectadmin_owner + os_compute_api:os-shelve:unshelve: rule:admin_or_projectadmin_owner + os_compute_api:os-simple-tenant-usage:discoverable: "" + os_compute_api:os-simple-tenant-usage:list: rule:admin_api + os_compute_api:os-simple-tenant-usage:show: rule:admin_or_projectadmin_owner + os_compute_api:os-suspend-server:discoverable: "" + os_compute_api:os-suspend-server:resume: rule:admin_or_projectadmin_owner + os_compute_api:os-suspend-server:suspend: rule:admin_or_projectadmin_owner + os_compute_api:os-tenant-networks:discoverable: "" + os_compute_api:os-tenant-networks: rule:admin_or_owner + os_compute_api:os-used-limits:discoverable: "" + os_compute_api:os-used-limits: rule:admin_api + os_compute_api:os-user-data:discoverable: "" + os_compute_api:os-virtual-interfaces:discoverable: "" + os_compute_api:os-virtual-interfaces: rule:admin_or_projectadmin_owner + os_compute_api:os-volumes-attachments:create: rule:admin_or_projectmember_owner + os_compute_api:os-volumes-attachments:delete: rule:admin_or_projectmember_owner + os_compute_api:os-volumes-attachments:discoverable: "" + os_compute_api:os-volumes-attachments:index: rule:admin_or_owner + os_compute_api:os-volumes-attachments:show: rule:admin_or_owner + os_compute_api:os-volumes-attachments:update: rule:admin_or_projectmember_owner + os_compute_api:os-volumes:discoverable: "" + os_compute_api:os-volumes: rule:admin_or_projectmember_owner + os_compute_api:server-metadata:create: rule:admin_or_projectadmin_owner + os_compute_api:server-metadata:delete: rule:admin_or_projectadmin_owner + os_compute_api:server-metadata:discoverable: "" + os_compute_api:server-metadata:index: rule:admin_or_owner + os_compute_api:server-metadata:show: rule:admin_or_owner + os_compute_api:server-metadata:update_all: rule:admin_or_projectadmin_owner + os_compute_api:server-metadata:update: rule:admin_or_projectadmin_owner + os_compute_api:servers:confirm_resize: rule:admin_or_projectadmin_owner + os_compute_api:servers:create:attach_network: rule:admin_or_projectmember_owner + os_compute_api:servers:create:attach_volume: rule:admin_or_projectmember_owner + os_compute_api:servers:create:forced_host: rule:admin_or_projectadmin_owner + os_compute_api:servers:create_image:allow_volume_backed: rule:admin_or_projectmember_owner + os_compute_api:servers:create_image: rule:admin_or_projectmember_owner + os_compute_api:servers:create: rule:admin_or_projectmember_owner + os_compute_api:servers:delete: rule:admin_or_projectadmin_owner + os_compute_api:servers:detail:get_all_tenants: rule:admin_api + os_compute_api:servers:detail: rule:admin_or_owner + os_compute_api:servers:discoverable: "" + os_compute_api:servers:index:get_all_tenants: rule:admin_api + os_compute_api:servers:index: rule:admin_or_owner + os_compute_api:servers:migrations:delete: rule:admin_api + os_compute_api:servers:migrations:force_complete: rule:admin_api + os_compute_api:servers:migrations:index: rule:admin_api + os_compute_api:servers:migrations:show: rule:admin_api + os_compute_api:servers:reboot: rule:admin_or_projectadmin_owner + os_compute_api:servers:rebuild: rule:admin_or_projectadmin_owner + os_compute_api:servers:resize: rule:admin_or_projectadmin_owner + os_compute_api:servers:revert_resize: rule:admin_or_projectadmin_owner + os_compute_api:servers:show:host_status: rule:admin_api + os_compute_api:servers:show: rule:admin_or_owner + os_compute_api:servers:start: rule:admin_or_projectadmin_owner + os_compute_api:servers:stop: rule:admin_or_projectadmin_owner + os_compute_api:servers:trigger_crash_dump: rule:admin_or_projectadmin_owner + os_compute_api:servers:update: rule:admin_or_projectadmin_owner + os_compute_api:versions:discoverable: "" diff --git a/enhanced-policies/keystone-policy-overrides.yml b/enhanced-policies/keystone-policy-overrides.yml new file mode 100644 index 00000000..e2627ffb --- /dev/null +++ b/enhanced-policies/keystone-policy-overrides.yml @@ -0,0 +1,174 @@ +conf: + policy: + admin_or_owner: rule:admin_required or rule:owner + admin_or_token_subject: rule:admin_required or rule:token_subject + admin_required: role:admin or is_admin:1 + default: rule:admin_required + identity:add_endpoint_group_to_project: rule:admin_required + identity:add_endpoint_to_project: rule:admin_required + identity:add_user_to_group: rule:admin_required + identity:authorize_request_token: rule:admin_required + identity:change_password: rule:admin_or_owner + identity:check_endpoint_in_project: rule:admin_required + identity:check_grant: rule:admin_required + identity:check_implied_role: rule:admin_required + identity:check_policy_association_for_endpoint: rule:admin_required + identity:check_policy_association_for_region_and_service: rule:admin_required + identity:check_policy_association_for_service: rule:admin_required + identity:check_token: rule:admin_or_token_subject + identity:check_user_in_group: rule:admin_required + identity:create_consumer: rule:admin_required + identity:create_credential: rule:admin_required + identity:create_domain: rule:admin_required + identity:create_domain_config: rule:admin_required + identity:create_domain_role: rule:admin_required + identity:create_endpoint: rule:admin_required + identity:create_endpoint_group: rule:admin_required + identity:create_grant: rule:admin_required + identity:create_group: rule:admin_required + identity:create_identity_provider: rule:admin_required + identity:create_implied_role: rule:admin_required + identity:create_mapping: rule:admin_required + identity:create_policy: rule:admin_required + identity:create_policy_association_for_endpoint: rule:admin_required + identity:create_policy_association_for_region_and_service: rule:admin_required + identity:create_policy_association_for_service: rule:admin_required + identity:create_project: rule:admin_required + identity:create_protocol: rule:admin_required + identity:create_region: rule:admin_required + identity:create_role: rule:admin_required + identity:create_service: rule:admin_required + identity:create_service_provider: rule:admin_required + identity:create_trust: user_id:%(trust.trustor_user_id)s + identity:create_user: rule:admin_required + identity:delete_access_token: rule:admin_required + identity:delete_consumer: rule:admin_required + identity:delete_credential: rule:admin_required + identity:delete_domain: rule:admin_required + identity:delete_domain_config: rule:admin_required + identity:delete_domain_role: rule:admin_required + identity:delete_endpoint: rule:admin_required + identity:delete_endpoint_group: rule:admin_required + identity:delete_group: rule:admin_required + identity:delete_identity_provider: rule:admin_required + identity:delete_implied_role: rule:admin_required + identity:delete_mapping: rule:admin_required + identity:delete_policy: rule:admin_required + identity:delete_policy_association_for_endpoint: rule:admin_required + identity:delete_policy_association_for_region_and_service: rule:admin_required + identity:delete_policy_association_for_service: rule:admin_required + identity:delete_project: rule:admin_required + identity:delete_protocol: rule:admin_required + identity:delete_region: rule:admin_required + identity:delete_role: rule:admin_required + identity:delete_service: rule:admin_required + identity:delete_service_provider: rule:admin_required + identity:delete_trust: "" + identity:delete_user: rule:admin_required + identity:ec2_create_credential: rule:admin_or_owner + identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) + identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) + identity:ec2_list_credentials: rule:admin_or_owner + identity:get_access_token: rule:admin_required + identity:get_access_token_role: rule:admin_required + identity:get_auth_catalog: "" + identity:get_auth_domains: "" + identity:get_auth_projects: "" + identity:get_consumer: rule:admin_required + identity:get_credential: rule:admin_required + identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s + identity:get_domain_config: rule:admin_required + identity:get_domain_config_default: rule:admin_required + identity:get_domain_role: rule:admin_required + identity:get_endpoint: rule:admin_required + identity:get_endpoint_group: rule:admin_required + identity:get_endpoint_group_in_project: rule:admin_required + identity:get_group: rule:admin_required + identity:get_identity_providers: rule:admin_required + identity:get_implied_role: 'rule:admin_required ' + identity:get_mapping: rule:admin_required + identity:get_policy: rule:admin_required + identity:get_policy_for_endpoint: rule:admin_required + identity:get_project: rule:admin_required or project_id:%(target.project.id)s + identity:get_protocol: rule:admin_required + identity:get_region: "" + identity:get_role: rule:admin_required + identity:get_role_for_trust: "" + identity:get_security_compliance_domain_config: "" + identity:get_service: rule:admin_required + identity:get_service_provider: rule:admin_required + identity:get_user: rule:admin_or_owner + identity:list_access_token_roles: rule:admin_required + identity:list_access_tokens: rule:admin_required + identity:list_consumers: rule:admin_required + identity:list_credentials: rule:admin_required + identity:list_domain_roles: rule:admin_required + identity:list_domains: rule:admin_required + identity:list_domains_for_user: "" + identity:list_endpoint_groups: rule:admin_required + identity:list_endpoint_groups_for_project: rule:admin_required + identity:list_endpoints: rule:admin_required + identity:list_endpoints_associated_with_endpoint_group: rule:admin_required + identity:list_endpoints_for_policy: rule:admin_required + identity:list_endpoints_for_project: rule:admin_required + identity:list_grants: rule:admin_required + identity:list_groups: rule:admin_required + identity:list_groups_for_user: rule:admin_or_owner + identity:list_identity_providers: rule:admin_required + identity:list_implied_roles: rule:admin_required + identity:list_mappings: rule:admin_required + identity:list_policies: rule:admin_required + identity:list_projects: rule:admin_required + identity:list_projects_associated_with_endpoint_group: rule:admin_required + identity:list_projects_for_endpoint: rule:admin_required + identity:list_projects_for_user: "" + identity:list_protocols: rule:admin_required + identity:list_regions: "" + identity:list_revoke_events: rule:service_or_admin + identity:list_role_assignments: rule:admin_required + identity:list_role_assignments_for_tree: rule:admin_required + identity:list_role_inference_rules: rule:admin_required + identity:list_roles: rule:admin_required + identity:list_roles_for_trust: "" + identity:list_service_providers: rule:admin_required + identity:list_services: rule:admin_required + identity:list_trusts: "" + identity:list_user_projects: rule:admin_or_owner + identity:list_users: rule:admin_required + identity:list_users_in_group: rule:admin_required + identity:project_users_access: rule:project_mod_or_admin + identity:remove_endpoint_from_project: rule:admin_required + identity:remove_endpoint_group_from_project: rule:admin_required + identity:remove_user_from_group: rule:admin_required + identity:revocation_list: rule:service_or_admin + identity:revoke_grant: rule:admin_required + identity:revoke_token: rule:admin_or_token_subject + identity:update_consumer: rule:admin_required + identity:update_credential: rule:admin_required + identity:update_domain: rule:admin_required + identity:update_domain_config: rule:admin_required + identity:update_domain_role: rule:admin_required + identity:update_endpoint: rule:admin_required + identity:update_endpoint_group: rule:admin_required + identity:update_group: rule:admin_required + identity:update_identity_provider: rule:admin_required + identity:update_mapping: rule:admin_required + identity:update_policy: rule:admin_required + identity:update_project: rule:admin_required + identity:update_protocol: rule:admin_required + identity:update_region: rule:admin_required + identity:update_role: rule:admin_required + identity:update_service: rule:admin_required + identity:update_service_provider: rule:admin_required + identity:update_user: rule:admin_required + identity:validate_token: rule:service_admin_or_token_subject + identity:validate_token_head: rule:service_or_admin + owner: user_id:%(user_id)s + project_admin: role:project_admin + project_admin_only: rule:admin_required or rule:project_admin + project_mod: role:project_mod + project_mod_or_admin: rule:admin_required or rule:project_mod or rule:project_admin + service_admin_or_token_subject: rule:service_or_admin or rule:token_subject + service_or_admin: rule:admin_required or rule:service_role + service_role: role:service + token_subject: user_id:%(target.token.user_id)s diff --git a/enhanced-policies/neutron-policy-overrides.yml b/enhanced-policies/neutron-policy-overrides.yml new file mode 100644 index 00000000..6820244a --- /dev/null +++ b/enhanced-policies/neutron-policy-overrides.yml @@ -0,0 +1,270 @@ +conf: + policy: + add_router_interface: rule:admin_or_projectadmin_owner + add_subports: rule:admin_or_projectadmin_owner + admin_only: rule:context_is_admin + admin_or_data_plane_int: rule:context_is_admin or role:data_plane_integrator + admin_or_generic_owner: rule:context_is_admin or rule:generic_owner + admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s + admin_or_ext_parent_owner: rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s + admin_or_owner: rule:context_is_admin or rule:owner + admin_or_projectadmin_generic_owner: rule:context_is_admin or rule:projectadmin_and_generic_owner + admin_or_projectadmin_network_owner: rule:context_is_admin or rule:projectadmin_and_network_owner + admin_or_projectadmin_ext_owner: rule:context_is_admin or rule:projectadmin_and_ext_owner + admin_or_projectadmin_owner: rule:context_is_admin or rule:projectadmin_and_owner + admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required + admin_or_projectmember_generic_owner: rule:context_is_admin or rule:projectmember_and_generic_owner + admin_or_projectmember_network_owner: rule:context_is_admin or rule:projectmember_and_network_owner + admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner + admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required + admin_or_qos_owner: rule:context_is_admin or tenant_id:%(qos:tenant_id)s + admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner + context_is_admin: role:admin + context_is_advsvc: role:advsvc + create_address_scope: rule:admin_or_projectadmin_required + create_address_scope:shared: rule:admin_or_projectadmin_required + create_dhcp-network: rule:admin_only + create_flavor: rule:admin_only + create_flavor_service_profile: rule:admin_only + create_floatingip: rule:admin_or_projectadmin_required + create_floatingip:floating_ip_address: rule:admin_or_projectadmin_required + create_floatingip_port_forwarding: rule:admin_or_projectadmin_required + create_l3-router: rule:admin_only + create_log: rule:admin_only + create_lsn: rule:admin_only + create_metering_label: rule:admin_only + create_metering_label_rule: rule:admin_only + create_network: rule:admin_or_projectadmin_required + create_network:is_default: rule:admin_only + create_network:provider:network_type: rule:admin_only + create_network:provider:physical_network: rule:admin_only + create_network:provider:segmentation_id: rule:admin_only + create_network:router:external: rule:admin_only + create_network:segments: rule:admin_only + create_network:shared: rule:admin_or_projectadmin_required + create_network:wrs-tm:qos: rule:admin_or_qos_owner + create_network_profile: rule:admin_only + create_policy: rule:admin_only + create_policy_bandwidth_limit_rule: rule:admin_only + create_policy_dscp_marking_rule: rule:admin_only + create_policy_minimum_bandwidth_rule: rule:admin_only + create_port: rule:admin_or_projectmember_required + create_port:allowed_address_pairs: rule:admin_or_network_owner + create_port:binding:host_id: rule:admin_only + create_port:binding:profile: rule:admin_only + create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner + create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner + create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner + create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner + create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner + create_port:wrs-binding:mac_filtering: rule:admin_only + create_port:wrs-binding:mtu: rule:admin_only + create_port:wrs-tm:qos: rule:admin_or_qos_owner + create_providernet: rule:admin_only + create_providernet_range: rule:admin_only + create_qos: rule:admin_only + create_qos_queue: rule:admin_only + create_rbac_policy: rule:admin_or_projectadmin_required + create_rbac_policy:target_tenant: rule:restrict_wildcard + create_router: rule:admin_or_projectadmin_required + create_router:distributed: rule:admin_or_projectadmin_required + create_router:external_gateway_info:enable_snat: rule:admin_or_projectadmin_required + create_router:external_gateway_info:external_fixed_ips: rule:admin_or_projectadmin_required + create_router:ha: rule:admin_or_projectadmin_required + create_security_group: rule:admin_or_projectadmin_owner + create_security_group_rule: rule:admin_or_projectadmin_owner + create_segment: rule:admin_only + create_service_profile: rule:admin_only + create_subnet: rule:admin_or_projectadmin_network_owner + create_subnet:segment_id: rule:admin_only + create_subnet:service_types: rule:admin_only + create_subnet:wrs-provider:segmentation_id: rule:admin_only + create_subnetpool: rule:admin_or_projectadmin_required + create_subnetpool:is_default: rule:admin_only + create_subnetpool:shared: rule:admin_or_projectadmin_required + create_trunk: rule:admin_or_projectadmin_required + default: rule:admin_or_owner + delete_address_scope: rule:admin_or_projectadmin_owner + delete_agent: rule:admin_only + delete_dhcp-network: rule:admin_only + delete_flavor: rule:admin_only + delete_flavor_service_profile: rule:admin_only + delete_floatingip: rule:admin_or_projectadmin_owner + delete_floatingip_port_forwarding: rule:admin_or_projectadmin_ext_owner + delete_l3-router: rule:admin_only + delete_log: rule:admin_only + delete_metering_label: rule:admin_only + delete_metering_label_rule: rule:admin_only + delete_network: rule:admin_or_projectadmin_owner + delete_network_profile: rule:admin_only + delete_policy: rule:admin_only + delete_policy_bandwidth_limit_rule: rule:admin_only + delete_policy_dscp_marking_rule: rule:admin_only + delete_policy_minimum_bandwidth_rule: rule:admin_only + delete_port: rule:context_is_advsvc or rule:admin_or_projectmember_generic_owner + delete_providernet: rule:admin_only + delete_providernet_range: rule:admin_only + delete_qos: rule:admin_only + delete_rbac_policy: rule:admin_or_projectadmin_owner + delete_router: rule:admin_or_projectadmin_owner + delete_security_group: rule:admin_or_projectadmin_owner + delete_security_group_rule: rule:admin_or_projectadmin_owner + delete_segment: rule:admin_only + delete_service_profile: rule:admin_only + delete_subnet: rule:admin_or_projectadmin_network_owner + delete_subnetpool: rule:admin_or_projectadmin_owner + delete_trunk: rule:admin_or_projectadmin_owner + external: field:networks:router:external=True + ext_parent_owner: tenant_id:%(ext_parent:tenant_id)s + generic_owner: rule:owner or rule:network_owner + get_address_scope: rule:admin_or_owner or rule:shared_address_scopes + get_agent: rule:admin_only + get_agent-loadbalancers: rule:admin_only + get_auto_allocated_topology: rule:admin_or_owner + get_dhcp-agents: rule:admin_only + get_dhcp-networks: rule:admin_only + get_flavor: rule:regular_user + get_flavor_service_profile: rule:regular_user + get_flavors: rule:regular_user + get_floatingip: rule:admin_or_owner + get_floatingip_port_forwarding: rule:admin_or_ext_parent_owner or rule:context_is_advsvc + get_l3-agents: rule:admin_only + get_l3-routers: rule:admin_only + get_loadbalancer-agent: rule:admin_only + get_loadbalancer-hosting-agent: rule:admin_only + get_loadbalancer-pools: rule:admin_only + get_log: rule:admin_only + get_loggable_resources: rule:admin_only + get_logs: rule:admin_only + get_lsn: rule:admin_only + get_metering_label: rule:admin_only + get_metering_label_rule: rule:admin_only + get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc + get_network:provider:network_type: rule:admin_only + get_network:provider:physical_network: rule:admin_only + get_network:provider:segmentation_id: rule:admin_only + get_network:queue_id: rule:admin_only + get_network:router:external: rule:regular_user + get_network:segments: rule:admin_only + get_network:wrs-tm:qos: rule:admin_or_qos_owner + get_network_ip_availabilities: rule:admin_or_projectadmin_owner + get_network_ip_availability: rule:admin_or_projectadmin_owner + get_network_profile: "" + get_network_profiles: "" + get_policy: rule:regular_user + get_policy_bandwidth_limit_rule: rule:regular_user + get_policy_dscp_marking_rule: rule:regular_user + get_policy_minimum_bandwidth_rule: rule:regular_user + get_policy_profile: "" + get_policy_profiles: "" + get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner + get_port:binding:host_id: rule:admin_only + get_port:binding:profile: rule:admin_only + get_port:binding:vif_details: rule:admin_only + get_port:binding:vif_type: rule:admin_only + get_port:queue_id: rule:admin_only + get_providernet: rule:admin_only + get_providernet-bindings: rule:admin_only + get_providernet_range: rule:admin_only + get_providernet_ranges: rule:admin_only + get_providernet_types: rule:admin_only + get_providernets: rule:admin_only + get_qos: rule:admin_or_owner + get_qos_queue: rule:admin_only + get_rbac_policy: rule:admin_or_owner + get_router: rule:admin_or_owner + get_router:distributed: rule:admin_or_projectadmin_required + get_router:ha: rule:admin_or_projectadmin_required + get_router:wrs-net:host: rule:admin_only + get_routers:wrs-net:host: rule:admin_only + get_rule_type: rule:regular_user + get_security_group: rule:admin_or_owner + get_security_group_rule: rule:admin_or_owner + get_security_group_rules: rule:admin_or_owner + get_security_groups: rule:admin_or_owner + get_segment: rule:admin_only + get_service_profile: rule:admin_only + get_service_profiles: rule:admin_only + get_service_provider: rule:regular_user + get_subnet: rule:admin_or_owner or rule:shared + get_subnet:segment_id: rule:admin_only + get_subnet:wrs-provider:network_type: rule:admin_only + get_subnet:wrs-provider:physical_network: rule:admin_only + get_subnet:wrs-provider:segmentation_id: rule:admin_only + get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools + get_subports: "" + get_trunk: rule:admin_or_owner + network_device: 'field:port:device_owner=~^network:' + network_owner: tenant_id:%(network:tenant_id)s + owner: tenant_id:%(tenant_id)s + projectadmin_and_ext_owner: rule:projectadmin_required and rule:ext_parent_owner + projectadmin_and_generic_owner: rule:projectadmin_required and rule:generic_owner + projectadmin_and_network_owner: rule:projectadmin_required and rule:network_owner + projectadmin_and_owner: rule:projectadmin_required and rule:owner + projectadmin_required: role:project_admin + projectmember_and_generic_owner: rule:projectmember_required and rule:generic_owner + projectmember_and_network_owner: rule:projectmember_required and rule:network_owner + projectmember_and_owner: rule:projectmember_required and rule:owner + projectmember_required: role:project_admin or role:member + regular_user: "" + remove_router_interface: rule:admin_or_projectadmin_owner + remove_subports: rule:admin_or_projectadmin_owner + restrict_wildcard: (not field:rbac_policy:target_tenant=*) or rule:admin_only + shared: field:networks:shared=True + shared_address_scopes: field:address_scopes:shared=True + shared_subnetpools: field:subnetpools:shared=True + update_address_scope: rule:admin_or_projectadmin_owner + update_address_scope:shared: rule:admin_or_projectadmin_owner + update_agent: rule:admin_only + update_flavor: rule:admin_only + update_floatingip: rule:admin_or_projectadmin_owner + update_log: rule:admin_only + update_network: rule:admin_or_projectadmin_owner + update_network:provider:network_type: rule:admin_only + update_network:provider:physical_network: rule:admin_only + update_network:provider:segmentation_id: rule:admin_only + update_network:router:external: rule:admin_only + update_network:segments: rule:admin_only + update_network:shared: rule:admin_or_projectadmin_required + update_network:wrs-tm:qos: rule:admin_or_qos_owner + update_network_profile: rule:admin_only + update_policy: rule:admin_only + update_policy_bandwidth_limit_rule: rule:admin_only + update_policy_dscp_marking_rule: rule:admin_only + update_policy_minimum_bandwidth_rule: rule:admin_only + update_policy_profiles: rule:admin_only + update_port: rule:admin_or_projectmember_owner or rule:context_is_advsvc + update_port:allowed_address_pairs: rule:admin_or_network_owner + update_port:binding:host_id: rule:admin_only + update_port:binding:profile: rule:admin_only + update_port:data_plane_status: rule:admin_or_data_plane_int + update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner + update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner + update_port:mac_address: rule:admin_only or