ff3bed6e77
As a side-effect of the migration from the migration
from helm v2 to v3 and Armada to FluxCD, the helm
override of the horizon rbac policy was failing to
apply this file because it was too large. By splitting
this file and making two helm overrides the apply can
finish successfully.
Test plan:
PASS: system helm-override-update stx-openstack horizon openstack --reuse-values --values=rbac/horizon-policy-overrides.yml
system helm-override-update stx-openstack horizon openstack --reuse-values --values=rbac/horizon-nova-policy-overrides.yml
PASS: Reapply the app and check the helm overrides succeed
Closes bug: 2040165
Change-Id: Ib1c82544cd1f2335554f740bc3fe733ce57370ab
Signed-off-by: Romulo Leite <romulo.leite@windriver.com>
663 lines
44 KiB
YAML
663 lines
44 KiB
YAML
conf:
|
|
horizon:
|
|
policy:
|
|
keystone:
|
|
admin_or_owner: rule:admin_required or rule:owner
|
|
admin_or_token_subject: rule:admin_required or rule:token_subject
|
|
admin_required: role:admin or is_admin:1 or rule:project_admin_required
|
|
default: rule:admin_required
|
|
identity:add_endpoint_group_to_project: rule:admin_required
|
|
identity:add_endpoint_to_project: rule:admin_required
|
|
identity:add_user_to_group: rule:admin_required
|
|
identity:authorize_request_token: rule:admin_required
|
|
identity:change_password: rule:admin_or_owner
|
|
identity:check_endpoint_in_project: rule:admin_required
|
|
identity:check_grant: rule:admin_required
|
|
identity:check_implied_role: rule:admin_required
|
|
identity:check_policy_association_for_endpoint: rule:admin_required
|
|
identity:check_policy_association_for_region_and_service: rule:admin_required
|
|
identity:check_policy_association_for_service: rule:admin_required
|
|
identity:check_token: rule:admin_or_token_subject
|
|
identity:check_user_in_group: rule:admin_required
|
|
identity:create_consumer: rule:admin_required
|
|
identity:create_credential: rule:admin_required
|
|
identity:create_domain_config: rule:admin_required
|
|
identity:create_domain_role: rule:admin_required
|
|
identity:create_domain: rule:admin_required
|
|
identity:create_endpoint_group: rule:admin_required
|
|
identity:create_endpoint: rule:admin_required
|
|
identity:create_grant: rule:admin_required or rule:project_admin_required
|
|
identity:create_group: rule:admin_required
|
|
identity:create_identity_provider: rule:admin_required
|
|
identity:create_implied_role: rule:admin_required
|
|
identity:create_mapping: rule:admin_required
|
|
identity:create_policy_association_for_endpoint: rule:admin_required
|
|
identity:create_policy_association_for_region_and_service: rule:admin_required
|
|
identity:create_policy_association_for_service: rule:admin_required
|
|
identity:create_policy: rule:admin_required
|
|
identity:create_project: rule:admin_required
|
|
identity:create_protocol: rule:admin_required
|
|
identity:create_region: rule:admin_required
|
|
identity:create_role: rule:admin_required
|
|
identity:create_service_provider: rule:admin_required
|
|
identity:create_service: rule:admin_required
|
|
identity:create_trust: user_id:%(trust.trustor_user_id)s
|
|
identity:create_user: rule:admin_required or rule:project_admin_required
|
|
identity:delete_access_token: rule:admin_required
|
|
identity:delete_consumer: rule:admin_required
|
|
identity:delete_credential: rule:admin_required
|
|
identity:delete_domain_config: rule:admin_required
|
|
identity:delete_domain_role: rule:admin_required
|
|
identity:delete_domain: rule:admin_required
|
|
identity:delete_endpoint_group: rule:admin_required
|
|
identity:delete_endpoint: rule:admin_required
|
|
identity:delete_group: rule:admin_required
|
|
identity:delete_identity_provider: rule:admin_required
|
|
identity:delete_implied_role: rule:admin_required
|
|
identity:delete_mapping: rule:admin_required
|
|
identity:delete_policy_association_for_endpoint: rule:admin_required
|
|
identity:delete_policy_association_for_region_and_service: rule:admin_required
|
|
identity:delete_policy_association_for_service: rule:admin_required
|
|
identity:delete_policy: rule:admin_required
|
|
identity:delete_project: rule:admin_required
|
|
identity:delete_protocol: rule:admin_required
|
|
identity:delete_region: rule:admin_required
|
|
identity:delete_role: rule:admin_required
|
|
identity:delete_service_provider: rule:admin_required
|
|
identity:delete_service: rule:admin_required
|
|
identity:delete_trust: ""
|
|
identity:delete_user: rule:admin_required
|
|
identity:ec2_create_credential: rule:admin_or_owner
|
|
identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
|
identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
|
identity:ec2_list_credentials: rule:admin_or_owner
|
|
identity:get_access_token_role: rule:admin_required
|
|
identity:get_access_token: rule:admin_required
|
|
identity:get_auth_catalog: ""
|
|
identity:get_auth_domains: ""
|
|
identity:get_auth_projects: ""
|
|
identity:get_consumer: rule:admin_required
|
|
identity:get_credential: rule:admin_required
|
|
identity:get_domain_config_default: rule:admin_required or rule:project_admin_required
|
|
identity:get_domain_config: rule:admin_required or rule:project_admin_required
|
|
identity:get_domain_role: rule:admin_required or rule:project_admin_required
|
|
identity:get_domain: rule:admin_required or rule:project_admin_required
|
|
identity:get_endpoint_group_in_project: rule:admin_required
|
|
identity:get_endpoint_group: rule:admin_required
|
|
identity:get_endpoint: rule:admin_required
|
|
identity:get_group: rule:admin_required or rule:project_admin_required
|
|
identity:get_identity_providers: rule:admin_required
|
|
identity:get_implied_role: rule:admin_required or rule:project_admin_required
|
|
identity:get_mapping: rule:admin_required
|
|
identity:get_policy_for_endpoint: rule:admin_required
|
|
identity:get_policy: rule:admin_required
|
|
identity:get_project: rule:admin_required or project_id:%(target.project.id)s or rule:project_admin_required
|
|
identity:get_protocol: rule:admin_required
|
|
identity:get_region: ""
|
|
identity:get_role_for_trust: ""
|
|
identity:get_role: rule:admin_required or rule:project_admin_required
|
|
identity:get_service_provider: rule:admin_required
|
|
identity:get_service: rule:admin_required
|
|
identity:get_user: rule:admin_or_owner or rule:project_admin_required
|
|
identity:list_access_token_roles: rule:admin_required
|
|
identity:list_access_tokens: rule:admin_required
|
|
identity:list_consumers: rule:admin_required
|
|
identity:list_credentials: rule:admin_required
|
|
identity:list_domain_roles: rule:admin_required or rule:project_admin_required
|
|
identity:list_domains_for_groups: ""
|
|
identity:list_domains: rule:admin_required or rule:project_admin_required
|
|
identity:list_endpoint_groups_for_project: rule:admin_required
|
|
identity:list_endpoint_groups: rule:admin_required
|
|
identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
|
|
identity:list_endpoints_for_policy: rule:admin_required
|
|
identity:list_endpoints_for_project: rule:admin_required
|
|
identity:list_endpoints: rule:admin_required
|
|
identity:list_grants: rule:admin_required or rule:project_admin_required
|
|
identity:list_groups_for_user: rule:admin_or_owner or rule:project_admin_required
|
|
identity:list_groups: rule:admin_required or rule:project_admin_required
|
|
identity:list_identity_providers: rule:admin_required
|
|
identity:list_implied_roles: rule:admin_required
|
|
identity:list_mappings: rule:admin_required
|
|
identity:list_policies: rule:admin_required
|
|
identity:list_projects_associated_with_endpoint_group: rule:admin_required
|
|
identity:list_projects_for_endpoint: rule:admin_required
|
|
identity:list_projects_for_groups: ""
|
|
identity:list_projects: rule:admin_required or rule:project_admin_required
|
|
identity:list_protocols: rule:admin_required
|
|
identity:list_regions: ""
|
|
identity:list_revoke_events: ""
|
|
identity:list_role_assignments_for_tree: rule:admin_required or rule:project_admin_required
|
|
identity:list_role_assignments: rule:admin_required or rule:project_admin_required
|
|
identity:list_role_inference_rules: rule:admin_required or rule:project_admin_required
|
|
identity:list_roles_for_trust: ""
|
|
identity:list_roles: rule:admin_required or rule:project_admin_required
|
|
identity:list_service_providers: rule:admin_required
|
|
identity:list_services: rule:admin_required
|
|
identity:list_trusts: ""
|
|
identity:list_user_projects: rule:admin_or_owner or rule:project_admin_required
|
|
identity:list_users_in_group: rule:admin_required or rule:project_admin_required
|
|
identity:list_users: rule:admin_required or rule:project_admin_required
|
|
identity:remove_endpoint_from_project: rule:admin_required
|
|
identity:remove_endpoint_group_from_project: rule:admin_required
|
|
identity:remove_user_from_group: rule:admin_required
|
|
identity:revocation_list: rule:service_or_admin
|
|
identity:revoke_grant: rule:admin_required or rule:project_admin_required
|
|
identity:revoke_token: rule:admin_or_token_subject
|
|
