Diffstat (limited to 'heat/policies/base.py')
-rw-r--r-- | heat/policies/base.py | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/heat/policies/base.py b/heat/policies/base.py
index 7f4d8643d..cdc3b9f7d 100644
--- a/heat/policies/base.py
+++ b/heat/policies/base.py
@@ -18,11 +18,45 @@
 RULE_DENY_STACK_USER = 'rule:deny_stack_user'
 RULE_DENY_EVERYBODY = 'rule:deny_everybody'
 RULE_ALLOW_EVERYBODY = 'rule:allow_everybody'
 
+# Check strings that embody common personas
+SYSTEM_ADMIN = 'role:admin and system_scope:all'
+SYSTEM_READER = 'role:reader and system_scope:all'
+PROJECT_MEMBER = 'role:member and project_id:%(project_id)s'
+PROJECT_READER = 'role:reader and project_id:%(project_id)s'
+
+# Heat personas
+PROJECT_ADMIN = 'role:admin and project_id:%(project_id)s'
+PROJECT_STACK_USER = 'role:heat_stack_user and project_id:%(project_id)s'
+
+# Composite check strings that are useful for policies that protect APIs that
+# operate at different scopes.
+SYSTEM_ADMIN_OR_PROJECT_MEMBER = (
+    '(' + SYSTEM_ADMIN + ')'
+    ' or (' + PROJECT_MEMBER + ')'
+)
+SYSTEM_OR_PROJECT_READER = (
+    '(' + SYSTEM_READER + ')'
+    ' or (' + PROJECT_READER + ')'
+)
+SYSTEM_ADMIN_OR_PROJECT_MEMBER_OR_STACK_USER = (
+    '(' + SYSTEM_ADMIN + ')'
+    ' or (' + PROJECT_MEMBER + ')'
+    ' or (' + PROJECT_STACK_USER + ')'
+)
+SYSTEM_OR_PROJECT_READER_OR_STACK_USER = (
+    '(' + SYSTEM_READER + ')'
+    ' or (' + PROJECT_READER + ')'
+    ' or (' + PROJECT_STACK_USER + ')'
+)
+
 rules = [
     policy.RuleDefault(
         name="context_is_admin",
-        check_str="role:admin and is_admin_project:True",
+        check_str=(
+            "(role:admin and is_admin_project:True) OR "
+            "(" + SYSTEM_ADMIN + ")"
+        ),
         description="Decides what is required for the 'is_admin:True' check "
                     "to succeed."),
     policy.RuleDefault(
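Review bot: The four composite constants from SYSTEM_ADMIN_OR_PROJECT_MEMBER to SYSTEM_OR_PROJECT_READER_OR_STACK_USER mix `+` with implicit adjacent-literal concatenation, so `')' ' or ('` is joined by the parser before the `+` operands are applied; the produced check strings are correct here, but the precedence is easy to misread when a persona is edited later, and one `.format` per constant, e.g. `SYSTEM_ADMIN_OR_PROJECT_MEMBER = '({}) or ({})'.format(SYSTEM_ADMIN, PROJECT_MEMBER)`, makes the resulting policy text visible at a glance. In the same spirit, the new `context_is_admin` check spells the operator as uppercase `OR` while every other check string in the hunk uses lowercase `or`; oslo.policy lowercases operator tokens so both parse, but the file should use one form. The `%(project_id)s` placeholders deserve a short comment stating that the enforcement target must carry `project_id` and that oslo.policy treats a missing target key as a failed check, e.g. `# project_id must be present in the policy target; a missing key fails closed`, so readers do not assume a bare target grants access. PROJECT_ADMIN is defined but not referenced in this hunk; if it is meant for a later change, a comment saying so would avoid it reading as dead code. The `rules` list continues past the end of the hunk.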