openstack/neutron
Code Issues Proposed changes
neutron/neutron/conf/policies/rbac.py
Akihiro Motoki f8984c6699 Convert policy.json into policy-in-code 
This commit introduces a framework for policy-in-code support
in the neutron stadium and converts the existing policy.json
in the neutron repository into the policy-in-code style.

NOTES:
1) This commit tries not to change the existing policy behavior
provided by the neutron repository even if there are some stale policies
or policies to be defined in a neutron-related project.
They should be clean up later in Stein release.

2) 'default' policy should be dropped from the default policies
as all default policies should be defined in the code (as many projects
which already completed policy-in-code do). However, dropping 'default'
policy potentially affects policy behavior in neutron-related projects,
so it needs to be visit carefully. Considering this, this commit decides
to keep the 'default' policy.

Partially Implements: blueprint neutron-policy-in-code
Change-Id: I6a61079da4d4f5080ee32d640144e6bdb14735fa
2018-12-13 20:37:53 +00:00

53 lines
1.8 KiB
Python
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'restrict_wildcard',
'(not field:rbac_policy:target_tenant=*) or rule:admin_only',
description='Rule of restrict wildcard'),
policy.RuleDefault(
'create_rbac_policy',
'',
description='Access rule for creating RBAC policy'),
policy.RuleDefault(
'create_rbac_policy:target_tenant',
'rule:restrict_wildcard',
description=('Access rule for creating RBAC '
'policy with a specific target tenant')),
policy.RuleDefault(
'update_rbac_policy',
'rule:admin_or_owner',
description='Access rule for updating RBAC policy'),
policy.RuleDefault(
'update_rbac_policy:target_tenant',
'rule:restrict_wildcard and rule:admin_or_owner',
description=('Access rule for updating target_tenant '
'attribute of RBAC policy')),
policy.RuleDefault(
'get_rbac_policy',
'rule:admin_or_owner',
description='Access rule for getting RBAC policy'),
policy.RuleDefault(
'delete_rbac_policy',
'rule:admin_or_owner',
description='Access rule for deleting RBAC policy'),
]
def list_rules():
return rules
View Git Blame Copy Permalink