identity:update_consumer: rule:admin_required
|
|
identity:update_credential: rule:admin_required
|
|
identity:update_domain_config: rule:admin_required
|
|
identity:update_domain_role: rule:admin_required
|
|
identity:update_domain: rule:admin_required
|
|
identity:update_endpoint_group: rule:admin_required
|
|
identity:update_endpoint: rule:admin_required
|
|
identity:update_group: rule:admin_required
|
|
identity:update_identity_provider: rule:admin_required
|
|
identity:update_mapping: rule:admin_required
|
|
identity:update_policy: rule:admin_required
|
|
identity:update_project: rule:admin_required or (rule:project_admin_required and project_id:%(target.project.id)s)
|
|
identity:update_protocol: rule:admin_required
|
|
identity:update_region: rule:admin_required
|
|
identity:update_role: rule:admin_required
|
|
identity:update_service_provider: rule:admin_required
|
|
identity:update_service: rule:admin_required
|
|
identity:update_user: rule:admin_required
|
|
identity:validate_token_head: rule:service_or_admin
|
|
identity:validate_token: rule:service_admin_or_token_subject
|
|
owner: user_id:%(user_id)s
|
|
project_admin_required: role:project_admin
|
|
service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
|
|
service_or_admin: rule:admin_required or rule:service_role
|
|
service_role: role:service
|
|
token_subject: user_id:%(target.token.user_id)s
|
|
cinder:
|
|
owner: project_id:%(project_id)s
|
|
context_is_admin: role:admin
|
|
admin_api: is_admin:True or (role:admin and is_admin_project:True)
|
|
admin_or_owner: is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s
|
|
admin_or_projectadmin_owner: rule:admin_api or rule:projectadmin_and_owner
|
|
admin_or_projectadmin_required: rule:admin_api or rule:projectadmin_required
|
|
admin_or_projectmember_owner: rule:admin_api or rule:projectmember_and_owner
|
|
admin_or_projectmember_required: rule:admin_api or rule:projectmember_required
|
|
projectadmin_and_owner: rule:projectadmin_required and rule:owner
|
|
projectadmin_required: role:project_admin
|
|
projectmember_and_owner: rule:projectmember_required and rule:owner
|
|
projectmember_required: role:project_admin or role:member
|
|
backup:backup-export: rule:admin_api
|
|
backup:backup-import: rule:admin_api
|
|
backup:backup_project_attribute: rule:admin_api
|
|
backup:create: rule:admin_or_projectmember_owner
|
|
backup:delete: rule:admin_or_projectadmin_owner
|
|
backup:get_all: ""
|
|
backup:get: ""
|
|
backup:restore: rule:admin_or_projectadmin_owner
|
|
backup:update: rule:admin_or_projectadmin_owner
|
|
clusters:get: rule:admin_api
|
|
clusters:get_all: rule:admin_api
|
|
clusters:update: rule:admin_api
|
|
consistencygroup:create_cgsnapshot: rule:admin_or_projectadmin_required
|
|
consistencygroup:create: rule:admin_or_projectadmin_required
|
|
consistencygroup:delete_cgsnapshot: rule:admin_or_projectadmin_required
|
|
consistencygroup:delete: rule:admin_or_projectadmin_required
|
|
consistencygroup:get_all_cgsnapshots: ""
|
|
consistencygroup:get_all: ""
|
|
consistencygroup:get_cgsnapshot: ""
|
|
consistencygroup:get: ""
|
|
consistencygroup:update: rule:admin_or_projectadmin_required
|
|
group:access_group_types_specs: rule:admin_api
|
|
group:create: rule:admin_or_projectadmin_required
|
|
group:create_group_snapshot: rule:admin_or_projectadmin_required
|
|
group:delete: rule:admin_or_projectadmin_owner
|
|
group:delete_group_snapshot: rule:admin_or_projectadmin_owner
|
|
group:disable_replication: rule:admin_or_projectadmin_owner
|
|
group:enable_replication: rule:admin_or_projectadmin_owner
|
|
group:failover_replication: rule:admin_or_projectadmin_owner
|
|
group:get: rule:admin_or_owner
|
|
group:get_all: ""
|
|
group:get_all_group_snapshots: ""
|
|
group:get_group_snapshot: ""
|
|
group:group_type_access: rule:admin_or_projectadmin_owner
|
|
group:group_types_manage: rule:admin_api
|
|
group:group_types_specs: rule:admin_api
|
|
group:list_replication_targets: rule:admin_or_owner
|
|
group:reset_group_snapshot_status: rule:admin_api
|
|
group:reset_status: rule:admin_api
|
|
group:update: rule:admin_or_projectadmin_owner
|
|
group:update_group_snapshot: rule:admin_or_projectadmin_owner
|
|
message:delete: ""
|
|
message:get_all: ""
|
|
message:get: ""
|
|
scheduler_extension:scheduler_stats:get_pools: rule:admin_api
|
|
snapshot_extension:list_manageable: rule:admin_api
|
|
snapshot_extension:snapshot_actions:update_snapshot_status: rule:admin_or_projectmember_required
|
|
snapshot_extension:snapshot_manage: rule:admin_api
|
|
