From 89a3cd86cc8c96a4dad66abaf776f7422592387f Mon Sep 17 00:00:00 2001
From: Claudiu Belu
Date: Tue, 14 Jun 2016 02:58:41 +0300
Subject: [PATCH] policy: Add defaults in code (part 6)
Partially-Implements: bp policy-in-code
Change-Id: I7c2dca52f5970ad9421bf5175fcbd963deac408f
---
 etc/nova/policy.json | 43 +------------------------
 nova/policies/__init__.py | 28 ++++++++++++++++-
 nova/policies/server_tags.py | 47 ++++++++++++++++++++++++++++
 nova/policies/server_usage.py | 36 +++++++++++++++++++++
 nova/policies/servers.py | 11 +++++--
 nova/policies/servers_migrations.py | 41 ++++++++++++++++++++++++
 nova/policies/services.py | 36 +++++++++++++++++++++
 nova/policies/shelve.py | 41 ++++++++++++++++++++++++
 nova/policies/simple_tenant_usage.py | 38 ++++++++++++++++++++++
 nova/policies/suspend_server.py | 38 ++++++++++++++++++++++
 nova/policies/tenant_networks.py | 36 +++++++++++++++++++++
 nova/policies/used_limits.py | 36 +++++++++++++++++++++
 nova/policies/user_data.py | 32 +++++++++++++++++++
 nova/policies/virtual_interfaces.py | 36 +++++++++++++++++++++
 nova/policies/volumes.py | 36 +++++++++++++++++++++
 nova/policies/volumes_attachments.py | 47 ++++++++++++++++++++++++++++
 16 files changed, 536 insertions(+), 46 deletions(-)
 create mode 100644 nova/policies/server_tags.py
 create mode 100644 nova/policies/server_usage.py
 create mode 100644 nova/policies/servers_migrations.py
 create mode 100644 nova/policies/services.py
 create mode 100644 nova/policies/shelve.py
 create mode 100644 nova/policies/simple_tenant_usage.py
 create mode 100644 nova/policies/suspend_server.py
 create mode 100644 nova/policies/tenant_networks.py
 create mode 100644 nova/policies/used_limits.py
 create mode 100644 nova/policies/user_data.py
 create mode 100644 nova/policies/virtual_interfaces.py
 create mode 100644 nova/policies/volumes.py
 create mode 100644 nova/policies/volumes_attachments.py
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index 898ba356917c..79481bf182bb 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -7,46 +7,5 @@
 "admin_api": "is_admin:True",
- "network:attach_external_network": "is_admin:True",
- "os_compute_api:servers:show:host_status": "rule:admin_api",
- "os_compute_api:servers:migrations:force_complete": "rule:admin_api",
- "os_compute_api:servers:migrations:delete": "rule:admin_api",
- "os_compute_api:servers:discoverable": "@",
- "os_compute_api:servers:migrations:index": "rule:admin_api",
- "os_compute_api:servers:migrations:show": "rule:admin_api",
- "os_compute_api:os-server-usage": "rule:admin_or_owner",
- "os_compute_api:os-server-usage:discoverable": "@",
- "os_compute_api:os-server-tags:index": "@",
- "os_compute_api:os-server-tags:show": "@",
- "os_compute_api:os-server-tags:update": "@",
- "os_compute_api:os-server-tags:update_all": "@",
- "os_compute_api:os-server-tags:delete": "@",
- "os_compute_api:os-server-tags:delete_all": "@",
- "os_compute_api:os-services": "rule:admin_api",
- "os_compute_api:os-services:discoverable": "@",
- "os_compute_api:os-shelve:shelve": "rule:admin_or_owner",
- "os_compute_api:os-shelve:shelve:discoverable": "@",
- "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
- "os_compute_api:os-simple-tenant-usage:discoverable": "@",
- "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
- "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
- "os_compute_api:os-suspend-server:discoverable": "@",
- "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
- "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
- "os_compute_api:os-tenant-networks": "rule:admin_or_owner",
- "os_compute_api:os-tenant-networks:discoverable": "@",
- "os_compute_api:os-shelve:unshelve": "rule:admin_or_owner",
- "os_compute_api:os-user-data:discoverable": "@",
- "os_compute_api:os-virtual-interfaces": "rule:admin_or_owner",
- "os_compute_api:os-virtual-interfaces:discoverable": "@",
- "os_compute_api:os-volumes": "rule:admin_or_owner",
- "os_compute_api:os-volumes:discoverable": "@",
- "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
- "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
- "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner",
- "os_compute_api:os-volumes-attachments:update": "rule:admin_api",
- "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner",
- "os_compute_api:os-volumes-attachments:discoverable": "@",
- "os_compute_api:os-used-limits": "rule:admin_api",
- "os_compute_api:os-used-limits:discoverable": "@"
+ "network:attach_external_network": "is_admin:True"
 }
diff --git a/nova/policies/__init__.py b/nova/policies/__init__.py
index d877b11d49f4..66f301ca6b8d 100644
--- a/nova/policies/__init__.py
+++ b/nova/policies/__init__.py
@@ -83,7 +83,20 @@ from nova.policies import server_external_events
 from nova.policies import server_groups
 from nova.policies import server_metadata
 from nova.policies import server_password
+from nova.policies import server_tags
+from nova.policies import server_usage
 from nova.policies import servers
+from nova.policies import servers_migrations
+from nova.policies import services
+from nova.policies import shelve
+from nova.policies import simple_tenant_usage
+from nova.policies import suspend_server
+from nova.policies import tenant_networks
+from nova.policies import used_limits
+from nova.policies import user_data
+from nova.policies import virtual_interfaces
+from nova.policies import volumes
+from nova.policies import volumes_attachments
 def list_rules():
@@ -158,5 +171,18 @@ def list_rules():
 server_groups.list_rules(),
 server_metadata.list_rules(),
 server_password.list_rules(),
- servers.list_rules()
+ server_tags.list_rules(),
+ server_usage.list_rules(),
+ servers.list_rules(),
+ servers_migrations.list_rules(),
+ services.list_rules(),
+ shelve.list_rules(),
+ simple_tenant_usage.list_rules(),
+ suspend_server.list_rules(),
+ tenant_networks.list_rules(),
+ used_limits.list_rules(),
+ user_data.list_rules(),
+ virtual_interfaces.list_rules(),
+ volumes.list_rules(),
+ volumes_attachments.list_rules()
 )
diff --git a/nova/policies/server_tags.py b/nova/policies/server_tags.py
new file mode 100644
index 000000000000..24795c24a6ed
--- /dev/null
+++ b/nova/policies/server_tags.py
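Review bot: Nothing ties the import block added in the previous hunk to the `list_rules()` chain extended here, so a policy module that is imported but never chained (or chained in one branch and dropped in a rebase) would ship without its defaults registered and nothing would fail; the opening of `list_rules()`'s body lies outside this hunk. A short guard comment above the chain, `# every nova.policies module imported above must also be chained here`, plus a test that iterates `pkgutil.iter_modules()` over the package and asserts each module's `list_rules()` entries appear in `nova.policies.list_rules()`, would make the omission visible. The thirteen `+ <module>.list_rules(),` lines themselves look correct and keep the alphabetical order of the imports.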
@@ -0,0 +1,47 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-server-tags:%s'
+
+
+server_tags_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'delete_all',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'index',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'update_all',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'delete',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'update',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return server_tags_policies
diff --git a/nova/policies/server_usage.py b/nova/policies/server_usage.py
new file mode 100644
index 000000000000..da190d20fff5
--- /dev/null
+++ b/nova/policies/server_usage.py
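Review bot: Every server-tags rule is registered with `base.RULE_ANY`; if that is the `"@"` always-pass rule the removed policy.json entries used, the policy layer never restricts reading or writing tags, and the only access control is whatever the API handler applies when it looks up the server (presumably scoped to the requester's project, but that is not visible here). The module should say so, otherwise a later reader will either "tighten" these blindly or assume policy alone protects tag updates: `# "@" always passes: access to tags is governed by the server lookup in the API layer, not by policy.` The six entries are also in no particular order (delete_all, index, update_all, delete, update, show); listing them as index/show/update/update_all/delete/delete_all would make a missing one easier to spot, and the same applies to used_limits.py, virtual_interfaces.py and volumes.py, where `discoverable` precedes the base rule.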
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-server-usage'
+POLICY_ROOT = 'os_compute_api:os-server-usage:%s'
+
+
+server_usage_policies = [
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return server_usage_policies
diff --git a/nova/policies/servers.py b/nova/policies/servers.py
index 0d5a14327cc9..320f963f8335 100644
--- a/nova/policies/servers.py
+++ b/nova/policies/servers.py
@@ -13,8 +13,10 @@
 from oslo_policy import policy
+from nova.policies import base
-RULE_AOO = 'rule:admin_or_owner'
+
+RULE_AOO = base.RULE_ADMIN_OR_OWNER
 SERVERS = 'os_compute_api:servers:%s'
 rules = [
@@ -23,6 +25,9 @@ rules = [
 policy.RuleDefault(SERVERS % 'detail:get_all_tenants', RULE_AOO),
 policy.RuleDefault(SERVERS % 'index:get_all_tenants', RULE_AOO),
 policy.RuleDefault(SERVERS % 'show', RULE_AOO),
+ # the details in host_status are pretty sensitive, only admins
+ # should do that by default.
+ policy.RuleDefault(SERVERS % 'show:host_status', base.RULE_ADMIN_API),
 policy.RuleDefault(SERVERS % 'create', RULE_AOO),
 policy.RuleDefault(SERVERS % 'create:forced_host', RULE_AOO),
 policy.RuleDefault(SERVERS % 'create:attach_volume', RULE_AOO),
@@ -35,11 +40,11 @@ rules = [
 policy.RuleDefault(SERVERS % 'resize', RULE_AOO),
 policy.RuleDefault(SERVERS % 'rebuild', RULE_AOO),
 policy.RuleDefault(SERVERS % 'create_image', RULE_AOO),
- policy.RuleDefault(SERVERS % 'create_image:allow_volume_backed',
- RULE_AOO),
+ policy.RuleDefault(SERVERS % 'create_image:allow_volume_backed', RULE_AOO),
 policy.RuleDefault(SERVERS % 'start', RULE_AOO),
 policy.RuleDefault(SERVERS % 'stop', RULE_AOO),
 policy.RuleDefault(SERVERS % 'trigger_crash_dump', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'discoverable', base.RULE_ANY),
 ]
diff --git a/nova/policies/servers_migrations.py b/nova/policies/servers_migrations.py
new file mode 100644
index 000000000000..14df68d72de8
--- /dev/null
+++ b/nova/policies/servers_migrations.py
@@ -0,0 +1,41 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:servers:migrations:%s'
+
+
+servers_migrations_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'force_complete',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'delete',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'index',
+ check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+ return servers_migrations_policies
diff --git a/nova/policies/services.py b/nova/policies/services.py
new file mode 100644
index 000000000000..c2ee8af550dc
--- /dev/null
+++ b/nova/policies/services.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-services'
+POLICY_ROOT = 'os_compute_api:os-services:%s'
+
+
+services_policies = [
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return services_policies
diff --git a/nova/policies/shelve.py b/nova/policies/shelve.py
new file mode 100644
index 000000000000..b0fb25ebb20c
--- /dev/null
+++ b/nova/policies/shelve.py
@@ -0,0 +1,41 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-shelve:%s'
+
+
+shelve_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'shelve',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'unshelve',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'shelve_offload',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'shelve:discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return shelve_policies
diff --git a/nova/policies/simple_tenant_usage.py b/nova/policies/simple_tenant_usage.py
new file mode 100644
index 000000000000..70b64c56cfec
--- /dev/null
+++ b/nova/policies/simple_tenant_usage.py
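Review bot: The discoverability rule here is built as `POLICY_ROOT % 'shelve:discoverable'`, giving `os_compute_api:os-shelve:shelve:discoverable`, while every other new module uses `POLICY_ROOT % 'discoverable'`. It matches the key this commit removes from policy.json, so behaviour is preserved, but it reads as a typo; a comment such as `# the extra 'shelve:' segment is deliberate: it is the rule name the existing policy.json used` keeps it from being "fixed" into a rule that nothing consults. Separately, `shelve_offload` is the one admin-only default in this module and carries no comment saying why, and the same is true of `list` in simple_tenant_usage.py and `update` in volumes_attachments.py; the one-line note servers.py adds for `show:host_status` is the model to copy so these asymmetries are not levelled out later.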
@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-simple-tenant-usage:%s'
+
+
+simple_tenant_usage_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'list',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return simple_tenant_usage_policies
diff --git a/nova/policies/suspend_server.py b/nova/policies/suspend_server.py
new file mode 100644
index 000000000000..5fe1ab81c1f0
--- /dev/null
+++ b/nova/policies/suspend_server.py
@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-suspend-server:%s'
+
+
+suspend_server_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'resume',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'suspend',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return suspend_server_policies
diff --git a/nova/policies/tenant_networks.py b/nova/policies/tenant_networks.py
new file mode 100644
index 000000000000..861f60bb6782
--- /dev/null
+++ b/nova/policies/tenant_networks.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-tenant-networks'
+POLICY_ROOT = 'os_compute_api:os-tenant-networks:%s'
+
+
+tenant_networks_policies = [
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return tenant_networks_policies
diff --git a/nova/policies/used_limits.py b/nova/policies/used_limits.py
new file mode 100644
index 000000000000..e2e44216c786
--- /dev/null
+++ b/nova/policies/used_limits.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-used-limits'
+POLICY_ROOT = 'os_compute_api:os-used-limits:%s'
+
+
+used_limits_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+ return used_limits_policies
diff --git a/nova/policies/user_data.py b/nova/policies/user_data.py
new file mode 100644
index 000000000000..8d17ad6807e6
--- /dev/null
+++ b/nova/policies/user_data.py
@@ -0,0 +1,32 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-user-data:%s'
+
+
+user_data_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return user_data_policies
diff --git a/nova/policies/virtual_interfaces.py b/nova/policies/virtual_interfaces.py
new file mode 100644
index 000000000000..7d5038eb4cda
--- /dev/null
+++ b/nova/policies/virtual_interfaces.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-virtual-interfaces'
+POLICY_ROOT = 'os_compute_api:os-virtual-interfaces:%s'
+
+
+virtual_interfaces_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return virtual_interfaces_policies
diff --git a/nova/policies/volumes.py b/nova/policies/volumes.py
new file mode 100644
index 000000000000..0f518c632b53
--- /dev/null
+++ b/nova/policies/volumes.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-volumes'
+POLICY_ROOT = 'os_compute_api:os-volumes:%s'
+
+
+volumes_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return volumes_policies
diff --git a/nova/policies/volumes_attachments.py b/nova/policies/volumes_attachments.py
new file mode 100644
index 000000000000..85b51a2316e2
--- /dev/null
+++ b/nova/policies/volumes_attachments.py
@@ -0,0 +1,47 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-volumes-attachments:%s'
+
+
+volumes_attachments_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'index',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'create',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'update',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'delete',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return volumes_attachments_policies