Merge "Sync default policy rules"

openstack_dashboard/conf/default_policies/glance.yaml

@@ -18,10 +18,10 @@
   name: context_is_admin
   operations: []
   scope_types: null
-- check_str: role:admin or (role:member and project_id:%(project_id)s)
+- check_str: role:role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -39,7 +39,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -55,10 +55,10 @@
   - system
   - project
 - check_str: role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s
-    or "community":%(visibility)s or "public":%(visibility)s))
+    or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -76,7 +76,7 @@
 - check_str: role:admin or (role:reader and project_id:%(project_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -94,7 +94,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -121,7 +121,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -140,7 +140,7 @@
     or "community":%(visibility)s or "public":%(visibility)s))
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -158,7 +158,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -176,7 +176,7 @@
 - check_str: role:admin
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -194,7 +194,7 @@
 - check_str: role:admin or (role:reader and project_id:%(project_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -212,7 +212,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -230,7 +230,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -248,7 +248,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -263,10 +263,10 @@
   scope_types:
   - system
   - project
-- check_str: role:admin or (role:reader and project_id:%(project_id)s)
+- check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -281,10 +281,10 @@
   scope_types:
   - system
   - project
-- check_str: role:admin or (role:reader and project_id:%(project_id)s)
+- check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -299,10 +299,10 @@
   scope_types:
   - system
   - project
-- check_str: role:admin or (role:member and project_id:%(project_id)s)
+- check_str: role:admin or (role:member and project_id:%(member_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -327,7 +327,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -345,7 +345,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
   deprecated_reason: '
 
-    The image API now supports and default roles.
+    The image API now supports roles.
 
     '
   deprecated_rule:
@@ -370,6 +370,18 @@
   - system
   - project
 - check_str: rule:default
+  deprecated_reason: '
+
+    From Xena we are enforcing policy checks in the API and policy layer where task
+    policies were enforcing will be removed. Since task APIs are already deprecated
+    and `tasks_api_access` is checked for each API at API layer, there will be no
+    benefit of other having other task related policies.
+
+    '
+  deprecated_rule:
+    check_str: rule:default
+    name: get_task
+  deprecated_since: X
   description: 'Get an image task.
 
 
@@ -394,6 +406,18 @@
   - system
   - project
 - check_str: rule:default
+  deprecated_reason: '
+
+    From Xena we are enforcing policy checks in the API and policy layer where task
+    policies were enforcing will be removed. Since task APIs are already deprecated
+    and `tasks_api_access` is checked for each API at API layer, there will be no
+    benefit of other having other task related policies.
+
+    '
+  deprecated_rule:
+    check_str: rule:default
+    name: get_task
+  deprecated_since: X
   description: 'List tasks for all images.
 
 
@@ -418,6 +442,18 @@
   - system
   - project
 - check_str: rule:default
+  deprecated_reason: '
+
+    From Xena we are enforcing policy checks in the API and policy layer where task
+    policies were enforcing will be removed. Since task APIs are already deprecated
+    and `tasks_api_access` is checked for each API at API layer, there will be no
+    benefit of other having other task related policies.
+
+    '
+  deprecated_rule:
+    check_str: rule:default
+    name: add_task
+  deprecated_since: X
   description: 'List tasks for all images.
 
 

openstack_dashboard/conf/default_policies/keystone.yaml

@@ -467,9 +467,9 @@
   - method: HEAD
     path: /v3/domains/{domain_id}/config/security_compliance
   - method: GET
-    path: v3/domains/{domain_id}/config/security_compliance/{option}
+    path: /v3/domains/{domain_id}/config/security_compliance/{option}
   - method: HEAD
-    path: v3/domains/{domain_id}/config/security_compliance/{option}
+    path: /v3/domains/{domain_id}/config/security_compliance/{option}
   scope_types:
   - system
   - domain
@@ -1887,15 +1887,7 @@
     or project_id:%(target.project.id)s
   deprecated_reason: '
 
-    As of the Train release, the project tags API understands how to handle
+    The project API is now aware of system scope and default roles.
-
-    system-scoped tokens in addition to project and domain tokens, making the API
-
-    more accessible to users without compromising security or manageability for
-
-    administrators. The new default policies for this API account for these changes
-
-    automatically.
 
