dc110b71c1
Blueprint make-authz-orthogonal This implements work item #1 of the blueprint. This patch enables authZ checks for 'member actions' in the base controller and removes explicit checks from l3_db. This patch also addresses a small glitch in the policy engine which was assuming the request always had a body. Change-Id: I7e0f386eedcfff24ea1fee7294bbadd6c5ec781c
70 lines
2.6 KiB
JSON
70 lines
2.6 KiB
JSON
{
|
|
"admin_or_owner": "role:admin or tenant_id:%(tenant_id)s",
|
|
"admin_or_network_owner": "role:admin or tenant_id:%(network_tenant_id)s",
|
|
"admin_only": "role:admin",
|
|
"regular_user": "",
|
|
"shared": "field:networks:shared=True",
|
|
"external": "field:networks:router:external=True",
|
|
"default": "rule:admin_or_owner",
|
|
|
|
"extension:provider_network:view": "rule:admin_only",
|
|
"extension:provider_network:set": "rule:admin_only",
|
|
|
|
"extension:router:view": "rule:regular_user",
|
|
"extension:router:set": "rule:admin_only",
|
|
|
|
"extension:port_binding:view": "rule:admin_only",
|
|
"extension:port_binding:set": "rule:admin_only",
|
|
|
|
"subnets:private:read": "rule:admin_or_owner",
|
|
"subnets:private:write": "rule:admin_or_owner",
|
|
"subnets:shared:read": "rule:regular_user",
|
|
"subnets:shared:write": "rule:admin_only",
|
|
|
|
"create_subnet": "rule:admin_or_network_owner",
|
|
"get_subnet": "rule:admin_or_owner or rule:shared",
|
|
"update_subnet": "rule:admin_or_network_owner",
|
|
"delete_subnet": "rule:admin_or_network_owner",
|
|
|
|
"create_network": "",
|
|
"get_network": "rule:admin_or_owner or rule:shared or rule:external",
|
|
"create_network:shared": "rule:admin_only",
|
|
"create_network:router:external": "rule:admin_only",
|
|
"update_network": "rule:admin_or_owner",
|
|
"delete_network": "rule:admin_or_owner",
|
|
|
|
"create_port": "",
|
|
"create_port:mac_address": "rule:admin_or_network_owner",
|
|
"create_port:fixed_ips": "rule:admin_or_network_owner",
|
|
"create_port:port_security_enabled": "rule:admin_or_network_owner",
|
|
"get_port": "rule:admin_or_owner",
|
|
"update_port": "rule:admin_or_owner",
|
|
"update_port:fixed_ips": "rule:admin_or_network_owner",
|
|
"update_port:port_security_enabled": "rule:admin_or_network_owner",
|
|
"delete_port": "rule:admin_or_owner",
|
|
|
|
"extension:service_type:view_extended": "rule:admin_only",
|
|
"create_service_type": "rule:admin_only",
|
|
"update_service_type": "rule:admin_only",
|
|
"delete_service_type": "rule:admin_only",
|
|
"get_service_type": "rule:regular_user",
|
|
|
|
"create_qos_queue": "rule:admin_only",
|
|
"get_qos_queue": "rule:admin_only",
|
|
"get_qos_queues": "rule:admin_only",
|
|
|
|
"update_agent": "rule:admin_only",
|
|
"delete_agent": "rule:admin_only",
|
|
"get_agent": "rule:admin_only",
|
|
"get_agents": "rule:admin_only",
|
|
|
|
"create_dhcp-network": "rule:admin_only",
|
|
"delete_dhcp-network": "rule:admin_only",
|
|
"get_dhcp-networks": "rule:admin_only",
|
|
"create_l3-router": "rule:admin_only",
|
|
"delete_l3-router": "rule:admin_only",
|
|
"get_l3-routers": "rule:admin_only",
|
|
"get_dhcp-agents": "rule:admin_only",
|
|
"get_l3-agents": "rule:admin_only"
|
|
}
|