snapshot_extension:snapshot_unmanage: rule:admin_api
|
|
volume_extension:access_types_extra_specs: rule:admin_api
|
|
volume_extension:access_types_qos_specs_id: rule:admin_api
|
|
volume_extension:backup_admin_actions:force_delete: rule:admin_api
|
|
volume_extension:backup_admin_actions:reset_status: rule:admin_api
|
|
volume_extension:capabilities: rule:admin_api
|
|
volume_extension:extended_snapshot_attributes: rule:admin_or_projectadmin_owner
|
|
volume_extension:hosts: rule:admin_api
|
|
volume_extension:list_manageable: rule:admin_api
|
|
volume_extension:qos_specs_manage:create: rule:admin_api
|
|
volume_extension:qos_specs_manage:delete: rule:admin_api
|
|
volume_extension:qos_specs_manage:get: rule:admin_api
|
|
volume_extension:qos_specs_manage:get_all: rule:admin_api
|
|
volume_extension:qos_specs_manage:update: rule:admin_api
|
|
volume_extension:quota_classes: rule:admin_api
|
|
volume_extension:quota_classes:validate_setup_for_nested_quota_use: rule:admin_api
|
|
volume_extension:quotas:delete: rule:admin_api
|
|
volume_extension:quotas:show: ""
|
|
volume_extension:quotas:update: rule:admin_api
|
|
volume_extension:replication:promote: rule:admin_api
|
|
volume_extension:replication:reenable: rule:admin_api
|
|
volume_extension:services:index: rule:admin_api
|
|
volume_extension:services:update: rule:admin_api
|
|
volume_extension:snapshot_admin_actions:force_delete: rule:admin_api
|
|
volume_extension:snapshot_admin_actions:reset_status: rule:admin_api
|
|
volume_extension:snapshot_backup_status_attribute: rule:admin_or_projectadmin_owner
|
|
volume_extension:snapshot_export_attributes: rule:admin_or_projectadmin_owner
|
|
volume_extension:types_extra_specs:create: rule:admin_api
|
|
volume_extension:types_extra_specs:delete: rule:admin_api
|
|
volume_extension:types_extra_specs:index: rule:admin_api
|
|
volume_extension:types_extra_specs:show: rule:admin_api
|
|
volume_extension:types_extra_specs:update: rule:admin_api
|
|
volume_extension:types_manage: rule:admin_api
|
|
volume_extension:volume_actions:upload_image: rule:admin_or_projectadmin_owner
|
|
volume_extension:volume_actions:upload_public: rule:admin_api
|
|
volume_extension:volume_admin_actions:force_delete: rule:admin_api
|
|
volume_extension:volume_admin_actions:force_detach: rule:admin_api
|
|
volume_extension:volume_admin_actions:migrate_volume_completion: rule:admin_api
|
|
volume_extension:volume_admin_actions:migrate_volume: rule:admin_api
|
|
volume_extension:volume_admin_actions:reset_status: rule:admin_api
|
|
volume_extension:volume_encryption_metadata: rule:admin_or_projectadmin_owner
|
|
volume_extension:volume_host_attribute: rule:admin_api
|
|
volume_extension:volume_image_metadata: rule:admin_or_owner
|
|
volume_extension:volume_manage: rule:admin_api
|
|
volume_extension:volume_mig_status_attribute: rule:admin_api
|
|
volume_extension:volume_tenant_attribute: rule:admin_or_projectadmin_owner
|
|
volume_extension:volume_type_access: rule:admin_or_projectadmin_owner
|
|
volume_extension:volume_type_access:addProjectAccess: rule:admin_api
|
|
volume_extension:volume_type_access:removeProjectAccess: rule:admin_api
|
|
volume_extension:volume_type_encryption: rule:admin_api
|
|
volume_extension:volume_unmanage: rule:admin_api
|
|
volume:accept_transfer: rule:admin_or_projectmember_required
|
|
volume:attachment_create: rule:admin_or_projectmember_required
|
|
volume:attachment_delete: rule:admin_or_projectmember_owner
|
|
volume:attachment_update: rule:admin_or_projectmember_owner
|
|
volume:create_from_image: rule:admin_or_projectmember_required
|
|
volume:create_snapshot: rule:admin_or_projectmember_owner
|
|
volume:create_transfer: rule:admin_or_projectadmin_owner
|
|
volume:create_volume_metadata: rule:admin_or_projectmember_owner
|
|
volume:create: rule:admin_or_projectmember_required
|
|
volume:delete_snapshot_metadata: rule:admin_or_projectadmin_owner
|
|
volume:delete_snapshot: rule:admin_or_projectadmin_owner
|
|
volume:delete_transfer: rule:admin_or_projectadmin_owner
|
|
volume:delete_volume_metadata: rule:admin_or_projectadmin_owner
|
|
volume:delete: rule:admin_or_projectadmin_owner
|
|
volume:extend_attached_volume: rule:admin_or_projectadmin_owner
|
|
volume:extend: rule:admin_or_projectadmin_owner
|
|
volume:failover_host: rule:admin_api
|
|
volume:force_delete: rule:admin_api
|
|
volume:freeze_host: rule:admin_api
|
|
volume:get_all_snapshots: ""
|
|
volume:get_all_transfers: ""
|
|
volume:get_all: ""
|
|
volume:get_snapshot_metadata: ""
|
|
volume:get_snapshot: ""
|
|