     '
   deprecated_rule:
@@ -1917,15 +1909,7 @@
     or project_id:%(target.project.id)s
   deprecated_reason: '
 
-    As of the Train release, the project tags API understands how to handle
+    The project API is now aware of system scope and default roles.
-
-    system-scoped tokens in addition to project and domain tokens, making the API
-
-    more accessible to users without compromising security or manageability for
-
-    administrators. The new default policies for this API account for these changes
-
-    automatically.
 
     '
   deprecated_rule:
@@ -1947,15 +1931,7 @@
     or (role:admin and project_id:%(target.project.id)s)
   deprecated_reason: '
 
-    As of the Train release, the project tags API understands how to handle
+    The project API is now aware of system scope and default roles.
-
-    system-scoped tokens in addition to project and domain tokens, making the API
-
-    more accessible to users without compromising security or manageability for
-
-    administrators. The new default policies for this API account for these changes
-
-    automatically.
 
     '
   deprecated_rule:
@@ -1975,15 +1951,7 @@
     or (role:admin and project_id:%(target.project.id)s)
   deprecated_reason: '
 
-    As of the Train release, the project tags API understands how to handle
+    The project API is now aware of system scope and default roles.
-
-    system-scoped tokens in addition to project and domain tokens, making the API
-
-    more accessible to users without compromising security or manageability for
-
-    administrators. The new default policies for this API account for these changes
-
-    automatically.
 
     '
   deprecated_rule:
@@ -2003,15 +1971,7 @@
     or (role:admin and project_id:%(target.project.id)s)
   deprecated_reason: '
 
-    As of the Train release, the project tags API understands how to handle
+    The project API is now aware of system scope and default roles.
-
-    system-scoped tokens in addition to project and domain tokens, making the API
-
-    more accessible to users without compromising security or manageability for
-
-    administrators. The new default policies for this API account for these changes
-
-    automatically.
 
     '
   deprecated_rule:
@@ -2031,15 +1991,7 @@
     or (role:admin and project_id:%(target.project.id)s)
   deprecated_reason: '
 
-    As of the Train release, the project tags API understands how to handle
+    The project API is now aware of system scope and default roles.
-
-    system-scoped tokens in addition to project and domain tokens, making the API
-
-    more accessible to users without compromising security or manageability for
-
-    administrators. The new default policies for this API account for these changes
-
-    automatically.
 
     '
   deprecated_rule:

