diff --git a/barbican/templates/configmap-etc.yaml b/barbican/templates/configmap-etc.yaml
index b7695509af..450136fd23 100644
--- a/barbican/templates/configmap-etc.yaml
+++ b/barbican/templates/configmap-etc.yaml
@@ -81,7 +81,7 @@ data:
   api_audit_map.conf: |+
 {{- tuple .Values.conf.audit_map "etc/_api_audit_map.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
   policy.json: |+
-{{- tuple .Values.conf.override "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{  toJson .Values.conf.policy | indent 4 }}
   barbican-api.ini: |+
 {{- tuple .Values.conf.barbican_api "etc/_barbican-api.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 {{- end }}
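Review bot: `toJson .Values.conf.policy` on the added line renders whatever `conf.policy` holds with no check that it is a non-empty map of strings, so an override that leaves it unset or nulls it would render the literal `null` into policy.json and only fail later, when the service loads the file; the added lines in the glance, heat and keystone configmap hunks have the same shape. Wrapping the value gives a clear install-time error instead: `{{ toJson (required "conf.policy must be a map of oslo.policy rule strings" .Values.conf.policy) | indent 4 }}`. Non-string overrides (for example a `--set` value that Helm parses as a boolean) would likewise be serialized as JSON literals rather than rule strings, which oslo.policy presumably rejects, so the values.yaml contract is worth a comment. The double space in `{{  toJson` is a style nit; one space matches the surrounding template lines.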
diff --git a/barbican/templates/etc/_policy.json.tpl b/barbican/templates/etc/_policy.json.tpl
deleted file mode 100644
index 723f1c1793..0000000000
--- a/barbican/templates/etc/_policy.json.tpl
+++ /dev/null
@@ -1,90 +0,0 @@
-{
-    "admin": "role:admin",
-    "observer": "role:observer",
-    "creator": "role:creator",
-    "audit": "role:audit",
-    "service_admin": "role:key-manager:service-admin",
-    "admin_or_user_does_not_work": "project_id:%(project_id)s",
-    "admin_or_user": "rule:admin or project_id:%(project_id)s",
-    "admin_or_creator": "rule:admin or rule:creator",
-    "all_but_audit": "rule:admin or rule:observer or rule:creator",
-    "all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
-    "secret_project_match": "project:%(target.secret.project_id)s",
-    "secret_acl_read": "'read':%(target.secret.read)s",
-    "secret_private_read": "'False':%(target.secret.read_project_access)s",
-    "secret_creator_user": "user:%(target.secret.creator_id)s",
-    "container_project_match": "project:%(target.container.project_id)s",
-    "container_acl_read": "'read':%(target.container.read)s",
-    "container_private_read": "'False':%(target.container.read_project_access)s",
-    "container_creator_user": "user:%(target.container.creator_id)s",
-
-    "secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read",
-    "secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
-    "container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read",
-    "secret_project_admin": "rule:admin and rule:secret_project_match",
-    "secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
-    "container_project_admin": "rule:admin and rule:container_project_match",
-    "container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user",
-
-    "version:get": "@",
-    "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
-    "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
-    "secret:put": "rule:admin_or_creator and rule:secret_project_match",
-    "secret:delete": "rule:secret_project_admin or rule:secret_project_creator",
-    "secrets:post": "rule:admin_or_creator",
-    "secrets:get": "rule:all_but_audit",
-    "orders:post": "rule:admin_or_creator",
-    "orders:get": "rule:all_but_audit",
-    "order:get": "rule:all_users",
-    "order:put": "rule:admin_or_creator",
-    "order:delete": "rule:admin",
-    "consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
-    "consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
-    "consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
-    "consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
-    "containers:post": "rule:admin_or_creator",
-    "containers:get": "rule:all_but_audit",
-    "container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
-    "container:delete": "rule:container_project_admin or rule:container_project_creator",
-    "container_secret:post": "rule:admin",
-    "container_secret:delete": "rule:admin",
-    "transport_key:get": "rule:all_users",
-    "transport_key:delete": "rule:admin",
-    "transport_keys:get": "rule:all_users",
-    "transport_keys:post": "rule:admin",
-    "certificate_authorities:get_limited": "rule:all_users",
-    "certificate_authorities:get_all": "rule:admin",
-    "certificate_authorities:post": "rule:admin",
-    "certificate_authorities:get_preferred_ca": "rule:all_users",
-    "certificate_authorities:get_global_preferred_ca": "rule:service_admin",
-    "certificate_authorities:unset_global_preferred": "rule:service_admin",
-    "certificate_authority:delete": "rule:admin",
-    "certificate_authority:get": "rule:all_users",
-    "certificate_authority:get_cacert": "rule:all_users",
-    "certificate_authority:get_ca_cert_chain": "rule:all_users",
-    "certificate_authority:get_projects": "rule:service_admin",
-    "certificate_authority:add_to_project": "rule:admin",
-    "certificate_authority:remove_from_project": "rule:admin",
-    "certificate_authority:set_preferred": "rule:admin",
-    "certificate_authority:set_global_preferred": "rule:service_admin",
-    "secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator",
-    "secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator",
-    "secret_acls:get": "rule:all_but_audit and rule:secret_project_match",
-    "container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator",
-    "container_acls:delete": "rule:container_project_admin or rule:container_project_creator",
-    "container_acls:get": "rule:all_but_audit and rule:container_project_match",
-    "quotas:get": "rule:all_users",
-    "project_quotas:get": "rule:service_admin",
-    "project_quotas:put": "rule:service_admin",
-    "project_quotas:delete": "rule:service_admin",
-    "secret_meta:get": "rule:all_but_audit",
-    "secret_meta:post": "rule:admin_or_creator",
-    "secret_meta:put": "rule:admin_or_creator",
-    "secret_meta:delete": "rule:admin_or_creator",
-    "secretstores:get": "rule:admin",
-    "secretstores:get_global_default": "rule:admin",
-    "secretstores:get_preferred": "rule:admin",
-    "secretstore_preferred:post": "rule:admin",
-    "secretstore_preferred:delete": "rule:admin",
-    "secretstore:get": "rule:admin"
-}
diff --git a/barbican/values.yaml b/barbican/values.yaml
index 02bd744d85..acd6789c31 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -172,8 +172,101 @@ conf:
     override:
     append:
   policy:
-    override:
-    append:
+    admin: role:admin
+    observer: role:observer
+    creator: role:creator
+    audit: role:audit
+    service_admin: role:key-manager:service-admin
+    admin_or_user_does_not_work: project_id:%(project_id)s
+    admin_or_user: rule:admin or project_id:%(project_id)s
+    admin_or_creator: rule:admin or rule:creator
+    all_but_audit: rule:admin or rule:observer or rule:creator
+    all_users: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
+    secret_project_match: project:%(target.secret.project_id)s
+    secret_acl_read: "'read':%(target.secret.read)s"
+    secret_private_read: "'False':%(target.secret.read_project_access)s"
+    secret_creator_user: user:%(target.secret.creator_id)s
+    container_project_match: project:%(target.container.project_id)s
+    container_acl_read: "'read':%(target.container.read)s"
+    container_private_read: "'False':%(target.container.read_project_access)s"
+    container_creator_user: user:%(target.container.creator_id)s
+    secret_non_private_read: rule:all_users and rule:secret_project_match and not rule:secret_private_read
+    secret_decrypt_non_private_read: rule:all_but_audit and rule:secret_project_match
+      and not rule:secret_private_read
+    container_non_private_read: rule:all_users and rule:container_project_match and not
+      rule:container_private_read
+    secret_project_admin: rule:admin and rule:secret_project_match
+    secret_project_creator: rule:creator and rule:secret_project_match and rule:secret_creator_user
+    container_project_admin: rule:admin and rule:container_project_match
+    container_project_creator: rule:creator and rule:container_project_match and rule:container_creator_user
+    version:get: "@"
+    secret:decrypt: rule:secret_decrypt_non_private_read or rule:secret_project_creator
+      or rule:secret_project_admin or rule:secret_acl_read
+    secret:get: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin
+      or rule:secret_acl_read
+    secret:put: rule:admin_or_creator and rule:secret_project_match
+    secret:delete: rule:secret_project_admin or rule:secret_project_creator
+    secrets:post: rule:admin_or_creator
+    secrets:get: rule:all_but_audit
+    orders:post: rule:admin_or_creator
+    orders:get: rule:all_but_audit
+    order:get: rule:all_users
+    order:put: rule:admin_or_creator
+    order:delete: rule:admin
+    consumer:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
+      or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
+    consumers:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
+      or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
+    consumers:post: rule:admin or rule:container_non_private_read or rule:container_project_creator
+      or rule:container_project_admin or rule:container_acl_read
+    consumers:delete: rule:admin or rule:container_non_private_read or rule:container_project_creator
+      or rule:container_project_admin or rule:container_acl_read
+    containers:post: rule:admin_or_creator
+    containers:get: rule:all_but_audit
+    container:get: rule:container_non_private_read or rule:container_project_creator or
+      rule:container_project_admin or rule:container_acl_read
+    container:delete: rule:container_project_admin or rule:container_project_creator
+    container_secret:post: rule:admin
+    container_secret:delete: rule:admin
+    transport_key:get: rule:all_users
+    transport_key:delete: rule:admin
+    transport_keys:get: rule:all_users
+    transport_keys:post: rule:admin
+    certificate_authorities:get_limited: rule:all_users
+    certificate_authorities:get_all: rule:admin
+    certificate_authorities:post: rule:admin
+    certificate_authorities:get_preferred_ca: rule:all_users
+    certificate_authorities:get_global_preferred_ca: rule:service_admin
+    certificate_authorities:unset_global_preferred: rule:service_admin
+    certificate_authority:delete: rule:admin
+    certificate_authority:get: rule:all_users
+    certificate_authority:get_cacert: rule:all_users
+    certificate_authority:get_ca_cert_chain: rule:all_users
+    certificate_authority:get_projects: rule:service_admin
+    certificate_authority:add_to_project: rule:admin
+    certificate_authority:remove_from_project: rule:admin
+    certificate_authority:set_preferred: rule:admin
+    certificate_authority:set_global_preferred: rule:service_admin
+    secret_acls:put_patch: rule:secret_project_admin or rule:secret_project_creator
+    secret_acls:delete: rule:secret_project_admin or rule:secret_project_creator
+    secret_acls:get: rule:all_but_audit and rule:secret_project_match
+    container_acls:put_patch: rule:container_project_admin or rule:container_project_creator
+    container_acls:delete: rule:container_project_admin or rule:container_project_creator
+    container_acls:get: rule:all_but_audit and rule:container_project_match
+    quotas:get: rule:all_users
+    project_quotas:get: rule:service_admin
+    project_quotas:put: rule:service_admin
+    project_quotas:delete: rule:service_admin
+    secret_meta:get: rule:all_but_audit
+    secret_meta:post: rule:admin_or_creator
+    secret_meta:put: rule:admin_or_creator
+    secret_meta:delete: rule:admin_or_creator
+    secretstores:get: rule:admin
+    secretstores:get_global_default: rule:admin
+    secretstores:get_preferred: rule:admin
+    secretstore_preferred:post: rule:admin
+    secretstore_preferred:delete: rule:admin
+    secretstore:get: rule:admin
   audit_map:
     override:
     append:
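Review bot: The values of `secret_decrypt_non_private_read`, `container_non_private_read`, `secret:decrypt`, `secret:get`, `consumer:get`, `consumers:get`, `consumers:post`, `consumers:delete` and `container:get` are wrapped onto a second line as plain scalars, relying on implicit line folding; that reads like the start of a nested key and silently changes the rule if anyone re-indents the continuation. A block scalar makes the folding explicit, e.g. `secret:decrypt: >-` followed by the two indented rule lines, or keep each rule on one line as the other entries do. Separately, the removed `override:`/`append:` keys suggest that an operator overrides file still setting `conf.policy.override` would now, as far as I can tell, be rendered as a rule named `override` instead of replacing the file; a one-line comment above `policy:` noting that the map is rendered verbatim into policy.json would flag that migration.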
diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml
index 2d853c00e5..b1fd2d0eb8 100644
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
@@ -135,5 +135,5 @@ data:
   glance-registry-paste.ini: |+
 {{- tuple .Values.conf.paste_registry "etc/_glance-registry-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
   policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{  toJson .Values.conf.policy | indent 4 }}
 {{- end }}
diff --git a/glance/templates/etc/_policy.json.tpl b/glance/templates/etc/_policy.json.tpl
deleted file mode 100644
index 0a058c1c5d..0000000000
--- a/glance/templates/etc/_policy.json.tpl
+++ /dev/null
@@ -1,61 +0,0 @@
-{
-    "context_is_admin":  "role:admin",
-    "default": "role:admin",
-
-    "add_image": "",
-    "delete_image": "",
-    "get_image": "",
-    "get_images": "",
-    "modify_image": "",
-    "publicize_image": "role:admin",
-    "copy_from": "",
-
-    "download_image": "",
-    "upload_image": "",
-
-    "delete_image_location": "",
-    "get_image_location": "",
-    "set_image_location": "",
-
-    "add_member": "",
-    "delete_member": "",
-    "get_member": "",
-    "get_members": "",
-    "modify_member": "",
-
-    "manage_image_cache": "role:admin",
-
-    "get_task": "role:admin",
-    "get_tasks": "role:admin",
-    "add_task": "role:admin",
-    "modify_task": "role:admin",
-
-    "deactivate": "",
-    "reactivate": "",
-
-    "get_metadef_namespace": "",
-    "get_metadef_namespaces":"",
-    "modify_metadef_namespace":"",
-    "add_metadef_namespace":"",
-
-    "get_metadef_object":"",
-    "get_metadef_objects":"",
-    "modify_metadef_object":"",
-    "add_metadef_object":"",
-
-    "list_metadef_resource_types":"",
-    "get_metadef_resource_type":"",
-    "add_metadef_resource_type_association":"",
-
-    "get_metadef_property":"",
-    "get_metadef_properties":"",
-    "modify_metadef_property":"",
-    "add_metadef_property":"",
-
-    "get_metadef_tag":"",
-    "get_metadef_tags":"",
-    "modify_metadef_tag":"",
-    "add_metadef_tag":"",
-    "add_metadef_tags":""
-
-}
diff --git a/glance/values.yaml b/glance/values.yaml
index a24110896c..c74d32c029 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -76,8 +76,52 @@ conf:
     override:
     append:
   policy:
-    override:
-    append:
+    context_is_admin: role:admin
+    default: role:admin
+    add_image: ''
+    delete_image: ''
+    get_image: ''
+    get_images: ''
+    modify_image: ''
+    publicize_image: role:admin
+    copy_from: ''
+    download_image: ''
+    upload_image: ''
+    delete_image_location: ''
+    get_image_location: ''
+    set_image_location: ''
+    add_member: ''
+    delete_member: ''
+    get_member: ''
+    get_members: ''
+    modify_member: ''
+    manage_image_cache: role:admin
+    get_task: role:admin
+    get_tasks: role:admin
+    add_task: role:admin
+    modify_task: role:admin
+    deactivate: ''
+    reactivate: ''
+    get_metadef_namespace: ''
+    get_metadef_namespaces: ''
+    modify_metadef_namespace: ''
+    add_metadef_namespace: ''
+    get_metadef_object: ''
+    get_metadef_objects: ''
+    modify_metadef_object: ''
+    add_metadef_object: ''
+    list_metadef_resource_types: ''
+    get_metadef_resource_type: ''
+    add_metadef_resource_type_association: ''
+    get_metadef_property: ''
+    get_metadef_properties: ''
+    modify_metadef_property: ''
+    add_metadef_property: ''
+    get_metadef_tag: ''
+    get_metadef_tags: ''
+    modify_metadef_tag: ''
+    add_metadef_tag: ''
+    add_metadef_tags: ''
   glance:
     override:
     append:
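Review bot: Nothing in the hunk tells an operator editing this map that an empty value such as `add_image: ''` is an oslo.policy rule that matches unconditionally, so a reader could take it for "unset" or "deny"; the same applies to the `''` entries in the heat values hunk (`cloudformation:DescribeStackResource`, `cloudwatch:PutMetricData`, `stacks:lookup`, `resource:signal` and others). I would add above `policy:` a comment such as `# Rendered as-is into policy.json. Each value is an oslo.policy rule string; '' matches unconditionally (no restriction), so tighten these in overrides where the deployment needs it.` The quoting itself is correct: the empty strings are explicit rather than bare `key:`, which would have rendered as JSON `null`.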
diff --git a/heat/templates/configmap-etc.yaml b/heat/templates/configmap-etc.yaml
index 022c25fb91..54369beccd 100644
--- a/heat/templates/configmap-etc.yaml
+++ b/heat/templates/configmap-etc.yaml
@@ -123,5 +123,5 @@ data:
   api-paste.ini: |+
 {{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
   policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{  toJson .Values.conf.policy | indent 4 }}
 {{- end }}
diff --git a/heat/templates/etc/_policy.json.tpl b/heat/templates/etc/_policy.json.tpl
deleted file mode 100644
index c9aae5ff79..0000000000
--- a/heat/templates/etc/_policy.json.tpl
+++ /dev/null
@@ -1,96 +0,0 @@
-{
-    "context_is_admin": "role:admin and is_admin_project:True",
-    "project_admin": "role:admin",
-    "deny_stack_user": "not role:heat_stack_user",
-    "deny_everybody": "!",
-
-    "cloudformation:ListStacks": "rule:deny_stack_user",
-    "cloudformation:CreateStack": "rule:deny_stack_user",
-    "cloudformation:DescribeStacks": "rule:deny_stack_user",
-    "cloudformation:DeleteStack": "rule:deny_stack_user",
-    "cloudformation:UpdateStack": "rule:deny_stack_user",
-    "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
-    "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
-    "cloudformation:ValidateTemplate": "rule:deny_stack_user",
-    "cloudformation:GetTemplate": "rule:deny_stack_user",
-    "cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
-    "cloudformation:DescribeStackResource": "",
-    "cloudformation:DescribeStackResources": "rule:deny_stack_user",
-    "cloudformation:ListStackResources": "rule:deny_stack_user",
-
-    "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
-    "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
-    "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
-    "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
-    "cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
-    "cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
-    "cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
-    "cloudwatch:ListMetrics": "rule:deny_stack_user",
-    "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
-    "cloudwatch:PutMetricData": "",
-    "cloudwatch:SetAlarmState": "rule:deny_stack_user",
-
-    "actions:action": "rule:deny_stack_user",
-    "build_info:build_info": "rule:deny_stack_user",
-    "events:index": "rule:deny_stack_user",
-    "events:show": "rule:deny_stack_user",
-    "resource:index": "rule:deny_stack_user",
-    "resource:metadata": "",
-    "resource:signal": "",
-    "resource:mark_unhealthy": "rule:deny_stack_user",
-    "resource:show": "rule:deny_stack_user",
-    "stacks:abandon": "rule:deny_stack_user",
-    "stacks:create": "rule:deny_stack_user",
-    "stacks:delete": "rule:deny_stack_user",
-    "stacks:detail": "rule:deny_stack_user",
-    "stacks:export": "rule:deny_stack_user",
-    "stacks:generate_template": "rule:deny_stack_user",
-    "stacks:global_index": "rule:deny_everybody",
-    "stacks:index": "rule:deny_stack_user",
-    "stacks:list_resource_types": "rule:deny_stack_user",
-    "stacks:list_template_versions": "rule:deny_stack_user",
-    "stacks:list_template_functions": "rule:deny_stack_user",
-    "stacks:lookup": "",
-    "stacks:preview": "rule:deny_stack_user",
-    "stacks:resource_schema": "rule:deny_stack_user",
-    "stacks:show": "rule:deny_stack_user",
-    "stacks:template": "rule:deny_stack_user",
-    "stacks:environment": "rule:deny_stack_user",
-    "stacks:files": "rule:deny_stack_user",
-    "stacks:update": "rule:deny_stack_user",
-    "stacks:update_patch": "rule:deny_stack_user",
-    "stacks:preview_update": "rule:deny_stack_user",
-    "stacks:preview_update_patch": "rule:deny_stack_user",
-    "stacks:validate_template": "rule:deny_stack_user",
-    "stacks:snapshot": "rule:deny_stack_user",
-    "stacks:show_snapshot": "rule:deny_stack_user",
-    "stacks:delete_snapshot": "rule:deny_stack_user",
-    "stacks:list_snapshots": "rule:deny_stack_user",
-    "stacks:restore_snapshot": "rule:deny_stack_user",
-    "stacks:list_outputs": "rule:deny_stack_user",
-    "stacks:show_output": "rule:deny_stack_user",
-
-    "software_configs:global_index": "rule:deny_everybody",
-    "software_configs:index": "rule:deny_stack_user",
-    "software_configs:create": "rule:deny_stack_user",
-    "software_configs:show": "rule:deny_stack_user",
-    "software_configs:delete": "rule:deny_stack_user",
-    "software_deployments:index": "rule:deny_stack_user",
-    "software_deployments:create": "rule:deny_stack_user",
-    "software_deployments:show": "rule:deny_stack_user",
-    "software_deployments:update": "rule:deny_stack_user",
-    "software_deployments:delete": "rule:deny_stack_user",
-    "software_deployments:metadata": "",
-
-    "service:index": "rule:context_is_admin",
-
-    "resource_types:OS::Nova::Flavor": "rule:project_admin",
-    "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin",
-    "resource_types:OS::Cinder::VolumeType": "rule:project_admin",
-    "resource_types:OS::Cinder::Quota": "rule:project_admin",
-    "resource_types:OS::Manila::ShareType": "rule:project_admin",
-    "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
-    "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
-    "resource_types:OS::Nova::HostAggregate": "rule:project_admin",
-    "resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
-}
diff --git a/heat/values.yaml b/heat/values.yaml
index d647f28d99..26396e9f34 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -42,8 +42,94 @@ conf:
     override:
     append:
   policy:
-    override:
-    append:
+    context_is_admin: role:admin and is_admin_project:True
+    project_admin: role:admin
+    deny_stack_user: not role:heat_stack_user
+    deny_everybody: "!"
+    cloudformation:ListStacks: rule:deny_stack_user
+    cloudformation:CreateStack: rule:deny_stack_user
+    cloudformation:DescribeStacks: rule:deny_stack_user
+    cloudformation:DeleteStack: rule:deny_stack_user
+    cloudformation:UpdateStack: rule:deny_stack_user
+    cloudformation:CancelUpdateStack: rule:deny_stack_user
+    cloudformation:DescribeStackEvents: rule:deny_stack_user
+    cloudformation:ValidateTemplate: rule:deny_stack_user
+    cloudformation:GetTemplate: rule:deny_stack_user
+    cloudformation:EstimateTemplateCost: rule:deny_stack_user
+    cloudformation:DescribeStackResource: ''
+    cloudformation:DescribeStackResources: rule:deny_stack_user
+    cloudformation:ListStackResources: rule:deny_stack_user
+    cloudwatch:DeleteAlarms: rule:deny_stack_user
+    cloudwatch:DescribeAlarmHistory: rule:deny_stack_user
+    cloudwatch:DescribeAlarms: rule:deny_stack_user
+    cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user
+    cloudwatch:DisableAlarmActions: rule:deny_stack_user
+    cloudwatch:EnableAlarmActions: rule:deny_stack_user
+    cloudwatch:GetMetricStatistics: rule:deny_stack_user
+    cloudwatch:ListMetrics: rule:deny_stack_user
+    cloudwatch:PutMetricAlarm: rule:deny_stack_user
+    cloudwatch:PutMetricData: ''
+    cloudwatch:SetAlarmState: rule:deny_stack_user
+    actions:action: rule:deny_stack_user
+    build_info:build_info: rule:deny_stack_user
+    events:index: rule:deny_stack_user
+    events:show: rule:deny_stack_user
+    resource:index: rule:deny_stack_user
+    resource:metadata: ''
+    resource:signal: ''
+    resource:mark_unhealthy: rule:deny_stack_user
+    resource:show: rule:deny_stack_user
+    stacks:abandon: rule:deny_stack_user
+    stacks:create: rule:deny_stack_user
+    stacks:delete: rule:deny_stack_user
+    stacks:detail: rule:deny_stack_user
+    stacks:export: rule:deny_stack_user
+    stacks:generate_template: rule:deny_stack_user
+    stacks:global_index: rule:deny_everybody
+    stacks:index: rule:deny_stack_user
+    stacks:list_resource_types: rule:deny_stack_user
+    stacks:list_template_versions: rule:deny_stack_user
+    stacks:list_template_functions: rule:deny_stack_user
+    stacks:lookup: ''
+    stacks:preview: rule:deny_stack_user
+    stacks:resource_schema: rule:deny_stack_user
+    stacks:show: rule:deny_stack_user
+    stacks:template: rule:deny_stack_user
+    stacks:environment: rule:deny_stack_user
+    stacks:files: rule:deny_stack_user
+    stacks:update: rule:deny_stack_user
+    stacks:update_patch: rule:deny_stack_user
+    stacks:preview_update: rule:deny_stack_user
+    stacks:preview_update_patch: rule:deny_stack_user
+    stacks:validate_template: rule:deny_stack_user
+    stacks:snapshot: rule:deny_stack_user
+    stacks:show_snapshot: rule:deny_stack_user
+    stacks:delete_snapshot: rule:deny_stack_user
+    stacks:list_snapshots: rule:deny_stack_user
+    stacks:restore_snapshot: rule:deny_stack_user
+    stacks:list_outputs: rule:deny_stack_user
+    stacks:show_output: rule:deny_stack_user
+    software_configs:global_index: rule:deny_everybody
+    software_configs:index: rule:deny_stack_user
+    software_configs:create: rule:deny_stack_user
+    software_configs:show: rule:deny_stack_user
+    software_configs:delete: rule:deny_stack_user
+    software_deployments:index: rule:deny_stack_user
+    software_deployments:create: rule:deny_stack_user
+    software_deployments:show: rule:deny_stack_user
+    software_deployments:update: rule:deny_stack_user
+    software_deployments:delete: rule:deny_stack_user
+    software_deployments:metadata: ''
+    service:index: rule:context_is_admin
+    resource_types:OS::Nova::Flavor: rule:project_admin
+    resource_types:OS::Cinder::EncryptedVolumeType: rule:project_admin
+    resource_types:OS::Cinder::VolumeType: rule:project_admin
+    resource_types:OS::Cinder::Quota: rule:project_admin
+    resource_types:OS::Manila::ShareType: rule:project_admin
+    resource_types:OS::Neutron::QoSPolicy: rule:project_admin
+    resource_types:OS::Neutron::QoSBandwidthLimitRule: rule:project_admin
+    resource_types:OS::Nova::HostAggregate: rule:project_admin
+    resource_types:OS::Cinder::QoSSpecs: rule:project_admin
   heat:
     override:
     append:
diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml
index 36207353a1..928bbf8db2 100644
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@@ -44,7 +44,7 @@ data:
   keystone-paste.ini: |+
 {{- tuple .Values.conf.paste "etc/_keystone-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
   policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{  toJson .Values.conf.policy | indent 4 }}
   mpm_event.conf: |+
 {{- tuple .Values.conf.mpm_event "etc/_mpm_event.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
   wsgi-keystone.conf: |+
diff --git a/keystone/templates/etc/_policy.json.tpl b/keystone/templates/etc/_policy.json.tpl
deleted file mode 100644
index f7e8a82963..0000000000
--- a/keystone/templates/etc/_policy.json.tpl
+++ /dev/null
@@ -1,199 +0,0 @@
-{
-    "admin_required": "role:admin or is_admin:1",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s",
-    "admin_or_owner": "rule:admin_required or rule:owner",
-    "token_subject": "user_id:%(target.token.user_id)s",
-    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
-    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
-    "default": "rule:admin_required",
-
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:admin_required",
-    "identity:update_region": "rule:admin_required",
-    "identity:delete_region": "rule:admin_required",
-
-    "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
-    "identity:create_service": "rule:admin_required",
-    "identity:update_service": "rule:admin_required",
-    "identity:delete_service": "rule:admin_required",
-
-    "identity:get_endpoint": "rule:admin_required",
-    "identity:list_endpoints": "rule:admin_required",
-    "identity:create_endpoint": "rule:admin_required",
-    "identity:update_endpoint": "rule:admin_required",
-    "identity:delete_endpoint": "rule:admin_required",
-
-    "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
-    "identity:list_domains": "rule:admin_required",
-    "identity:create_domain": "rule:admin_required",
-    "identity:update_domain": "rule:admin_required",
-    "identity:delete_domain": "rule:admin_required",
-
-    "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
-    "identity:list_projects": "rule:admin_required",
-    "identity:list_user_projects": "rule:admin_or_owner",
-    "identity:create_project": "rule:admin_required",
-    "identity:update_project": "rule:admin_required",
-    "identity:delete_project": "rule:admin_required",
-
-    "identity:get_user": "rule:admin_or_owner",
-    "identity:list_users": "rule:admin_required",
-    "identity:create_user": "rule:admin_required",
-    "identity:update_user": "rule:admin_required",
-    "identity:delete_user": "rule:admin_required",
-    "identity:change_password": "rule:admin_or_owner",
-
-    "identity:get_group": "rule:admin_required",
-    "identity:list_groups": "rule:admin_required",
-    "identity:list_groups_for_user": "rule:admin_or_owner",
-    "identity:create_group": "rule:admin_required",
-    "identity:update_group": "rule:admin_required",
-    "identity:delete_group": "rule:admin_required",
-    "identity:list_users_in_group": "rule:admin_required",
-    "identity:remove_user_from_group": "rule:admin_required",
-    "identity:check_user_in_group": "rule:admin_required",
-    "identity:add_user_to_group": "rule:admin_required",
-
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
-    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:ec2_list_credentials": "rule:admin_or_owner",
-    "identity:ec2_create_credential": "rule:admin_or_owner",
-    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
-    "identity:get_domain_role": "rule:admin_required",
-    "identity:list_domain_roles": "rule:admin_required",
-    "identity:create_domain_role": "rule:admin_required",
-    "identity:update_domain_role": "rule:admin_required",
-    "identity:delete_domain_role": "rule:admin_required",
-
-    "identity:get_implied_role": "rule:admin_required ",
-    "identity:list_implied_roles": "rule:admin_required",
-    "identity:create_implied_role": "rule:admin_required",
-    "identity:delete_implied_role": "rule:admin_required",
-    "identity:list_role_inference_rules": "rule:admin_required",
-    "identity:check_implied_role": "rule:admin_required",
-
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
-
-    "identity:list_role_assignments": "rule:admin_required",
-    "identity:list_role_assignments_for_tree": "rule:admin_required",
-
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
-
-    "identity:check_token": "rule:admin_or_token_subject",
-    "identity:validate_token": "rule:service_admin_or_token_subject",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_token_subject",
-
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-
-    "identity:create_service_provider": "rule:admin_required",
-    "identity:list_service_providers": "rule:admin_required",
-    "identity:get_service_provider": "rule:admin_required",
-    "identity:update_service_provider": "rule:admin_required",
-    "identity:delete_service_provider": "rule:admin_required",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_user": "",
-    "identity:list_domains_for_user": "",
-
-    "identity:list_revoke_events": "",
-
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required",
-
-    "identity:create_domain_config": "rule:admin_required",
-    "identity:get_domain_config": "rule:admin_required",
-    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required",
-    "identity:get_domain_config_default": "rule:admin_required"
-
-}
diff --git a/keystone/values.yaml b/keystone/values.yaml
index 320cb0eada..7230219f67 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -248,8 +248,172 @@ conf:
     override:
     append:
   policy:
-    override:
-    append:
+    admin_required: role:admin or is_admin:1
+    service_role: role:service
+    service_or_admin: rule:admin_required or rule:service_role
+    owner: user_id:%(user_id)s
+    admin_or_owner: rule:admin_required or rule:owner
+    token_subject: user_id:%(target.token.user_id)s
+    admin_or_token_subject: rule:admin_required or rule:token_subject
+    service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
+    default: rule:admin_required
+    identity:get_region: ''
+    identity:list_regions: ''
+    identity:create_region: rule:admin_required
+    identity:update_region: rule:admin_required
+    identity:delete_region: rule:admin_required
+    identity:get_service: rule:admin_required
+    identity:list_services: rule:admin_required
+    identity:create_service: rule:admin_required
+    identity:update_service: rule:admin_required
+    identity:delete_service: rule:admin_required
+    identity:get_endpoint: rule:admin_required
+    identity:list_endpoints: rule:admin_required
+    identity:create_endpoint: rule:admin_required
+    identity:update_endpoint: rule:admin_required
+    identity:delete_endpoint: rule:admin_required
+    identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s
+    identity:list_domains: rule:admin_required
+    identity:create_domain: rule:admin_required
+    identity:update_domain: rule:admin_required
+    identity:delete_domain: rule:admin_required
+    identity:get_project: rule:admin_required or project_id:%(target.project.id)s
+    identity:list_projects: rule:admin_required
+    identity:list_user_projects: rule:admin_or_owner
+    identity:create_project: rule:admin_required
+    identity:update_project: rule:admin_required
+    identity:delete_project: rule:admin_required
+    identity:get_user: rule:admin_or_owner
+    identity:list_users: rule:admin_required
+    identity:create_user: rule:admin_required
+    identity:update_user: rule:admin_required
+    identity:delete_user: rule:admin_required
+    identity:change_password: rule:admin_or_owner
+    identity:get_group: rule:admin_required
+    identity:list_groups: rule:admin_required
+    identity:list_groups_for_user: rule:admin_or_owner
+    identity:create_group: rule:admin_required
+    identity:update_group: rule:admin_required
+    identity:delete_group: rule:admin_required
+    identity:list_users_in_group: rule:admin_required
+    identity:remove_user_from_group: rule:admin_required
+    identity:check_user_in_group: rule:admin_required
+    identity:add_user_to_group: rule:admin_required
+    identity:get_credential: rule:admin_required
+    identity:list_credentials: rule:admin_required
+    identity:create_credential: rule:admin_required
+    identity:update_credential: rule:admin_required
+    identity:delete_credential: rule:admin_required
+    identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
+    identity:ec2_list_credentials: rule:admin_or_owner
+    identity:ec2_create_credential: rule:admin_or_owner
+    identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
+    identity:get_role: rule:admin_required
+    identity:list_roles: rule:admin_required
+    identity:create_role: rule:admin_required
+    identity:update_role: rule:admin_required
+    identity:delete_role: rule:admin_required
+    identity:get_domain_role: rule:admin_required
+    identity:list_domain_roles: rule:admin_required
+    identity:create_domain_role: rule:admin_required
+    identity:update_domain_role: rule:admin_required
+    identity:delete_domain_role: rule:admin_required
+    identity:get_implied_role: 'rule:admin_required '
+    identity:list_implied_roles: rule:admin_required
+    identity:create_implied_role: rule:admin_required
+    identity:delete_implied_role: rule:admin_required
+    identity:list_role_inference_rules: rule:admin_required
+    identity:check_implied_role: rule:admin_required
+    identity:check_grant: rule:admin_required
+    identity:list_grants: rule:admin_required
+    identity:create_grant: rule:admin_required
+    identity:revoke_grant: rule:admin_required
+    identity:list_role_assignments: rule:admin_required
+    identity:list_role_assignments_for_tree: rule:admin_required
+    identity:get_policy: rule:admin_required
+    identity:list_policies: rule:admin_required
+    identity:create_policy: rule:admin_required
+    identity:update_policy: rule:admin_required
+    identity:delete_policy: rule:admin_required
+    identity:check_token: rule:admin_or_token_subject
+    identity:validate_token: rule:service_admin_or_token_subject
+    identity:validate_token_head: rule:service_or_admin
+    identity:revocation_list: rule:service_or_admin
+    identity:revoke_token: rule:admin_or_token_subject
+    identity:create_trust: user_id:%(trust.trustor_user_id)s
+    identity:list_trusts: ''
+    identity:list_roles_for_trust: ''
+    identity:get_role_for_trust: ''
+    identity:delete_trust: ''
+    identity:create_consumer: rule:admin_required
+    identity:get_consumer: rule:admin_required
+    identity:list_consumers: rule:admin_required
+    identity:delete_consumer: rule:admin_required
+    identity:update_consumer: rule:admin_required
+    identity:authorize_request_token: rule:admin_required
+    identity:list_access_token_roles: rule:admin_required
+    identity:get_access_token_role: rule:admin_required
+    identity:list_access_tokens: rule:admin_required
+    identity:get_access_token: rule:admin_required
+    identity:delete_access_token: rule:admin_required
+    identity:list_projects_for_endpoint: rule:admin_required
+    identity:add_endpoint_to_project: rule:admin_required
+    identity:check_endpoint_in_project: rule:admin_required
+    identity:list_endpoints_for_project: rule:admin_required
+    identity:remove_endpoint_from_project: rule:admin_required
+    identity:create_endpoint_group: rule:admin_required
+    identity:list_endpoint_groups: rule:admin_required
+    identity:get_endpoint_group: rule:admin_required
+    identity:update_endpoint_group: rule:admin_required
+    identity:delete_endpoint_group: rule:admin_required
+    identity:list_projects_associated_with_endpoint_group: rule:admin_required
+    identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
+    identity:get_endpoint_group_in_project: rule:admin_required
+    identity:list_endpoint_groups_for_project: rule:admin_required
+    identity:add_endpoint_group_to_project: rule:admin_required
+    identity:remove_endpoint_group_from_project: rule:admin_required
+    identity:create_identity_provider: rule:admin_required
+    identity:list_identity_providers: rule:admin_required
+    identity:get_identity_providers: rule:admin_required
+    identity:update_identity_provider: rule:admin_required
+    identity:delete_identity_provider: rule:admin_required
+    identity:create_protocol: rule:admin_required
+    identity:update_protocol: rule:admin_required
+    identity:get_protocol: rule:admin_required
+    identity:list_protocols: rule:admin_required
+    identity:delete_protocol: rule:admin_required
+    identity:create_mapping: rule:admin_required
+    identity:get_mapping: rule:admin_required
+    identity:list_mappings: rule:admin_required
+    identity:delete_mapping: rule:admin_required
+    identity:update_mapping: rule:admin_required
+    identity:create_service_provider: rule:admin_required
+    identity:list_service_providers: rule:admin_required
+    identity:get_service_provider: rule:admin_required
+    identity:update_service_provider: rule:admin_required
+    identity:delete_service_provider: rule:admin_required
+    identity:get_auth_catalog: ''
+    identity:get_auth_projects: ''
+    identity:get_auth_domains: ''
+    identity:list_projects_for_user: ''
+    identity:list_domains_for_user: ''
+    identity:list_revoke_events: ''
+    identity:create_policy_association_for_endpoint: rule:admin_required
+    identity:check_policy_association_for_endpoint: rule:admin_required
+    identity:delete_policy_association_for_endpoint: rule:admin_required
+    identity:create_policy_association_for_service: rule:admin_required
+    identity:check_policy_association_for_service: rule:admin_required
+    identity:delete_policy_association_for_service: rule:admin_required
+    identity:create_policy_association_for_region_and_service: rule:admin_required
+    identity:check_policy_association_for_region_and_service: rule:admin_required
+    identity:delete_policy_association_for_region_and_service: rule:admin_required
+    identity:get_policy_for_endpoint: rule:admin_required
+    identity:list_endpoints_for_policy: rule:admin_required
+    identity:create_domain_config: rule:admin_required
+    identity:get_domain_config: rule:admin_required
+    identity:update_domain_config: rule:admin_required
+    identity:delete_domain_config: rule:admin_required
+    identity:get_domain_config_default: rule:admin_required
   mpm_event:
     override:
     append:
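Review bot: `identity:get_implied_role: 'rule:admin_required '` (L867) carries a trailing space inside the quotes that was copied from the deleted template; oslo.policy most likely tolerates it, but it is the only rule in the map that needs quoting and reads as a typo, so `identity:get_implied_role: rule:admin_required` keeps it consistent with its neighbours. Because every rule is now an individual Helm value, a `null` in an operator override deletes that key rather than disabling the rule, and the request then falls back to `default: rule:admin_required` (L805); that is the safe direction here, but the behaviour is not stated anywhere in this file. A comment above `policy:` such as `# oslo.policy rules rendered verbatim into policy.json; override per rule, unset keys fall back to "default"` would document the new contract.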
diff --git a/magnum/templates/configmap-etc.yaml b/magnum/templates/configmap-etc.yaml
index b6df5f066b..15b68f7c12 100644
--- a/magnum/templates/configmap-etc.yaml
+++ b/magnum/templates/configmap-etc.yaml
@@ -75,5 +75,5 @@ data:
   api-paste.ini: |+
 {{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
   policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{  toJson .Values.conf.policy | indent 4 }}
 {{- end }}
diff --git a/magnum/templates/etc/_policy.json.tpl b/magnum/templates/etc/_policy.json.tpl
deleted file mode 100644
index 437942adf9..0000000000
--- a/magnum/templates/etc/_policy.json.tpl
+++ /dev/null
@@ -1,51 +0,0 @@
-{
-    "context_is_admin":  "role:admin",
-    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
-    "default": "rule:admin_or_owner",
-    "admin_api": "rule:context_is_admin",
-    "admin_or_user": "is_admin:True or user_id:%(user_id)s",
-    "cluster_user": "user_id:%(trustee_user_id)s",
-    "deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
-
-    "bay:create": "rule:deny_cluster_user",
-    "bay:delete": "rule:deny_cluster_user",
-    "bay:detail": "rule:deny_cluster_user",
-    "bay:get": "rule:deny_cluster_user",
-    "bay:get_all": "rule:deny_cluster_user",
-    "bay:update": "rule:deny_cluster_user",
-
-    "baymodel:create": "rule:deny_cluster_user",
-    "baymodel:delete": "rule:deny_cluster_user",
-    "baymodel:detail": "rule:deny_cluster_user",
-    "baymodel:get": "rule:deny_cluster_user",
-    "baymodel:get_all": "rule:deny_cluster_user",
-    "baymodel:update": "rule:deny_cluster_user",
-    "baymodel:publish": "rule:admin_or_owner",
-
-    "cluster:create": "rule:deny_cluster_user",
-    "cluster:delete": "rule:deny_cluster_user",
-    "cluster:detail": "rule:deny_cluster_user",
-    "cluster:get": "rule:deny_cluster_user",
-    "cluster:get_all": "rule:deny_cluster_user",
-    "cluster:update": "rule:deny_cluster_user",
-
-    "clustertemplate:create": "rule:deny_cluster_user",
-    "clustertemplate:delete": "rule:deny_cluster_user",
-    "clustertemplate:detail": "rule:deny_cluster_user",
-    "clustertemplate:get": "rule:deny_cluster_user",
-    "clustertemplate:get_all": "rule:deny_cluster_user",
-    "clustertemplate:update": "rule:deny_cluster_user",
-    "clustertemplate:publish": "rule:admin_or_owner",
-
-    "rc:create": "rule:default",
-    "rc:delete": "rule:default",
-    "rc:detail": "rule:default",
-    "rc:get": "rule:default",
-    "rc:get_all": "rule:default",
-    "rc:update": "rule:default",
-
-    "certificate:create": "rule:admin_or_user or rule:cluster_user",
-    "certificate:get": "rule:admin_or_user or rule:cluster_user",
-
-    "magnum-service:get_all": "rule:admin_api"
-}
diff --git a/magnum/values.yaml b/magnum/values.yaml
index a06725a537..b57f5b28e0 100644
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@@ -40,8 +40,48 @@ conf:
     override:
     append:
   policy:
-    override:
-    append:
+    context_is_admin: role:admin
+    admin_or_owner: is_admin:True or project_id:%(project_id)s
+    default: rule:admin_or_owner
+    admin_api: rule:context_is_admin
+    admin_or_user: is_admin:True or user_id:%(user_id)s
+    cluster_user: user_id:%(trustee_user_id)s
+    deny_cluster_user: not domain_id:%(trustee_domain_id)s
+    bay:create: rule:deny_cluster_user
+    bay:delete: rule:deny_cluster_user
+    bay:detail: rule:deny_cluster_user
+    bay:get: rule:deny_cluster_user
+    bay:get_all: rule:deny_cluster_user
+    bay:update: rule:deny_cluster_user
+    baymodel:create: rule:deny_cluster_user
+    baymodel:delete: rule:deny_cluster_user
+    baymodel:detail: rule:deny_cluster_user
+    baymodel:get: rule:deny_cluster_user
+    baymodel:get_all: rule:deny_cluster_user
+    baymodel:update: rule:deny_cluster_user
+    baymodel:publish: rule:admin_or_owner
+    cluster:create: rule:deny_cluster_user
+    cluster:delete: rule:deny_cluster_user
+    cluster:detail: rule:deny_cluster_user
+    cluster:get: rule:deny_cluster_user
+    cluster:get_all: rule:deny_cluster_user
+    cluster:update: rule:deny_cluster_user
+    clustertemplate:create: rule:deny_cluster_user
+    clustertemplate:delete: rule:deny_cluster_user
+    clustertemplate:detail: rule:deny_cluster_user
+    clustertemplate:get: rule:deny_cluster_user
+    clustertemplate:get_all: rule:deny_cluster_user
+    clustertemplate:update: rule:deny_cluster_user
+    clustertemplate:publish: rule:admin_or_owner
+    rc:create: rule:default
+    rc:delete: rule:default
+    rc:detail: rule:default
+    rc:get: rule:default
+    rc:get_all: rule:default
+    rc:update: rule:default
+    certificate:create: rule:admin_or_user or rule:cluster_user
+    certificate:get: rule:admin_or_user or rule:cluster_user
+    magnum-service:get_all: rule:admin_api
   magnum:
     override:
     append:
diff --git a/mistral/templates/configmap-etc.yaml b/mistral/templates/configmap-etc.yaml
index 05fe0d72f6..f9c50bf013 100644
--- a/mistral/templates/configmap-etc.yaml
+++ b/mistral/templates/configmap-etc.yaml
@@ -72,5 +72,5 @@ data:
   mistral.conf: |+
 {{- tuple .Values.conf.mistral "etc/_mistral.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
   policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{  toJson .Values.conf.policy | indent 4 }}
 {{- end }}
diff --git a/mistral/templates/etc/_policy.json.tpl b/mistral/templates/etc/_policy.json.tpl
deleted file mode 100644
index a04e3bc1a9..0000000000
--- a/mistral/templates/etc/_policy.json.tpl
+++ /dev/null
@@ -1,65 +0,0 @@
-
-{
-    "admin_only": "is_admin:True",
-    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
-    "default": "rule:admin_or_owner",
-
-    "action_executions:delete": "rule:admin_or_owner",
-    "action_execution:create": "rule:admin_or_owner",
-    "action_executions:get": "rule:admin_or_owner",
-    "action_executions:list": "rule:admin_or_owner",
-    "action_executions:update": "rule:admin_or_owner",
-
-    "actions:create": "rule:admin_or_owner",
-    "actions:delete": "rule:admin_or_owner",
-    "actions:get": "rule:admin_or_owner",
-    "actions:list": "rule:admin_or_owner",
-    "actions:update": "rule:admin_or_owner",
-
-    "cron_triggers:create": "rule:admin_or_owner",
-    "cron_triggers:delete": "rule:admin_or_owner",
-    "cron_triggers:get": "rule:admin_or_owner",
-    "cron_triggers:list": "rule:admin_or_owner",
-
-    "environments:create": "rule:admin_or_owner",
-    "environments:delete": "rule:admin_or_owner",
-    "environments:get": "rule:admin_or_owner",
-    "environments:list": "rule:admin_or_owner",
-    "environments:update": "rule:admin_or_owner",
-
-    "executions:create": "rule:admin_or_owner",
-    "executions:delete": "rule:admin_or_owner",
-    "executions:get": "rule:admin_or_owner",
-    "executions:list": "rule:admin_or_owner",
-    "executions:update": "rule:admin_or_owner",
-
-    "members:create": "rule:admin_or_owner",
-    "members:delete": "rule:admin_or_owner",
-    "members:get": "rule:admin_or_owner",
-    "members:list": "rule:admin_or_owner",
-    "members:update": "rule:admin_or_owner",
-
-    "services:list": "rule:admin_or_owner",
-
-    "tasks:get": "rule:admin_or_owner",
-    "tasks:list": "rule:admin_or_owner",
-    "tasks:update": "rule:admin_or_owner",
-
-    "workbooks:create": "rule:admin_or_owner",
-    "workbooks:delete": "rule:admin_or_owner",
-    "workbooks:get": "rule:admin_or_owner",
-    "workbooks:list": "rule:admin_or_owner",
-    "workbooks:update": "rule:admin_or_owner",
-
-    "workflows:create": "rule:admin_or_owner",
-    "workflows:delete": "rule:admin_or_owner",
-    "workflows:get": "rule:admin_or_owner",
-    "workflows:list": "rule:admin_or_owner",
-    "workflows:update": "rule:admin_or_owner",
-
-    "event_triggers:create": "rule:admin_or_owner",
-    "event_triggers:delete": "rule:admin_or_owner",
-    "event_triggers:get": "rule:admin_or_owner",
-    "event_triggers:list": "rule:admin_or_owner",
-    "event_triggers:update": "rule:admin_or_owner"
-}
diff --git a/mistral/values.yaml b/mistral/values.yaml
index 80bf8bdea9..03ee733d5e 100644
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@@ -211,8 +211,57 @@ endpoints:
 
 conf:
   policy:
-    override:
-    append:
+    admin_only: is_admin:True
+    admin_or_owner: is_admin:True or project_id:%(project_id)s
+    default: rule:admin_or_owner
+    action_executions:delete: rule:admin_or_owner
+    action_execution:create: rule:admin_or_owner
+    action_executions:get: rule:admin_or_owner
+    action_executions:list: rule:admin_or_owner
+    action_executions:update: rule:admin_or_owner
+    actions:create: rule:admin_or_owner
+    actions:delete: rule:admin_or_owner
+    actions:get: rule:admin_or_owner
+    actions:list: rule:admin_or_owner
+    actions:update: rule:admin_or_owner
+    cron_triggers:create: rule:admin_or_owner
+    cron_triggers:delete: rule:admin_or_owner
+    cron_triggers:get: rule:admin_or_owner
+    cron_triggers:list: rule:admin_or_owner
+    environments:create: rule:admin_or_owner
+    environments:delete: rule:admin_or_owner
+    environments:get: rule:admin_or_owner
+    environments:list: rule:admin_or_owner
+    environments:update: rule:admin_or_owner
+    executions:create: rule:admin_or_owner
+    executions:delete: rule:admin_or_owner
+    executions:get: rule:admin_or_owner
+    executions:list: rule:admin_or_owner
+    executions:update: rule:admin_or_owner
+    members:create: rule:admin_or_owner
+    members:delete: rule:admin_or_owner
+    members:get: rule:admin_or_owner
+    members:list: rule:admin_or_owner
+    members:update: rule:admin_or_owner
+    services:list: rule:admin_or_owner
+    tasks:get: rule:admin_or_owner
+    tasks:list: rule:admin_or_owner
+    tasks:update: rule:admin_or_owner
+    workbooks:create: rule:admin_or_owner
+    workbooks:delete: rule:admin_or_owner
+    workbooks:get: rule:admin_or_owner
+    workbooks:list: rule:admin_or_owner
+    workbooks:update: rule:admin_or_owner
+    workflows:create: rule:admin_or_owner
+    workflows:delete: rule:admin_or_owner
+    workflows:get: rule:admin_or_owner
+    workflows:list: rule:admin_or_owner
+    workflows:update: rule:admin_or_owner
+    event_triggers:create: rule:admin_or_owner
+    event_triggers:delete: rule:admin_or_owner
+    event_triggers:get: rule:admin_or_owner
+    event_triggers:list: rule:admin_or_owner
+    event_triggers:update: rule:admin_or_owner
   mistral:
     override:
     append:
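Review bot: `action_execution:create` (L1185) is singular while every sibling rule uses `action_executions:` (L1184, L1186-L1188); the name was copied from the deleted template, so the commit does not introduce it, but if the service's actual policy target is the plural form this entry never matches and the create call is evaluated under `default` instead. Here `default` is also `rule:admin_or_owner` (L1183), so the outcome is unchanged today, yet the dead entry would mask any later tightening of that rule; confirm the target name against the service's policy registry and, if it is plural, change the line to `action_executions:create: rule:admin_or_owner`.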
diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml
index 6b81df7dff..47f02fca85 100644
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
@@ -93,7 +93,7 @@ data:
   api-paste.ini: |+
 {{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
   policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{  toJson .Values.conf.policy | indent 4 }}
   dhcp_agent.ini: |+
 {{- tuple .Values.conf.dhcp_agent "etc/_dhcp_agent.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
   l3_agent.ini: |+
diff --git a/neutron/templates/etc/_policy.json.tpl b/neutron/templates/etc/_policy.json.tpl
deleted file mode 100644
index 49e1ae95ef..0000000000
--- a/neutron/templates/etc/_policy.json.tpl
+++ /dev/null
@@ -1,214 +0,0 @@
-{
-    "context_is_admin":  "role:admin",
-    "owner": "tenant_id:%(tenant_id)s",
-    "admin_or_owner": "rule:context_is_admin or rule:owner",
-    "context_is_advsvc":  "role:advsvc",
-    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
-    "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
-    "admin_only": "rule:context_is_admin",
-    "regular_user": "",
-    "shared": "field:networks:shared=True",
-    "shared_subnetpools": "field:subnetpools:shared=True",
-    "shared_address_scopes": "field:address_scopes:shared=True",
-    "external": "field:networks:router:external=True",
-    "default": "rule:admin_or_owner",
-
-    "create_subnet": "rule:admin_or_network_owner",
-    "create_subnet:segment_id": "rule:admin_only",
-    "create_subnet:service_types": "rule:admin_only",
-    "get_subnet": "rule:admin_or_owner or rule:shared",
-    "get_subnet:segment_id": "rule:admin_only",
-    "update_subnet": "rule:admin_or_network_owner",
-    "update_subnet:service_types": "rule:admin_only",
-    "delete_subnet": "rule:admin_or_network_owner",
-
-    "create_subnetpool": "",
-    "create_subnetpool:shared": "rule:admin_only",
-    "create_subnetpool:is_default": "rule:admin_only",
-    "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
-    "update_subnetpool": "rule:admin_or_owner",
-    "update_subnetpool:is_default": "rule:admin_only",
-    "delete_subnetpool": "rule:admin_or_owner",
-
-    "create_address_scope": "",
-    "create_address_scope:shared": "rule:admin_only",
-    "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
-    "update_address_scope": "rule:admin_or_owner",
-    "update_address_scope:shared": "rule:admin_only",
-    "delete_address_scope": "rule:admin_or_owner",
-
-    "create_network": "",
-    "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
-    "get_network:router:external": "rule:regular_user",
-    "get_network:segments": "rule:admin_only",
-    "get_network:provider:network_type": "rule:admin_only",
-    "get_network:provider:physical_network": "rule:admin_only",
-    "get_network:provider:segmentation_id": "rule:admin_only",
-    "get_network:queue_id": "rule:admin_only",
-    "get_network_ip_availabilities": "rule:admin_only",
-    "get_network_ip_availability": "rule:admin_only",
-    "create_network:shared": "rule:admin_only",
-    "create_network:router:external": "rule:admin_only",
-    "create_network:is_default": "rule:admin_only",
-    "create_network:segments": "rule:admin_only",
-    "create_network:provider:network_type": "rule:admin_only",
-    "create_network:provider:physical_network": "rule:admin_only",
-    "create_network:provider:segmentation_id": "rule:admin_only",
-    "update_network": "rule:admin_or_owner",
-    "update_network:segments": "rule:admin_only",
-    "update_network:shared": "rule:admin_only",
-    "update_network:provider:network_type": "rule:admin_only",
-    "update_network:provider:physical_network": "rule:admin_only",
-    "update_network:provider:segmentation_id": "rule:admin_only",
-    "update_network:router:external": "rule:admin_only",
-    "delete_network": "rule:admin_or_owner",
-
-    "create_segment": "rule:admin_only",
-    "get_segment": "rule:admin_only",
-    "update_segment": "rule:admin_only",
-    "delete_segment": "rule:admin_only",
-
-    "network_device": "field:port:device_owner=~^network:",
-    "create_port": "",
-    "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
-    "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "create_port:binding:host_id": "rule:admin_only",
-    "create_port:binding:profile": "rule:admin_only",
-    "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
-    "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
-    "get_port:queue_id": "rule:admin_only",
-    "get_port:binding:vif_type": "rule:admin_only",
-    "get_port:binding:vif_details": "rule:admin_only",
-    "get_port:binding:host_id": "rule:admin_only",
-    "get_port:binding:profile": "rule:admin_only",
-    "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
-    "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
-    "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
-    "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "update_port:binding:host_id": "rule:admin_only",
-    "update_port:binding:profile": "rule:admin_only",
-    "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
-    "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
-
-    "get_router:ha": "rule:admin_only",
-    "create_router": "rule:regular_user",
-    "create_router:external_gateway_info:enable_snat": "rule:admin_only",
-    "create_router:distributed": "rule:admin_only",
-    "create_router:ha": "rule:admin_only",
-    "get_router": "rule:admin_or_owner",
-    "get_router:distributed": "rule:admin_only",
-    "update_router:external_gateway_info:enable_snat": "rule:admin_only",
-    "update_router:distributed": "rule:admin_only",
-    "update_router:ha": "rule:admin_only",
-    "delete_router": "rule:admin_or_owner",
-
-    "add_router_interface": "rule:admin_or_owner",
-    "remove_router_interface": "rule:admin_or_owner",
-
-    "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
-    "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
-
-    "insert_rule": "rule:admin_or_owner",
-    "remove_rule": "rule:admin_or_owner",
-
-    "create_qos_queue": "rule:admin_only",
-    "get_qos_queue": "rule:admin_only",
-
-    "update_agent": "rule:admin_only",
-    "delete_agent": "rule:admin_only",
-    "get_agent": "rule:admin_only",
-
-    "create_dhcp-network": "rule:admin_only",
-    "delete_dhcp-network": "rule:admin_only",
-    "get_dhcp-networks": "rule:admin_only",
-    "create_l3-router": "rule:admin_only",
-    "delete_l3-router": "rule:admin_only",
-    "get_l3-routers": "rule:admin_only",
-    "get_dhcp-agents": "rule:admin_only",
-    "get_l3-agents": "rule:admin_only",
-    "get_loadbalancer-agent": "rule:admin_only",
-    "get_loadbalancer-pools": "rule:admin_only",
-    "get_agent-loadbalancers": "rule:admin_only",
-    "get_loadbalancer-hosting-agent": "rule:admin_only",
-
-    "create_floatingip": "rule:regular_user",
-    "create_floatingip:floating_ip_address": "rule:admin_only",
-    "update_floatingip": "rule:admin_or_owner",
-    "delete_floatingip": "rule:admin_or_owner",
-    "get_floatingip": "rule:admin_or_owner",
-
-    "create_network_profile": "rule:admin_only",
-    "update_network_profile": "rule:admin_only",
-    "delete_network_profile": "rule:admin_only",
-    "get_network_profiles": "",
-    "get_network_profile": "",
-    "update_policy_profiles": "rule:admin_only",
-    "get_policy_profiles": "",
-    "get_policy_profile": "",
-
-    "create_metering_label": "rule:admin_only",
-    "delete_metering_label": "rule:admin_only",
-    "get_metering_label": "rule:admin_only",
-
-    "create_metering_label_rule": "rule:admin_only",
-    "delete_metering_label_rule": "rule:admin_only",
-    "get_metering_label_rule": "rule:admin_only",
-
-    "get_service_provider": "rule:regular_user",
-    "get_lsn": "rule:admin_only",
-    "create_lsn": "rule:admin_only",
-
-    "create_flavor": "rule:admin_only",
-    "update_flavor": "rule:admin_only",
-    "delete_flavor": "rule:admin_only",
-    "get_flavors": "rule:regular_user",
-    "get_flavor": "rule:regular_user",
-    "create_service_profile": "rule:admin_only",
-    "update_service_profile": "rule:admin_only",
-    "delete_service_profile": "rule:admin_only",
-    "get_service_profiles": "rule:admin_only",
-    "get_service_profile": "rule:admin_only",
-
-    "get_policy": "rule:regular_user",
-    "create_policy": "rule:admin_only",
-    "update_policy": "rule:admin_only",
-    "delete_policy": "rule:admin_only",
-    "get_policy_bandwidth_limit_rule": "rule:regular_user",
-    "create_policy_bandwidth_limit_rule": "rule:admin_only",
-    "delete_policy_bandwidth_limit_rule": "rule:admin_only",
-    "update_policy_bandwidth_limit_rule": "rule:admin_only",
-    "get_policy_dscp_marking_rule": "rule:regular_user",
-    "create_policy_dscp_marking_rule": "rule:admin_only",
-    "delete_policy_dscp_marking_rule": "rule:admin_only",
-    "update_policy_dscp_marking_rule": "rule:admin_only",
-    "get_rule_type": "rule:regular_user",
-    "get_policy_minimum_bandwidth_rule": "rule:regular_user",
-    "create_policy_minimum_bandwidth_rule": "rule:admin_only",
-    "delete_policy_minimum_bandwidth_rule": "rule:admin_only",
-    "update_policy_minimum_bandwidth_rule": "rule:admin_only",
-
-    "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
-    "create_rbac_policy": "",
-    "create_rbac_policy:target_tenant": "rule:restrict_wildcard",
-    "update_rbac_policy": "rule:admin_or_owner",
-    "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
-    "get_rbac_policy": "rule:admin_or_owner",
-    "delete_rbac_policy": "rule:admin_or_owner",
-
-    "create_flavor_service_profile": "rule:admin_only",
-    "delete_flavor_service_profile": "rule:admin_only",
-    "get_flavor_service_profile": "rule:regular_user",
-    "get_auto_allocated_topology": "rule:admin_or_owner",
-
-    "create_trunk": "rule:regular_user",
-    "get_trunk": "rule:admin_or_owner",
-    "delete_trunk": "rule:admin_or_owner",
-    "get_subports": "",
-    "add_subports": "rule:admin_or_owner",
-    "remove_subports": "rule:admin_or_owner"
-}
diff --git a/neutron/values.yaml b/neutron/values.yaml
index 251f4e2230..335c5d5d00 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -365,8 +365,195 @@ conf:
     override:
     append:
   policy:
-    override:
-    append:
+    context_is_admin: role:admin
+    owner: tenant_id:%(tenant_id)s
+    admin_or_owner: rule:context_is_admin or rule:owner
+    context_is_advsvc: role:advsvc
+    admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s
+    admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner
+    admin_only: rule:context_is_admin
+    regular_user: ''
+    shared: field:networks:shared=True
+    shared_subnetpools: field:subnetpools:shared=True
+    shared_address_scopes: field:address_scopes:shared=True
+    external: field:networks:router:external=True
+    default: rule:admin_or_owner
+    create_subnet: rule:admin_or_network_owner
+    create_subnet:segment_id: rule:admin_only
+    create_subnet:service_types: rule:admin_only
+    get_subnet: rule:admin_or_owner or rule:shared
+    get_subnet:segment_id: rule:admin_only
+    update_subnet: rule:admin_or_network_owner
+    update_subnet:service_types: rule:admin_only
+    delete_subnet: rule:admin_or_network_owner
+    create_subnetpool: ''
+    create_subnetpool:shared: rule:admin_only
+    create_subnetpool:is_default: rule:admin_only
+    get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools
+    update_subnetpool: rule:admin_or_owner
+    update_subnetpool:is_default: rule:admin_only
+    delete_subnetpool: rule:admin_or_owner
+    create_address_scope: ''
+    create_address_scope:shared: rule:admin_only
+    get_address_scope: rule:admin_or_owner or rule:shared_address_scopes
+    update_address_scope: rule:admin_or_owner
+    update_address_scope:shared: rule:admin_only
+    delete_address_scope: rule:admin_or_owner
+    create_network: ''
+    get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
+    get_network:router:external: rule:regular_user
+    get_network:segments: rule:admin_only
+    get_network:provider:network_type: rule:admin_only
+    get_network:provider:physical_network: rule:admin_only
+    get_network:provider:segmentation_id: rule:admin_only
+    get_network:queue_id: rule:admin_only
+    get_network_ip_availabilities: rule:admin_only
+    get_network_ip_availability: rule:admin_only
+    create_network:shared: rule:admin_only
+    create_network:router:external: rule:admin_only
+    create_network:is_default: rule:admin_only
+    create_network:segments: rule:admin_only
+    create_network:provider:network_type: rule:admin_only
+    create_network:provider:physical_network: rule:admin_only
+    create_network:provider:segmentation_id: rule:admin_only
+    update_network: rule:admin_or_owner
+    update_network:segments: rule:admin_only
+    update_network:shared: rule:admin_only
+    update_network:provider:network_type: rule:admin_only
+    update_network:provider:physical_network: rule:admin_only
+    update_network:provider:segmentation_id: rule:admin_only
+    update_network:router:external: rule:admin_only
+    delete_network: rule:admin_or_owner
+    create_segment: rule:admin_only
+    get_segment: rule:admin_only
+    update_segment: rule:admin_only
+    delete_segment: rule:admin_only
+    network_device: 'field:port:device_owner=~^network:'
+    create_port: ''
+    create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
+    create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner
+    create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
+    create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
+    create_port:binding:host_id: rule:admin_only
+    create_port:binding:profile: rule:admin_only
+    create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
+    create_port:allowed_address_pairs: rule:admin_or_network_owner
+    get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
+    get_port:queue_id: rule:admin_only
+    get_port:binding:vif_type: rule:admin_only
+    get_port:binding:vif_details: rule:admin_only
+    get_port:binding:host_id: rule:admin_only
+    get_port:binding:profile: rule:admin_only
+    update_port: rule:admin_or_owner or rule:context_is_advsvc
+    update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
+    update_port:mac_address: rule:admin_only or rule:context_is_advsvc
+    update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
+    update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
+    update_port:binding:host_id: rule:admin_only
+    update_port:binding:profile: rule:admin_only
+    update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
+    update_port:allowed_address_pairs: rule:admin_or_network_owner
+    delete_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
+    get_router:ha: rule:admin_only
+    create_router: rule:regular_user
+    create_router:external_gateway_info:enable_snat: rule:admin_only
+    create_router:distributed: rule:admin_only
+    create_router:ha: rule:admin_only
+    get_router: rule:admin_or_owner
+    get_router:distributed: rule:admin_only
+    update_router:external_gateway_info:enable_snat: rule:admin_only
+    update_router:distributed: rule:admin_only
+    update_router:ha: rule:admin_only
+    delete_router: rule:admin_or_owner
+    add_router_interface: rule:admin_or_owner
+    remove_router_interface: rule:admin_or_owner
+    create_router:external_gateway_info:external_fixed_ips: rule:admin_only
+    update_router:external_gateway_info:external_fixed_ips: rule:admin_only
+    insert_rule: rule:admin_or_owner
+    remove_rule: rule:admin_or_owner
+    create_qos_queue: rule:admin_only
+    get_qos_queue: rule:admin_only
+    update_agent: rule:admin_only
+    delete_agent: rule:admin_only
+    get_agent: rule:admin_only
+    create_dhcp-network: rule:admin_only
+    delete_dhcp-network: rule:admin_only
+    get_dhcp-networks: rule:admin_only
+    create_l3-router: rule:admin_only
+    delete_l3-router: rule:admin_only
+    get_l3-routers: rule:admin_only
+    get_dhcp-agents: rule:admin_only
+    get_l3-agents: rule:admin_only
+    get_loadbalancer-agent: rule:admin_only
+    get_loadbalancer-pools: rule:admin_only
+    get_agent-loadbalancers: rule:admin_only
+    get_loadbalancer-hosting-agent: rule:admin_only
+    create_floatingip: rule:regular_user
+    create_floatingip:floating_ip_address: rule:admin_only
+    update_floatingip: rule:admin_or_owner
+    delete_floatingip: rule:admin_or_owner
+    get_floatingip: rule:admin_or_owner
+    create_network_profile: rule:admin_only
+    update_network_profile: rule:admin_only
+    delete_network_profile: rule:admin_only
+    get_network_profiles: ''
+    get_network_profile: ''
+    update_policy_profiles: rule:admin_only
+    get_policy_profiles: ''
+    get_policy_profile: ''
+    create_metering_label: rule:admin_only
+    delete_metering_label: rule:admin_only
+    get_metering_label: rule:admin_only
+    create_metering_label_rule: rule:admin_only
+    delete_metering_label_rule: rule:admin_only
+    get_metering_label_rule: rule:admin_only
+    get_service_provider: rule:regular_user
+    get_lsn: rule:admin_only
+    create_lsn: rule:admin_only
+    create_flavor: rule:admin_only
+    update_flavor: rule:admin_only
+    delete_flavor: rule:admin_only
+    get_flavors: rule:regular_user
+    get_flavor: rule:regular_user
+    create_service_profile: rule:admin_only
+    update_service_profile: rule:admin_only
+    delete_service_profile: rule:admin_only
+    get_service_profiles: rule:admin_only
+    get_service_profile: rule:admin_only
+    get_policy: rule:regular_user
+    create_policy: rule:admin_only
+    update_policy: rule:admin_only
+    delete_policy: rule:admin_only
+    get_policy_bandwidth_limit_rule: rule:regular_user
+    create_policy_bandwidth_limit_rule: rule:admin_only
+    delete_policy_bandwidth_limit_rule: rule:admin_only
+    update_policy_bandwidth_limit_rule: rule:admin_only
+    get_policy_dscp_marking_rule: rule:regular_user
+    create_policy_dscp_marking_rule: rule:admin_only
+    delete_policy_dscp_marking_rule: rule:admin_only
+    update_policy_dscp_marking_rule: rule:admin_only
+    get_rule_type: rule:regular_user
+    get_policy_minimum_bandwidth_rule: rule:regular_user
+    create_policy_minimum_bandwidth_rule: rule:admin_only
+    delete_policy_minimum_bandwidth_rule: rule:admin_only
+    update_policy_minimum_bandwidth_rule: rule:admin_only
+    restrict_wildcard: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
+    create_rbac_policy: ''
+    create_rbac_policy:target_tenant: rule:restrict_wildcard
+    update_rbac_policy: rule:admin_or_owner
+    update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner
+    get_rbac_policy: rule:admin_or_owner
+    delete_rbac_policy: rule:admin_or_owner
+    create_flavor_service_profile: rule:admin_only
+    delete_flavor_service_profile: rule:admin_only
+    get_flavor_service_profile: rule:regular_user
+    get_auto_allocated_topology: rule:admin_or_owner
+    create_trunk: rule:regular_user
+    get_trunk: rule:admin_or_owner
+    delete_trunk: rule:admin_or_owner
+    get_subports: ''
+    add_subports: rule:admin_or_owner
+    remove_subports: rule:admin_or_owner
   neutron_sudoers:
     override:
     append:
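Review bot: The `policy` key changes shape from the removed `override:`/`append:` pair to a flat rule map without a comment saying so, and an operator values file that still sets `conf.policy.override` would now presumably be merged in as a policy rule named `override` with a null value instead of being ignored. A short comment above the map would document the contract, e.g. `# Rendered verbatim into policy.json by configmap-etc.yaml; an empty string '' means any authenticated user may call that action.` The deleted template grouped rules by resource with blank lines; a one-line comment per group (`# subnets`, `# ports`, `# routers`) would preserve that readability in the 189-line map. The senlin values.yaml hunk makes the same shape change.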
diff --git a/senlin/templates/configmap-etc.yaml b/senlin/templates/configmap-etc.yaml
index 73413a0826..9da8c5c6a8 100644
--- a/senlin/templates/configmap-etc.yaml
+++ b/senlin/templates/configmap-etc.yaml
@@ -75,5 +75,5 @@ data:
   api-paste.ini: |+
 {{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
   policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{  toJson .Values.conf.policy | indent 4 }}
 {{- end }}
diff --git a/senlin/templates/etc/_policy.json.tpl b/senlin/templates/etc/_policy.json.tpl
deleted file mode 100644
index d4e154600d..0000000000
--- a/senlin/templates/etc/_policy.json.tpl
+++ /dev/null
@@ -1,49 +0,0 @@
-{
-    "context_is_admin":  "role:admin",
-    "deny_everybody": "!",
-
-    "build_info:build_info": "",
-    "profile_types:index": "",
-    "profile_types:get": "",
-    "policy_types:index": "",
-    "policy_types:get": "",
-    "clusters:index": "",
-    "clusters:create": "",
-    "clusters:delete": "",
-    "clusters:get": "",
-    "clusters:action": "",
-    "clusters:update": "",
-    "clusters:collect": "",
-    "profiles:index": "",
-    "profiles:create": "",
-    "profiles:get": "",
-    "profiles:delete": "",
-    "profiles:update": "",
-    "profiles:validate": "",
-    "nodes:index": "",
-    "nodes:create": "",
-    "nodes:get": "",
-    "nodes:action": "",
-    "nodes:update": "",
-    "nodes:delete": "",
-    "policies:index": "",
-    "policies:create": "",
-    "policies:get": "",
-    "policies:update": "",
-    "policies:delete": "",
-    "policies:validate": "",
-    "cluster_policies:index": "",
-    "cluster_policies:attach": "",
-    "cluster_policies:detach": "",
-    "cluster_policies:update": "",
-    "cluster_policies:get": "",
-    "receivers:index": "",
-    "receivers:create": "",
-    "receivers:get": "",
-    "receivers:delete": "",
-    "actions:index": "",
-    "actions:get": "",
-    "events:index": "",
-    "events:get": "",
-    "webhooks:trigger": ""
-}
diff --git a/senlin/values.yaml b/senlin/values.yaml
index 7760872859..ab49e4b3e5 100644
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@@ -40,8 +40,52 @@ conf:
     override:
     append:
   policy:
-    override:
-    append:
+    context_is_admin: role:admin
+    deny_everybody: "!"
+    build_info:build_info: ''
+    profile_types:index: ''
+    profile_types:get: ''
+    policy_types:index: ''
+    policy_types:get: ''
+    clusters:index: ''
+    clusters:create: ''
+    clusters:delete: ''
+    clusters:get: ''
+    clusters:action: ''
+    clusters:update: ''
+    clusters:collect: ''
+    profiles:index: ''
+    profiles:create: ''
+    profiles:get: ''
+    profiles:delete: ''
+    profiles:update: ''
+    profiles:validate: ''
+    nodes:index: ''
+    nodes:create: ''
+    nodes:get: ''
+    nodes:action: ''
+    nodes:update: ''
+    nodes:delete: ''
+    policies:index: ''
+    policies:create: ''
+    policies:get: ''
+    policies:update: ''
+    policies:delete: ''
+    policies:validate: ''
+    cluster_policies:index: ''
+    cluster_policies:attach: ''
+    cluster_policies:detach: ''
+    cluster_policies:update: ''
+    cluster_policies:get: ''
+    receivers:index: ''
+    receivers:create: ''
+    receivers:get: ''
+    receivers:delete: ''
+    actions:index: ''
+    actions:get: ''
+    events:index: ''
+    events:get: ''
+    webhooks:trigger: ''
   senlin:
     override:
     append:
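Review bot: Every action rule in the new `policy` map is `''`, so once rendered any authenticated user can call every senlin API including `clusters:delete` and `webhooks:trigger`, while `context_is_admin` and `deny_everybody` are defined but referenced by no rule. This mirrors the deleted template, but now that the rules live in values.yaml a comment should state it so operators know what they are accepting, e.g. `# Upstream default: '' grants the action to any authenticated user; override individual rules to restrict.` `deny_everybody: "!"` is correctly quoted, since an unquoted `!` would start a YAML tag.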