volume:get_transfer: ""
|
|
volume:get_volume_admin_metadata: ""
|
|
volume:get_volume_metadata: ""
|
|
volume:get: ""
|
|
volume:retype: rule:admin_or_projectadmin_owner
|
|
volume:revert_to_snapshot: rule:admin_or_projectadmin_owner
|
|
volume:thaw_host: rule:admin_api
|
|
volume:update_readonly_flag: rule:admin_or_projectadmin_owner
|
|
volume:update_snapshot_metadata: rule:admin_or_projectadmin_owner
|
|
volume:update_snapshot: rule:admin_or_projectadmin_owner
|
|
volume:update_volume_admin_metadata: rule:admin_api
|
|
volume:update_volume_metadata: rule:admin_or_projectmember_owner
|
|
volume:update: rule:admin_or_projectadmin_owner
|
|
workers:cleanup: rule:admin_api
|
|
default: rule:admin_or_owner
|
|
glance:
|
|
owner: project_id:%(owner)s
|
|
admin_or_projectadmin_owner: rule:context_is_admin or rule:projectadmin_and_owner
|
|
admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required
|
|
admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner
|
|
admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required
|
|
projectadmin_required: role:project_admin
|
|
projectadmin_and_owner: rule:projectadmin_required and rule:owner
|
|
projectmember_and_owner: rule:projectmember_required and rule:owner
|
|
projectmember_required: role:project_admin or role:member
|
|
add_image: rule:admin_or_projectmember_required
|
|
add_member: rule:admin_or_projectadmin_required
|
|
add_metadef_namespace: rule:admin_or_projectadmin_required
|
|
add_metadef_object: rule:admin_or_projectadmin_required
|
|
add_metadef_property: rule:admin_or_projectadmin_required
|
|
add_metadef_resource_type_association: rule:admin_or_projectadmin_required
|
|
add_metadef_tag: rule:admin_or_projectadmin_required
|
|
add_metadef_tags: rule:admin_or_projectadmin_required
|
|
add_task: rule:admin_or_projectadmin_required
|
|
communitize_image: rule:admin_or_projectadmin_required
|
|
context_is_admin: role:admin
|
|
copy_from: rule:admin_or_projectadmin_required
|
|
deactivate: rule:admin_or_projectadmin_required
|
|
default: role:admin
|
|
delete_image: rule:admin_or_projectadmin_required
|
|
delete_image_location: rule:admin_or_projectadmin_required
|
|
delete_member: rule:admin_or_projectadmin_required
|
|
delete_metadef_namespace: rule:admin_or_projectadmin_required
|
|
delete_metadef_object: rule:admin_or_projectadmin_required
|
|
delete_metadef_tag: rule:admin_or_projectadmin_required
|
|
delete_metadef_tags: rule:admin_or_projectadmin_required
|
|
download_image: ""
|
|
get_image: ""
|
|
get_image_location: ""
|
|
get_images: ""
|
|
get_member: ""
|
|
get_members: ""
|
|
get_metadef_namespace: ""
|
|
get_metadef_namespaces: ""
|
|
get_metadef_object: ""
|
|
get_metadef_objects: ""
|
|
get_metadef_properties: ""
|
|
get_metadef_property: ""
|
|
get_metadef_resource_type: ""
|
|
get_metadef_tag: ""
|
|
get_metadef_tags: ""
|
|
get_task: ""
|
|
get_tasks: ""
|
|
list_metadef_resource_types: ""
|
|
manage_image_cache: role:admin
|
|
modify_image: rule:admin_or_projectmember_required
|
|
modify_member: rule:admin_or_projectmember_required
|
|
modify_metadef_namespace: rule:admin_or_projectadmin_required
|
|
modify_metadef_object: rule:admin_or_projectadmin_required
|
|
modify_metadef_property: rule:admin_or_projectadmin_required
|
|
modify_metadef_tag: rule:admin_or_projectadmin_required
|
|
modify_task: rule:admin_or_projectadmin_required
|
|
publicize_image: rule:admin_or_projectadmin_required
|
|
reactivate: rule:admin_or_projectadmin_required
|
|
remove_metadef_property: rule:admin_or_projectadmin_required
|
|
remove_metadef_resource_type_association: rule:admin_or_projectadmin_required
|
|
set_image_location: rule:admin_or_projectadmin_required
|
|
tasks_api_access: role:admin
|
|
upload_image: rule:admin_or_projectmember_required
|
|
neutron:
|
|
owner: tenant_id:%(tenant_id)s
|
|
ext_parent_owner: tenant_id:%(ext_parent:tenant_id)s
|
|
generic_owner: rule:owner or rule:network_owner
|
|
network_owner: tenant_id:%(network:tenant_id)s
|
|
context_is_admin: role:admin
|
|
context_is_advsvc: role:advsvc
|
|
external: field:networks:router:external=True
|
|
admin_only: rule:context_is_admin
|
|
admin_or_data_plane_int: rule:context_is_admin or role:data_plane_integrator
|
|
admin_or_ext_parent_owner: rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s
|
|
admin_or_generic_owner: rule:context_is_admin or rule:generic_owner
|
|
admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s
|
|
admin_or_owner: rule:context_is_admin or rule:owner
|
|
admin_or_projectadmin_ext_owner: rule:context_is_admin or rule:projectadmin_and_ext_owner