openstack_dashboard/conf/default_policies/neutron.yaml

@@ -529,6 +529,7 @@
   - method: POST
     path: /floatingips
   scope_types:
+  - system
   - project
 - check_str: role:admin and system_scope:all
   deprecated_reason: null
@@ -600,7 +601,7 @@
   - method: GET
     path: /floatingip_pools
   scope_types:
-  - admin
+  - system
   - project
 - check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
     or rule:ext_parent_owner
@@ -752,6 +753,7 @@
     path: /log/logs
   scope_types:
   - system
+  - project
 - check_str: role:reader and system_scope:all
   deprecated_reason: null
   deprecated_rule:
@@ -898,6 +900,7 @@
   - method: POST
     path: /networks
   scope_types:
+  - system
   - project
 - check_str: role:admin and system_scope:all
   deprecated_reason: null
@@ -942,6 +945,7 @@
   name: create_network:port_security_enabled
   operations: *id001
   scope_types:
+  - system
   - project
 - check_str: role:admin and system_scope:all
   deprecated_reason: null
@@ -1014,6 +1018,7 @@
   name: get_network:router:external
   operations: *id002
   scope_types:
+  - system
   - project
 - check_str: role:reader and system_scope:all
   deprecated_reason: null
@@ -1379,6 +1384,7 @@
   name: create_port:binding:vnic_type
   operations: *id004
   scope_types:
+  - system
   - project
 - check_str: role:admin and system_scope:all or role:admin and project_id:%(project_id)s
     or rule:network_owner
@@ -2046,7 +2052,7 @@
   scope_types:
   - system
   - project
-- check_str: role:admin and system_scope:all or rule:restrict_wildcard
+- check_str: role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:restrict_wildcard
@@ -2074,7 +2080,7 @@
   scope_types:
   - project
   - system
-- check_str: role:admin and system_scope:all or rule:restrict_wildcard
+- check_str: role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:restrict_wildcard and rule:admin_or_owner
@@ -2130,6 +2136,7 @@
   - method: POST
     path: /routers
   scope_types:
+  - system
   - project
 - check_str: role:admin and system_scope:all
   deprecated_reason: null
@@ -2367,6 +2374,34 @@
   scope_types:
   - system
   - project
+- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:admin_or_owner
+    name: add_extraroutes
+  deprecated_since: null
+  description: Add extra route to a router
+  name: add_extraroutes
+  operations:
+  - method: PUT
+    path: /routers/{id}/add_extraroutes
+  scope_types:
+  - system
+  - project
+- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:admin_or_owner
+    name: remove_extraroutes
+  deprecated_since: null
+  description: Remove extra route from a router
+  name: remove_extraroutes
+  operations:
+  - method: PUT
+    path: /routers/{id}/remove_extraroutes
+  scope_types:
+  - system
+  - project
 - check_str: rule:context_is_admin or tenant_id:%(security_group:tenant_id)s
   description: Rule for admin or security group owner access
   name: admin_or_sg_owner
@@ -2534,7 +2569,7 @@
     path: /segments/{id}
   scope_types:
   - system
-- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
+- check_str: role:reader
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:regular_user

openstack_dashboard/conf/default_policies/nova.yaml

@@ -1808,7 +1808,7 @@
   deprecated_rule:
     check_str: rule:admin_or_owner
     name: os_compute_api:os-security-groups
-  deprecated_since: 21.0.0
+  deprecated_since: 22.0.0
   description: List security groups of server.
   name: os_compute_api:os-security-groups:list
   operations:
@@ -1830,7 +1830,7 @@
   deprecated_rule:
     check_str: rule:admin_or_owner
     name: os_compute_api:os-security-groups
-  deprecated_since: 21.0.0
+  deprecated_since: 22.0.0
   description: Add security groups to server.
   name: os_compute_api:os-security-groups:add
   operations:
@@ -1852,7 +1852,7 @@
   deprecated_rule:
     check_str: rule:admin_or_owner
     name: os_compute_api:os-security-groups
-  deprecated_since: 21.0.0
+  deprecated_since: 22.0.0
   description: Remove security groups from server.
   name: os_compute_api:os-security-groups:remove
   operations:

openstack_dashboard/conf/glance_policy.yaml

@@ -18,13 +18,13 @@
 # Create new image
 # POST  /v2/images
 # Intended scope(s): system, project
-#"add_image": "role:admin or (role:member and project_id:%(project_id)s)"
+#"add_image": "role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"
 
 # DEPRECATED
 # "add_image":"rule:default" has been deprecated since W in favor of
 # "add_image":"role:admin or (role:member and
-# project_id:%(project_id)s)".
+# project_id:%(project_id)s and project_id:%(owner)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Deletes the image
 # DELETE  /v2/images/{image_id}
@@ -35,19 +35,20 @@
 # "delete_image":"rule:default" has been deprecated since W in favor
 # of "delete_image":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Get specified image
 # GET  /v2/images/{image_id}
 # Intended scope(s): system, project
-#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))"
+#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))"
 
 # DEPRECATED
 # "get_image":"rule:default" has been deprecated since W in favor of
 # "get_image":"role:admin or (role:reader and
 # (project_id:%(project_id)s or project_id:%(member_id)s or
-# "community":%(visibility)s or "public":%(visibility)s))".
+# "community":%(visibility)s or "public":%(visibility)s or
-# The image API now supports and default roles.
+# "shared":%(visibility)s))".
+# The image API now supports roles.
 