rule:context_is_advsvc + update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner + update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner + update_port:wrs-binding:mac_filtering: rule:admin_only + update_port:wrs-binding:mtu: rule:admin_only + update_port:wrs-tm:qos: rule:admin_or_qos_owner + update_floatingip_port_forwarding: rule:admin_or_projectadmin_ext_owner + update_providernet: rule:admin_only + update_providernet_range: rule:admin_only + update_qos: rule:admin_only + update_rbac_policy: rule:admin_or_projectadmin_owner + update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner + update_router: rule:admin_or_projectadmin_owner + update_router:distributed: rule:admin_or_projectadmin_required + update_router:external_gateway_info: rule:admin_or_projectadmin_owner + update_router:external_gateway_info:enable_snat: rule:admin_or_projectadmin_required + update_router:external_gateway_info:external_fixed_ips: rule:admin_or_projectadmin_required + update_router:external_gateway_info:network_id: rule:admin_or_projectadmin_owner + update_router:ha: rule:admin_or_projectadmin_required + update_security_group: rule:admin_or_projectadmin_owner + update_segment: rule:admin_only + update_service_profile: rule:admin_only + update_subnet: rule:admin_or_projectadmin_network_owner + update_subnet:service_types: rule:admin_only + update_subnet:wrs-provider:segmentation_id: rule:admin_only + update_subnetpool: rule:admin_or_projectadmin_owner + update_subnetpool:is_default: rule:admin_only + update_trunk: rule:admin_or_projectadmin_owner diff --git a/enhanced-policies/nova-policy-overrides.yml b/enhanced-policies/nova-policy-overrides.yml new file mode 100644 index 00000000..8bfa2a06 --- /dev/null +++ b/enhanced-policies/nova-policy-overrides.yml @@ -0,0 +1,58 @@ +conf: + policy: + admin_or_projectadmin_owner: rule:context_is_admin or rule:projectadmin_and_owner + admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required + admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner + admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required + context_is_admin: role:admin + os_compute_api:os-admin-password: rule:admin_or_projectadmin_owner + os_compute_api:os-attach-interfaces:create: rule:admin_or_projectadmin_owner + os_compute_api:os-attach-interfaces:delete: rule:admin_or_projectadmin_owner + os_compute_api:os-console-output: rule:admin_or_projectmember_owner + os_compute_api:os-consoles:create: rule:admin_or_projectmember_owner + os_compute_api:os-consoles:delete: rule:admin_or_projectmember_owner + os_compute_api:os-create-backup: rule:admin_or_projectadmin_owner + os_compute_api:os-deferred-delete: rule:admin_or_projectadmin_owner + os_compute_api:os-lock-server:lock: rule:admin_or_projectadmin_owner + os_compute_api:os-lock-server:unlock: rule:admin_or_projectadmin_owner + os_compute_api:os-pause-server:pause: rule:admin_or_projectadmin_owner + os_compute_api:os-pause-server:unpause: rule:admin_or_projectadmin_owner + os_compute_api:os-remote-consoles: rule:admin_or_projectmember_owner + os_compute_api:os-rescue: rule:admin_or_projectadmin_owner + os_compute_api:os-security-groups: rule:admin_or_projectadmin_owner + os_compute_api:os-server-groups:create: rule:admin_or_projectadmin_owner + os_compute_api:os-server-groups:delete: rule:admin_or_projectadmin_owner + os_compute_api:os-server-password: rule:admin_or_projectadmin_owner + os_compute_api:os-server-tags:delete: rule:admin_or_projectadmin_owner + os_compute_api:os-server-tags:delete_all: rule:admin_or_projectadmin_owner + os_compute_api:os-server-tags:update: rule:admin_or_projectadmin_owner + os_compute_api:os-server-tags:update_all: rule:admin_or_projectadmin_owner + os_compute_api:os-shelve:shelve: rule:admin_or_projectadmin_owner + os_compute_api:os-shelve:unshelve: rule:admin_or_projectadmin_owner + os_compute_api:os-suspend-server:resume: rule:admin_or_projectadmin_owner + os_compute_api:os-suspend-server:suspend: rule:admin_or_projectadmin_owner + os_compute_api:os-volumes-attachments:create: rule:admin_or_projectmember_owner + os_compute_api:os-volumes-attachments:delete: rule:admin_or_projectmember_owner + os_compute_api:os-volumes-attachments:update: rule:admin_or_projectadmin_required + os_compute_api:server-metadata:create: rule:admin_or_projectadmin_owner + os_compute_api:server-metadata:delete: rule:admin_or_projectadmin_owner + os_compute_api:server-metadata:update: rule:admin_or_projectadmin_owner + os_compute_api:server-metadata:update_all: rule:admin_or_projectadmin_owner + os_compute_api:servers:confirm_resize: rule:admin_or_projectadmin_owner + os_compute_api:servers:create: rule:admin_or_projectmember_owner + os_compute_api:servers:create_image: rule:admin_or_projectadmin_owner + os_compute_api:servers:delete: rule:admin_or_projectadmin_owner + os_compute_api:servers:reboot: rule:admin_or_projectadmin_owner + os_compute_api:servers:rebuild: rule:admin_or_projectadmin_owner + os_compute_api:servers:resize: rule:admin_or_projectadmin_owner + os_compute_api:servers:revert_resize: rule:admin_or_projectadmin_owner + os_compute_api:servers:start: rule:admin_or_projectadmin_owner + os_compute_api:servers:stop: rule:admin_or_projectadmin_owner + os_compute_api:servers:trigger_crash_dump: rule:admin_or_projectadmin_owner + os_compute_api:servers:update: rule:admin_or_projectadmin_owner + owner: project_id:%(project_id)s + projectadmin_and_owner: rule:projectadmin_required and rule:owner + projectadmin_required: role:project_admin + projectmember_and_owner: rule:projectmember_required and rule:owner + projectmember_required: role:project_admin or role:member + diff --git a/enhanced-policies/tests/run-cleanup-all.sh b/enhanced-policies/tests/run-cleanup-all.sh new file mode 100644 index 00000000..5295b26a --- /dev/null +++ b/enhanced-policies/tests/run-cleanup-all.sh @@ -0,0 +1,74 @@ +# +# This script cleans up any remaining resource created by RBAC test scenarios +# +# Usage example: +# bash run-cleanup-all.sh +# + +printf "WARNING: This script might DELETE some existing configuration if not \ +used carefully, do you want to continue? \ +('yes' to continue, anything else to cancel): " +read CONFIRMATION +if [[ ${CONFIRMATION^^} != 'YES' ]]; then + echo "Script execution cancelled." + exit 0 +fi + +printf "Cleaning up test resources...\n" + +if [[ -z "${OS_CLOUD}" ]]; then + echo "\$OS_CLOUD needs to be set before running this script" + exit +else + echo "Running cleanup script using OS_CLOUD=$OS_CLOUD" +fi + +echo "removing security groups" +openstack security group list | grep "sg" | \ +awk '{ system("openstack security group delete " $2) }' + +echo "removing floating ips" +FIPS=$(openstack floating ip list | grep -vE "ID|---" | awk '{ print $2 }') +for FIP in $FIPS; do + FIP_PFS=$(openstack floating ip port forwarding list $FIP |\ + grep -vE "ID|---" | awk '{ print $2 }') + for FIP_PF in $FIP_PFS; do + openstack floating ip port forwarding delete $FIP $FIP_PF + done + openstack floating ip delete $FIP +done +echo "removing routers" +ROUTERS=$(openstack router list | grep "vr" | awk '{ print $2 }') +for ROUTER in $ROUTERS; do + SUBNET=$(openstack router show $ROUTER | grep interfaces_info | \ + awk '{ print $5 }' | sed 's/[",]//g') + openstack router remove subnet $ROUTER $SUBNET + openstack router delete $ROUTER +done +echo "removing servers" +openstack server list --all-projects | grep -E "vm[12]" | \ +awk '{ system("openstack server delete " $2 " --wait") }' +echo "removing trunks" +openstack network trunk list | grep -E "trunk" | \ +awk '{ system("openstack network trunk delete " $2) }' +echo "removing ports" +openstack port list | grep -E "port[12]" | \ +awk '{ system("openstack port delete " $2) }' +echo "removing subnets" +openstack subnet list | grep -E "[^-]subnet[12]" | \ +awk '{ system("openstack subnet delete " $2) }' +echo "removing networks" +openstack network list | grep -E "network[12]|extnet[12]" | \ +awk '{ system("openstack network delete " $2) }' +echo "removing subnet pools" +openstack subnet pool list | grep "subnetpool" | \ +awk '{ system("openstack subnet pool delete " $2) }' +echo "removing address scopes" +openstack address scope list | grep "addrscope" | \ +awk '{ system("openstack address scope delete " $2) }' + +openstack user delete user11 user12 user13 user21 user22 user23 +openstack project delete project1 project2 +openstack image delete cirros + +printf "Cleanup finished.\n"