|
|
admin_or_projectadmin_generic_owner: rule:context_is_admin or rule:projectadmin_and_generic_owner
|
|
admin_or_projectadmin_network_owner: rule:context_is_admin or rule:projectadmin_and_network_owner
|
|
admin_or_projectadmin_owner: rule:context_is_admin or rule:projectadmin_and_owner
|
|
admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required
|
|
admin_or_projectmember_generic_owner: rule:context_is_admin or rule:projectmember_and_generic_owner
|
|
admin_or_projectmember_network_owner: rule:context_is_admin or rule:projectmember_and_network_owner
|
|
admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner
|
|
admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required
|
|
admin_or_qos_owner: rule:context_is_admin or tenant_id:%(qos:tenant_id)s
|
|
admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner
|
|
projectadmin_and_ext_owner: rule:projectadmin_required and rule:ext_parent_owner
|
|
projectadmin_and_generic_owner: rule:projectadmin_required and rule:generic_owner
|
|
projectadmin_and_network_owner: rule:projectadmin_required and rule:network_owner
|
|
projectadmin_and_owner: rule:projectadmin_required and rule:owner
|
|
projectadmin_required: role:project_admin
|
|
projectmember_and_generic_owner: rule:projectmember_required and rule:generic_owner
|
|
projectmember_and_network_owner: rule:projectmember_required and rule:network_owner
|
|
projectmember_and_owner: rule:projectmember_required and rule:owner
|
|
projectmember_required: role:project_admin or role:member
|
|
regular_user: ""
|
|
network_device: 'field:port:device_owner=~^network:'
|
|
add_router_interface: rule:admin_or_projectadmin_owner
|
|
add_subports: rule:admin_or_projectadmin_owner
|
|
create_address_scope: rule:admin_or_projectadmin_required
|
|
create_address_scope:shared: rule:admin_or_projectadmin_required
|
|
create_dhcp-network: rule:admin_only
|
|
create_flavor_service_profile: rule:admin_only
|
|
create_flavor: rule:admin_only
|
|
create_floatingip_port_forwarding: rule:admin_or_projectadmin_required
|
|
create_floatingip: rule:admin_or_projectadmin_required
|
|
create_floatingip:floating_ip_address: rule:admin_or_projectadmin_required
|
|
create_l3-router: rule:admin_only
|
|
create_log: rule:admin_only
|
|
create_lsn: rule:admin_only
|
|
create_metering_label_rule: rule:admin_only
|
|
create_metering_label: rule:admin_only
|
|
create_network_profile: rule:admin_only
|
|
create_network: rule:admin_or_projectadmin_required
|
|
create_network:is_default: rule:admin_only
|
|
create_network:provider:network_type: rule:admin_only
|
|
create_network:provider:physical_network: rule:admin_only
|
|
create_network:provider:segmentation_id: rule:admin_only
|
|
create_network:router:external: rule:admin_only
|
|
create_network:segments: rule:admin_only
|
|
create_network:shared: rule:admin_or_projectadmin_required
|
|
create_network:wrs-tm:qos: rule:admin_or_qos_owner
|
|
create_policy_bandwidth_limit_rule: rule:admin_only
|
|
create_policy_dscp_marking_rule: rule:admin_only
|
|
create_policy_minimum_bandwidth_rule: rule:admin_only
|
|
create_policy: rule:admin_only
|
|
create_port: rule:admin_or_projectmember_required
|
|
create_port:allowed_address_pairs: rule:admin_or_network_owner
|
|
create_port:binding:host_id: rule:admin_only
|
|
create_port:binding:profile: rule:admin_only
|
|
create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:wrs-binding:mac_filtering: rule:admin_only
|
|
create_port:wrs-binding:mtu: rule:admin_only
|
|
create_port:wrs-tm:qos: rule:admin_or_qos_owner
|
|
create_providernet_range: rule:admin_only
|
|
create_providernet: rule:admin_only
|
|
create_portforwarding: rule:admin_or_projectadmin_required
|
|
create_qos_queue: rule:admin_only
|
|
create_qos: rule:admin_only
|
|
create_rbac_policy: rule:admin_or_projectadmin_required
|
|
create_rbac_policy:target_tenant: rule:restrict_wildcard
|
|
create_router: rule:admin_or_projectadmin_required
|
|
create_router:distributed: rule:admin_or_projectadmin_required
|
|
create_router:external_gateway_info:enable_snat: rule:admin_or_projectadmin_required
|
|
create_router:external_gateway_info:external_fixed_ips: rule:admin_or_projectadmin_required
|
|
create_router:ha: rule:admin_or_projectadmin_required
|
|
create_security_group_rule: rule:admin_or_projectadmin_owner
|
|
create_security_group: rule:admin_or_projectadmin_owner
|
|
create_segment: rule:admin_only
|
|
create_service_profile: rule:admin_only
|
|
create_subnet: rule:admin_or_projectadmin_network_owner