 # Get all available images
 # GET  /v2/images
@@ -58,7 +59,7 @@
 # "get_images":"rule:default" has been deprecated since W in favor of
 # "get_images":"role:admin or (role:reader and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Updates given image
 # PATCH  /v2/images/{image_id}
@@ -69,7 +70,7 @@
 # "modify_image":"rule:default" has been deprecated since W in favor
 # of "modify_image":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Publicize given image
 # PATCH  /v2/images/{image_id}
@@ -85,19 +86,20 @@
 # "communitize_image":"rule:default" has been deprecated since W in
 # favor of "communitize_image":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Downloads given image
 # GET  /v2/images/{image_id}/file
 # Intended scope(s): system, project
-#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))"
+#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))"
 
 # DEPRECATED
 # "download_image":"rule:default" has been deprecated since W in favor
 # of "download_image":"role:admin or (role:member and
 # (project_id:%(project_id)s or project_id:%(member_id)s or
-# "community":%(visibility)s or "public":%(visibility)s))".
+# "community":%(visibility)s or "public":%(visibility)s or
-# The image API now supports and default roles.
+# "shared":%(visibility)s))".
+# The image API now supports roles.
 
 # Uploads data to specified image
 # PUT  /v2/images/{image_id}/file
@@ -108,7 +110,7 @@
 # "upload_image":"rule:default" has been deprecated since W in favor
 # of "upload_image":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Deletes the location of given image
 # PATCH  /v2/images/{image_id}
@@ -118,7 +120,7 @@
 # DEPRECATED
 # "delete_image_location":"rule:default" has been deprecated since W
 # in favor of "delete_image_location":"role:admin".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Reads the location of the image
 # GET  /v2/images/{image_id}
@@ -129,7 +131,7 @@
 # "get_image_location":"rule:default" has been deprecated since W in
 # favor of "get_image_location":"role:admin or (role:reader and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Sets location URI to given image
 # PATCH  /v2/images/{image_id}
@@ -140,7 +142,7 @@
 # "set_image_location":"rule:default" has been deprecated since W in
 # favor of "set_image_location":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Create image member
 # POST  /v2/images/{image_id}/members
@@ -151,7 +153,7 @@
 # "add_member":"rule:default" has been deprecated since W in favor of
 # "add_member":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Delete image member
 # DELETE  /v2/images/{image_id}/members/{member_id}
@@ -162,40 +164,40 @@
 # "delete_member":"rule:default" has been deprecated since W in favor
 # of "delete_member":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Show image member details
 # GET  /v2/images/{image_id}/members/{member_id}
 # Intended scope(s): system, project
-#"get_member": "role:admin or (role:reader and project_id:%(project_id)s)"
+#"get_member": "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
 
 # DEPRECATED
 # "get_member":"rule:default" has been deprecated since W in favor of
-# "get_member":"role:admin or (role:reader and
+# "get_member":"role:admin or role:reader and
-# project_id:%(project_id)s)".
+# (project_id:%(project_id)s or project_id:%(member_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # List image members
 # GET  /v2/images/{image_id}/members
 # Intended scope(s): system, project
-#"get_members": "role:admin or (role:reader and project_id:%(project_id)s)"
+#"get_members": "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
 
 # DEPRECATED
 # "get_members":"rule:default" has been deprecated since W in favor of
-# "get_members":"role:admin or (role:reader and
+# "get_members":"role:admin or role:reader and
-# project_id:%(project_id)s)".
+# (project_id:%(project_id)s or project_id:%(member_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Update image member
 # PUT  /v2/images/{image_id}/members/{member_id}
 # Intended scope(s): system, project
-#"modify_member": "role:admin or (role:member and project_id:%(project_id)s)"
+#"modify_member": "role:admin or (role:member and project_id:%(member_id)s)"
 
