diff --git a/enhanced-policies/README.md b/enhanced-policies/README.md
index 52515759..a2174048 100644
--- a/enhanced-policies/README.md
+++ b/enhanced-policies/README.md
@@ -14,7 +14,7 @@ It's important that all the overrides files get applied, some of the rules prese
Setting up the environment
--------------------------
-Make sure you have access to the Openstack CLI, follow the instructions on [this doc.](https://docs.starlingx.io/deploy_install_guides/r5_release/openstack/access.html#id4)
+Make sure you have access to the Openstack CLI, follow the instructions on [this doc.](https://docs.starlingx.io/system_configuration/openstack/enhanced-rbac-policies.html)
1. Transfer the policies to your cloud's controller:
```
@@ -120,10 +120,10 @@ Please follow the instructions below to test the enhanced policies on your syste
pytest tests/
```
- On WindRiver Openstack:
+ On Custom envs (Openstack):
```
export OS_CLOUD=openstack
- pytest tests/ --env wro
+ pytest tests/ --env custom-o
```
If things go awry...
@@ -146,4 +146,4 @@ Role Permission Details
|---|:---|:---|:---|:---|:---|
|member|All operations that legacy role '_member_' can do|1 - Can get list and detail of instances
2 - Can create instance/Can open console of instances
3 - Can access log of instance
4 - Can manage keypairs of his/her own|1 - Can only create/update/delete port
2 - Can get list and detail of resources: subnetpool, address scope, networks, subnets, etc.|1,can create and update image, upload image content
|1 - Can create volume
2 - Can create volume from image
3 - Can create volume snapshot
4 - Can create volume-backup|
|project_admin|all operations that legacy role '_member_' can do;|all operations that legacy role '_member_' can do
|1 - All operations that legacy role '_member_' can do
2 - Can create/update/delete 'shared' subnetpool
3 - Can create/update/delete address scope
4 - Can create/update/delete shared network
|1 - All operations that legacy role '_member_' can do
2 - Can publicize_image
|1 - All operations that legacy role '_member_' can do|
-|project_readonly|all operations that legacy role '_member_' can do
|1 - Can only get list and detail of instances
2 - Can manage key-pairs of his/her own|1 - Can only get list and detail of resources: subnetpool, address scopes, networks, subnets,etc.|1 - Can only get list and detail of images|1 - Can only get list and detail of volumes, backups, snapshots|
\ No newline at end of file
+|project_readonly|all operations that legacy role '_member_' can do
|1 - Can only get list and detail of instances
2 - Can manage key-pairs of his/her own|1 - Can only get list and detail of resources: subnetpool, address scopes, networks, subnets,etc.|1 - Can only get list and detail of images|1 - Can only get list and detail of volumes, backups, snapshots|
diff --git a/enhanced-policies/glance-policy-overrides.yml b/enhanced-policies/glance-policy-overrides.yml
index 1fcfd7cd..2eb1cbff 100644
--- a/enhanced-policies/glance-policy-overrides.yml
+++ b/enhanced-policies/glance-policy-overrides.yml
@@ -55,7 +55,6 @@ conf:
modify_metadef_object: rule:admin_or_projectadmin_owner
modify_metadef_property: rule:admin_or_projectadmin_owner
modify_metadef_tag: rule:admin_or_projectadmin_owner
- modify_task: rule:admin_or_projectadmin_owner
publicize_image: rule:admin_or_projectadmin_required
reactivate: rule:admin_or_projectadmin_owner
remove_metadef_property: rule:admin_or_projectadmin_owner
diff --git a/enhanced-policies/nova-policy-overrides.yml b/enhanced-policies/nova-policy-overrides.yml
index 8bfa2a06..88504cd6 100644
--- a/enhanced-policies/nova-policy-overrides.yml
+++ b/enhanced-policies/nova-policy-overrides.yml
@@ -4,6 +4,7 @@ conf:
admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required
admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner
admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required
+ admin_or_projectreadonly_required: rule:context_is_admin or rule:projectreadonly_required