|
|
create_subnet:segment_id: rule:admin_only
|
|
create_subnet:service_types: rule:admin_only
|
|
create_subnet:wrs-provider:segmentation_id: rule:admin_only
|
|
create_subnetpool: rule:admin_or_projectadmin_required
|
|
create_subnetpool:is_default: rule:admin_only
|
|
create_subnetpool:shared: rule:admin_or_projectadmin_required
|
|
create_trunk: rule:admin_or_projectadmin_required
|
|
delete_address_scope: rule:admin_or_projectadmin_owner
|
|
delete_agent: rule:admin_only
|
|
delete_dhcp-network: rule:admin_only
|
|
delete_flavor_service_profile: rule:admin_only
|
|
delete_flavor: rule:admin_only
|
|
delete_floatingip_port_forwarding: rule:admin_or_projectadmin_ext_owner
|
|
delete_floatingip: rule:admin_or_projectadmin_owner
|
|
delete_l3-router: rule:admin_only
|
|
delete_log: rule:admin_only
|
|
delete_metering_label_rule: rule:admin_only
|
|
delete_metering_label: rule:admin_only
|
|
delete_network_profile: rule:admin_only
|
|
delete_network: rule:admin_or_projectadmin_owner
|
|
delete_policy_bandwidth_limit_rule: rule:admin_only
|
|
delete_policy_dscp_marking_rule: rule:admin_only
|
|
delete_policy_minimum_bandwidth_rule: rule:admin_only
|
|
delete_policy: rule:admin_only
|
|
delete_port: rule:context_is_advsvc or rule:admin_or_projectmember_generic_owner
|
|
delete_providernet_range: rule:admin_only
|
|
delete_providernet: rule:admin_only
|
|
delete_qos: rule:admin_only
|
|
delete_portforwarding: rule:admin_or_projectadmin_owner
|
|
delete_rbac_policy: rule:admin_or_projectadmin_owner
|
|
delete_router: rule:admin_or_projectadmin_owner
|
|
delete_security_group_rule: rule:admin_or_projectadmin_owner
|
|
delete_security_group: rule:admin_or_projectadmin_owner
|
|
delete_segment: rule:admin_only
|
|
delete_service_profile: rule:admin_only
|
|
delete_subnet: rule:admin_or_projectadmin_network_owner
|
|
delete_subnetpool: rule:admin_or_projectadmin_owner
|
|
delete_trunk: rule:admin_or_projectadmin_owner
|
|
get_address_scope: rule:admin_or_owner or rule:shared_address_scopes
|
|
get_agent-loadbalancers: rule:admin_only
|
|
get_agent: rule:admin_only
|
|
get_auto_allocated_topology: rule:admin_or_owner
|
|
get_dhcp-agents: rule:admin_only
|
|
get_dhcp-networks: rule:admin_only
|
|
get_flavor_service_profile: rule:regular_user
|
|
get_flavor: rule:regular_user
|
|
get_flavors: rule:regular_user
|
|
get_floatingip_port_forwarding: rule:admin_or_ext_parent_owner or rule:context_is_advsvc
|
|
get_floatingip: rule:admin_or_owner
|
|
get_l3-agents: rule:admin_only
|
|
get_l3-routers: rule:admin_only
|
|
get_loadbalancer-agent: rule:admin_only
|
|
get_loadbalancer-hosting-agent: rule:admin_only
|
|
get_loadbalancer-pools: rule:admin_only
|
|
get_log: rule:admin_only
|
|
get_loggable_resources: rule:admin_only
|
|
get_logs: rule:admin_only
|
|
get_lsn: rule:admin_only
|
|
get_metering_label_rule: rule:admin_only
|
|
get_metering_label: rule:admin_only
|
|
get_network_ip_availabilities: rule:admin_or_projectadmin_owner
|
|
get_network_ip_availability: rule:admin_or_projectadmin_owner
|
|
get_network_profile: ""
|
|
get_network_profiles: ""
|
|
get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
|
|
get_network:provider:network_type: rule:admin_only
|
|
get_network:provider:physical_network: rule:admin_only
|
|
get_network:provider:segmentation_id: rule:admin_only
|
|
get_network:queue_id: rule:admin_only
|
|
get_network:router:external: rule:regular_user
|
|
get_network:segments: rule:admin_only
|
|
get_network:wrs-tm:qos: rule:admin_or_qos_owner
|
|
get_policy_bandwidth_limit_rule: rule:regular_user
|
|
get_policy_dscp_marking_rule: rule:regular_user
|
|
get_policy_minimum_bandwidth_rule: rule:regular_user
|
|
get_policy_profile: ""
|
|
get_policy_profiles: ""
|
|
get_policy: rule:regular_user
|
|
get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
|
|
get_port:binding:host_id: rule:admin_only
|
|
get_port:binding:profile: rule:admin_only
|
|
get_port:binding:vif_details: rule:admin_only
|
|
get_port:binding:vif_type: rule:admin_only
|
|
get_port:queue_id: rule:admin_only
|
|
get_portforwarding: rule:admin_or_owner
|
|
get_portforwardings: rule:admin_or_owner
|
|
get_providernet_range: rule:admin_only
|
|
get_providernet_ranges: rule:admin_only
|
|
get_providernet_types: rule:admin_only
|
|
get_providernet-bindings: rule:admin_only
|
|
get_providernet: rule:admin_only
|
|
get_providernets: rule:admin_only
|
|
get_qos_queue: rule:admin_only
|
|
get_qos: rule:admin_or_owner
|
|
get_rbac_policy: rule:admin_or_owner
|
|
get_router: rule:admin_or_owner
|
|