 # DEPRECATED
 # "modify_member":"rule:default" has been deprecated since W in favor
 # of "modify_member":"role:admin or (role:member and
-# project_id:%(project_id)s)".
+# project_id:%(member_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Manage image cache
 # Intended scope(s): system, project
@@ -210,7 +212,7 @@
 # "deactivate":"rule:default" has been deprecated since W in favor of
 # "deactivate":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Reactivate image
 # POST  /v2/images/{image_id}/actions/reactivate
@@ -221,7 +223,7 @@
 # "reactivate":"rule:default" has been deprecated since W in favor of
 # "reactivate":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 
 # Copy existing image to other stores
 # POST  /v2/images/{image_id}/import
@@ -241,6 +243,15 @@
 # Intended scope(s): system, project
 #"get_task": "rule:default"
 
+# DEPRECATED
+# "get_task":"rule:default" has been deprecated since X in favor of
+# "get_task":"rule:default".
+# From Xena we are enforcing policy checks in the API and policy layer
+# where task policies were enforcing will be removed. Since task APIs
+# are already deprecated and `tasks_api_access` is checked for each
+# API at API layer, there will be no benefit of other having other
+# task related policies.
+
 # List tasks for all images.
 #
 # This granular policy controls access to tasks, both from the tasks
@@ -254,6 +265,15 @@
 # Intended scope(s): system, project
 #"get_tasks": "rule:default"
 
+# DEPRECATED
+# "get_tasks":"rule:default" has been deprecated since X in favor of
+# "get_tasks":"rule:default".
+# From Xena we are enforcing policy checks in the API and policy layer
+# where task policies were enforcing will be removed. Since task APIs
+# are already deprecated and `tasks_api_access` is checked for each
+# API at API layer, there will be no benefit of other having other
+# task related policies.
+
 # List tasks for all images.
 #
 # This granular policy controls access to tasks, both from the tasks
@@ -267,6 +287,15 @@
 # Intended scope(s): system, project
 #"add_task": "rule:default"
 
+# DEPRECATED
+# "add_task":"rule:default" has been deprecated since X in favor of
+# "add_task":"rule:default".
+# From Xena we are enforcing policy checks in the API and policy layer
+# where task policies were enforcing will be removed. Since task APIs
+# are already deprecated and `tasks_api_access` is checked for each
+# API at API layer, there will be no benefit of other having other
+# task related policies.
+
 # DEPRECATED
 # "modify_task" has been deprecated since W.
 # This policy check has never been honored by the API. It will be

openstack_dashboard/conf/keystone_policy.yaml

@@ -340,8 +340,8 @@
 # a specific option in a domain.
 # GET  /v3/domains/{domain_id}/config/security_compliance
 # HEAD  /v3/domains/{domain_id}/config/security_compliance
-# GET  v3/domains/{domain_id}/config/security_compliance/{option}
+# GET  /v3/domains/{domain_id}/config/security_compliance/{option}
-# HEAD  v3/domains/{domain_id}/config/security_compliance/{option}
+# HEAD  /v3/domains/{domain_id}/config/security_compliance/{option}
 # Intended scope(s): system, domain, project
 #"identity:get_security_compliance_domain_config": ""
 
@@ -1547,11 +1547,7 @@
 # system_scope:all) or (role:reader and
 # domain_id:%(target.project.domain_id)s) or
 # project_id:%(target.project.id)s".
-# As of the Train release, the project tags API understands how to
+# The project API is now aware of system scope and default roles.
-# handle system-scoped tokens in addition to project and domain
-# tokens, making the API more accessible to users without compromising
-# security or manageability for administrators. The new default
-# policies for this API account for these changes automatically.
 
 # Check if project contains a tag.
 # GET  /v3/projects/{project_id}/tags/{value}
@@ -1566,11 +1562,7 @@
 # system_scope:all) or (role:reader and
 # domain_id:%(target.project.domain_id)s) or
 # project_id:%(target.project.id)s".
-# As of the Train release, the project tags API understands how to
+# The project API is now aware of system scope and default roles.
-# handle system-scoped tokens in addition to project and domain
-# tokens, making the API more accessible to users without compromising
-# security or manageability for administrators. The new default
-# policies for this API account for these changes automatically.
 