context_is_admin: role:admin
os_compute_api:os-admin-password: rule:admin_or_projectadmin_owner
os_compute_api:os-attach-interfaces:create: rule:admin_or_projectadmin_owner
@@ -12,17 +13,25 @@ conf:
os_compute_api:os-consoles:create: rule:admin_or_projectmember_owner
os_compute_api:os-consoles:delete: rule:admin_or_projectmember_owner
os_compute_api:os-create-backup: rule:admin_or_projectadmin_owner
- os_compute_api:os-deferred-delete: rule:admin_or_projectadmin_owner
+ os_compute_api:os-deferred-delete:force: rule:admin_or_projectadmin_owner
+ os_compute_api:os-deferred-delete:restore: rule:admin_or_projectadmin_owner
os_compute_api:os-lock-server:lock: rule:admin_or_projectadmin_owner
os_compute_api:os-lock-server:unlock: rule:admin_or_projectadmin_owner
os_compute_api:os-pause-server:pause: rule:admin_or_projectadmin_owner
os_compute_api:os-pause-server:unpause: rule:admin_or_projectadmin_owner
os_compute_api:os-remote-consoles: rule:admin_or_projectmember_owner
- os_compute_api:os-rescue: rule:admin_or_projectadmin_owner
- os_compute_api:os-security-groups: rule:admin_or_projectadmin_owner
+ os_compute_api:os-security-groups:add: rule:admin_or_projectadmin_owner
+ os_compute_api:os-security-groups:create: rule:admin_or_projectadmin_owner
+ os_compute_api:os-security-groups:delete: rule:admin_or_projectadmin_owner
+ os_compute_api:os-security-groups:get: rule:admin_or_projectadmin_owner
+ os_compute_api:os-security-groups:list: rule:admin_or_projectadmin_owner
+ os_compute_api:os-security-groups:remove: rule:admin_or_projectadmin_owner
+ os_compute_api:os-security-groups:show: rule:admin_or_projectadmin_owner
+ os_compute_api:os-security-groups:update: rule:admin_or_projectadmin_owner
os_compute_api:os-server-groups:create: rule:admin_or_projectadmin_owner
os_compute_api:os-server-groups:delete: rule:admin_or_projectadmin_owner
- os_compute_api:os-server-password: rule:admin_or_projectadmin_owner
+ os_compute_api:os-server-password:clear: rule:admin_or_projectadmin_owner
+ os_compute_api:os-server-password:show: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:delete: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:delete_all: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:update: rule:admin_or_projectadmin_owner
@@ -31,6 +40,7 @@ conf:
os_compute_api:os-shelve:unshelve: rule:admin_or_projectadmin_owner
os_compute_api:os-suspend-server:resume: rule:admin_or_projectadmin_owner
os_compute_api:os-suspend-server:suspend: rule:admin_or_projectadmin_owner
+ os_compute_api:os-unrescue: rule:admin_or_projectadmin_owner
os_compute_api:os-volumes-attachments:create: rule:admin_or_projectmember_owner
os_compute_api:os-volumes-attachments:delete: rule:admin_or_projectmember_owner
os_compute_api:os-volumes-attachments:update: rule:admin_or_projectadmin_required
@@ -42,10 +52,13 @@ conf:
os_compute_api:servers:create: rule:admin_or_projectmember_owner
os_compute_api:servers:create_image: rule:admin_or_projectadmin_owner
os_compute_api:servers:delete: rule:admin_or_projectadmin_owner
+ os_compute_api:servers:detail: rule:admin_or_projectreadonly_required
+ os_compute_api:servers:index: rule:admin_or_projectreadonly_required
os_compute_api:servers:reboot: rule:admin_or_projectadmin_owner
os_compute_api:servers:rebuild: rule:admin_or_projectadmin_owner
os_compute_api:servers:resize: rule:admin_or_projectadmin_owner
os_compute_api:servers:revert_resize: rule:admin_or_projectadmin_owner
+ os_compute_api:servers:show: rule:admin_or_projectreadonly_required
os_compute_api:servers:start: rule:admin_or_projectadmin_owner
os_compute_api:servers:stop: rule:admin_or_projectadmin_owner
os_compute_api:servers:trigger_crash_dump: rule:admin_or_projectadmin_owner
@@ -55,4 +68,5 @@ conf:
projectadmin_required: role:project_admin
projectmember_and_owner: rule:projectmember_required and rule:owner
projectmember_required: role:project_admin or role:member
+ projectreadonly_required: role:project_admin or role:member or role:project_readonly