get_router:distributed: rule:admin_or_projectadmin_required
|
|
get_router:ha: rule:admin_or_projectadmin_required
|
|
get_router:wrs-net:host: rule:admin_only
|
|
get_routers:wrs-net:host: rule:admin_only
|
|
get_rule_type: rule:regular_user
|
|
get_security_group_rule: rule:admin_or_owner
|
|
get_security_group_rules: rule:admin_or_owner
|
|
get_security_group: rule:admin_or_owner
|
|
get_security_groups: rule:admin_or_owner
|
|
get_segment: rule:admin_only
|
|
get_service_profile: rule:admin_only
|
|
get_service_profiles: rule:admin_only
|
|
get_service_provider: rule:regular_user
|
|
get_subnet: rule:admin_or_owner or rule:shared
|
|
get_subnet:segment_id: rule:admin_only
|
|
get_subnet:wrs-provider:network_type: rule:admin_only
|
|
get_subnet:wrs-provider:physical_network: rule:admin_only
|
|
get_subnet:wrs-provider:segmentation_id: rule:admin_only
|
|
get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools
|
|
insert_rule: rule:admin_or_owner
|
|
get_subports: ""
|
|
get_trunk: rule:admin_or_owner
|
|
remove_router_interface: rule:admin_or_projectadmin_owner
|
|
remove_subports: rule:admin_or_projectadmin_owner
|
|
remove_rule: rule:admin_or_owner
|
|
restrict_wildcard: (not field:rbac_policy:target_tenant=*) or rule:admin_only
|
|
shared_address_scopes: field:address_scopes:shared=True
|
|
shared_subnetpools: field:subnetpools:shared=True
|
|
shared: field:networks:shared=True
|
|
update_address_scope: rule:admin_or_projectadmin_owner
|
|
update_address_scope:shared: rule:admin_or_projectadmin_owner
|
|
update_agent: rule:admin_only
|
|
update_flavor: rule:admin_only
|
|
update_floatingip_port_forwarding: rule:admin_or_projectadmin_ext_owner
|
|
update_floatingip: rule:admin_or_projectadmin_owner
|
|
update_log: rule:admin_only
|
|
update_network_profile: rule:admin_only
|
|
update_network: rule:admin_or_projectadmin_owner
|
|
update_network:provider:network_type: rule:admin_only
|
|
update_network:provider:physical_network: rule:admin_only
|
|
update_network:provider:segmentation_id: rule:admin_only
|
|
update_network:router:external: rule:admin_only
|
|
update_network:segments: rule:admin_only
|
|
update_network:shared: rule:admin_or_projectadmin_required
|
|
update_network:wrs-tm:qos: rule:admin_or_qos_owner
|
|
update_policy_bandwidth_limit_rule: rule:admin_only
|
|
update_policy_dscp_marking_rule: rule:admin_only
|
|
update_policy_minimum_bandwidth_rule: rule:admin_only
|
|
update_policy_profiles: rule:admin_only
|
|
update_policy: rule:admin_only
|
|
update_port: rule:admin_or_projectmember_owner or rule:context_is_advsvc
|
|
update_port:allowed_address_pairs: rule:admin_or_network_owner
|
|
update_port:binding:host_id: rule:admin_only
|
|
update_port:binding:profile: rule:admin_only
|
|
update_port:data_plane_status: rule:admin_or_data_plane_int
|
|
update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
|
|
update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
update_port:mac_address: rule:admin_only or rule:context_is_advsvc
|
|
update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
update_port:wrs-binding:mac_filtering: rule:admin_only
|
|
update_port:wrs-binding:mtu: rule:admin_only
|
|
update_port:wrs-tm:qos: rule:admin_or_qos_owner
|
|
update_providernet_range: rule:admin_only
|
|
update_providernet: rule:admin_only
|
|
update_qos: rule:admin_only
|
|
update_portforwarding: rule:admin_or_projectadmin_owner
|
|
update_rbac_policy: rule:admin_or_projectadmin_owner
|
|
update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner
|
|
update_router: rule:admin_or_projectadmin_owner
|
|
update_router:distributed: rule:admin_or_projectadmin_required
|
|
update_router:external_gateway_info: rule:admin_or_projectadmin_owner
|
|
update_router:external_gateway_info:enable_snat: rule:admin_or_projectadmin_required
|
|
update_router:external_gateway_info:external_fixed_ips: rule:admin_or_projectadmin_required
|
|
update_router:external_gateway_info:network_id: rule:admin_or_projectadmin_owner
|
|
update_router:ha: rule:admin_or_projectadmin_required
|
|
update_security_group: rule:admin_or_projectadmin_owner
|
|
update_segment: rule:admin_only
|
|
update_service_profile: rule:admin_only
|
|
update_subnet: rule:admin_or_projectadmin_network_owner
|
|
update_subnet:service_types: rule:admin_only
|
|
update_subnet:wrs-provider:segmentation_id: rule:admin_only
|
|
update_subnetpool: rule:admin_or_projectadmin_owner
|
|
update_subnetpool:is_default: rule:admin_only
|
|
update_trunk: rule:admin_or_projectadmin_owner
|
|
default: rule:admin_or_owner
|