 # Replace all tags on a project with the new set of tags.
 # PUT  /v3/projects/{project_id}/tags
@@ -1583,11 +1575,7 @@
 # "identity:update_project_tags":"(role:admin and system_scope:all) or
 # (role:admin and domain_id:%(target.project.domain_id)s) or
 # (role:admin and project_id:%(target.project.id)s)".
-# As of the Train release, the project tags API understands how to
+# The project API is now aware of system scope and default roles.
-# handle system-scoped tokens in addition to project and domain
-# tokens, making the API more accessible to users without compromising
-# security or manageability for administrators. The new default
-# policies for this API account for these changes automatically.
 
 # Add a single tag to a project.
 # PUT  /v3/projects/{project_id}/tags/{value}
@@ -1600,11 +1588,7 @@
 # "identity:create_project_tag":"(role:admin and system_scope:all) or
 # (role:admin and domain_id:%(target.project.domain_id)s) or
 # (role:admin and project_id:%(target.project.id)s)".
-# As of the Train release, the project tags API understands how to
+# The project API is now aware of system scope and default roles.
-# handle system-scoped tokens in addition to project and domain
-# tokens, making the API more accessible to users without compromising
-# security or manageability for administrators. The new default
-# policies for this API account for these changes automatically.
 
 # Remove all tags from a project.
 # DELETE  /v3/projects/{project_id}/tags
@@ -1617,11 +1601,7 @@
 # "identity:delete_project_tags":"(role:admin and system_scope:all) or
 # (role:admin and domain_id:%(target.project.domain_id)s) or
 # (role:admin and project_id:%(target.project.id)s)".
-# As of the Train release, the project tags API understands how to
+# The project API is now aware of system scope and default roles.
-# handle system-scoped tokens in addition to project and domain
-# tokens, making the API more accessible to users without compromising
-# security or manageability for administrators. The new default
-# policies for this API account for these changes automatically.
 
 # Delete a specified tag from project.
 # DELETE  /v3/projects/{project_id}/tags/{value}
@@ -1634,11 +1614,7 @@
 # "identity:delete_project_tag":"(role:admin and system_scope:all) or
 # (role:admin and domain_id:%(target.project.domain_id)s) or
 # (role:admin and project_id:%(target.project.id)s)".
-# As of the Train release, the project tags API understands how to
+# The project API is now aware of system scope and default roles.
-# handle system-scoped tokens in addition to project and domain
-# tokens, making the API more accessible to users without compromising
-# security or manageability for administrators. The new default
-# policies for this API account for these changes automatically.
 
 # List projects allowed to access an endpoint.
 # GET  /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects

openstack_dashboard/conf/neutron_policy.yaml

@@ -403,7 +403,7 @@
 
 # Create a floating IP
 # POST  /floatingips
-# Intended scope(s): project
+# Intended scope(s): system, project
 #"create_floatingip": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
 
 # DEPRECATED
@@ -460,7 +460,7 @@
 
 # Get floating IP pools
 # GET  /floatingip_pools
-# Intended scope(s): admin, project
+# Intended scope(s): system, project
 #"get_floatingip_pool": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
 
 # DEPRECATED
@@ -708,7 +708,7 @@
 
 # Create a network
 # POST  /networks
-# Intended scope(s): project
+# Intended scope(s): system, project
 #"create_network": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
 
 # DEPRECATED
@@ -752,7 +752,7 @@
 
 # Specify ``port_security_enabled`` attribute when creating a network
 # POST  /networks
-# Intended scope(s): project
+# Intended scope(s): system, project
 #"create_network:port_security_enabled": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
 
 # DEPRECATED
@@ -826,7 +826,7 @@
 # Get ``router:external`` attribute of a network
 # GET  /networks
 # GET  /networks/{id}
-# Intended scope(s): project
+# Intended scope(s): system, project
 #"get_network:router:external": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
 
 # DEPRECATED
@@ -1184,7 +1184,7 @@
 
 # Specify ``binding:vnic_type`` attribute when creating a port
 # POST  /ports
-# Intended scope(s): project
+# Intended scope(s): system, project
 #"create_port:binding:vnic_type": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
 
 # DEPRECATED
@@ -1779,13 +1779,13 @@
 # Specify ``target_tenant`` when creating an RBAC policy
 # POST  /rbac-policies
 # Intended scope(s): system, project
-#"create_rbac_policy:target_tenant": "role:admin and system_scope:all or rule:restrict_wildcard"
+#"create_rbac_policy:target_tenant": "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
 
 # DEPRECATED
 # "create_rbac_policy:target_tenant":"rule:restrict_wildcard" has been
 # deprecated since W in favor of
 # "create_rbac_policy:target_tenant":"role:admin and system_scope:all
-# or rule:restrict_wildcard".
+# or (not field:rbac_policy:target_tenant=*)".
 # The RBAC API now supports system scope and default roles.
 
 # Update an RBAC policy
@@ -1802,13 +1802,13 @@
 # Update ``target_tenant`` attribute of an RBAC policy
 # PUT  /rbac-policies/{id}
 # Intended scope(s): system, project
-#"update_rbac_policy:target_tenant": "role:admin and system_scope:all or rule:restrict_wildcard"
+#"update_rbac_policy:target_tenant": "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
 
 # DEPRECATED
 # "update_rbac_policy:target_tenant":"rule:restrict_wildcard and
 # rule:admin_or_owner" has been deprecated since W in favor of
 # "update_rbac_policy:target_tenant":"role:admin and system_scope:all
-# or rule:restrict_wildcard".
+# or (not field:rbac_policy:target_tenant=*)".
 # The RBAC API now supports system scope and default roles.
 
 # Get an RBAC policy
@@ -1836,7 +1836,7 @@
 
 # Create a router
 # POST  /routers
-# Intended scope(s): project
+# Intended scope(s): system, project
 #"create_router": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
 
 # DEPRECATED
@@ -2068,6 +2068,28 @@
 # system_scope:all) or (role:member and project_id:%(project_id)s)".
 # The router API now supports system scope and default roles.
 
+# Add extra route to a router
+# PUT  /routers/{id}/add_extraroutes
+# Intended scope(s): system, project
+#"add_extraroutes": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+
+# DEPRECATED
+# "add_extraroutes":"rule:admin_or_owner" has been deprecated since
+# Xena in favor of "add_extraroutes":"(role:admin and
+# system_scope:all) or (role:member and project_id:%(project_id)s)".
+# The router API now supports system scope and default roles.
+
+# Remove extra route from a router
+# PUT  /routers/{id}/remove_extraroutes
+# Intended scope(s): system, project
+#"remove_extraroutes": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+
+# DEPRECATED
+# "remove_extraroutes":"rule:admin_or_owner" has been deprecated since
+# Xena in favor of "remove_extraroutes":"(role:admin and
+# system_scope:all) or (role:member and project_id:%(project_id)s)".
+# The router API now supports system scope and default roles.
+
 # Rule for admin or security group owner access
 #"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
 
@@ -2200,12 +2222,11 @@
 # Get service providers
 # GET  /service-providers
 # Intended scope(s): system, project
-#"get_service_provider": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"get_service_provider": "role:reader"
 
 # DEPRECATED
 # "get_service_provider":"rule:regular_user" has been deprecated since
-# W in favor of "get_service_provider":"(role:reader and
+# W in favor of "get_service_provider":"role:reader".
-# system_scope:all) or (role:reader and project_id:%(project_id)s)".
 # The Service Providers API now supports system scope and default
 # roles.
 

openstack_dashboard/conf/nova_policy.yaml

@@ -1116,7 +1116,7 @@
 
 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
-# deprecated since 21.0.0 in favor of "os_compute_api:os-security-
+# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
 # groups:list":"rule:system_or_project_reader".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
@@ -1130,7 +1130,7 @@
 
 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
-# deprecated since 21.0.0 in favor of "os_compute_api:os-security-
+# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
 # groups:add":"rule:system_admin_or_owner".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
@@ -1144,7 +1144,7 @@
 
 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
-# deprecated since 21.0.0 in favor of "os_compute_api:os-security-
+# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
 # groups:remove":"rule:system_admin_or_owner".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be