author | Zuul <zuul@review.opendev.org> | 2020-04-15 05:56:02 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2020-04-15 05:56:02 +0000 |
commit | c60ea6739451e6c2a87ff06a7e6dcba62dc4185c (patch) | |
tree | b825a3026c34d9d1bc9ad0952e3f210b333e1741 /nova/policies | |
parent | af805e00618163786c0e4ceb72a1d0e9fa028403 (diff) | |
parent | 9b3bc4817ee99153b7c847c3b9b7e6481b1c2259 (diff) | |
download | nova-c60ea6739451e6c2a87ff06a7e6dcba62dc4185c.tar.gz |
Merge "Add new default roles in server group policies"
Diffstat (limited to 'nova/policies')
-rw-r--r-- | nova/policies/base.py | 5 | ||||
-rw-r--r-- | nova/policies/server_groups.py | 21 |
2 files changed, 19 insertions, 7 deletions
diff --git a/nova/policies/base.py b/nova/policies/base.py
index 96b9d8e91a..c54848e3b5 100644
--- a/nova/policies/base.py
+++ b/nova/policies/base.py
@@ -115,7 +115,10 @@ rules = [
 policy.RuleDefault(
 "project_member_api",
 "role:member and project_id:%(project_id)s",
- "Default rule for Project level non admin APIs."),
+ "Default rule for Project level non admin APIs.",
+ deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since='21.0.0'),
 policy.RuleDefault(
 "project_reader_api",
 "role:reader and project_id:%(project_id)s",
diff --git a/nova/policies/server_groups.py b/nova/policies/server_groups.py
index e9b95d316d..55176b8a6a 100644
--- a/nova/policies/server_groups.py
+++ b/nova/policies/server_groups.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-server-groups:%s'
 server_groups_policies = [
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'create',
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.PROJECT_MEMBER,
 description="Create a new server group",
 operations=[
 {
@@ -32,11 +32,20 @@ server_groups_policies = [
 'method': 'POST'
 }
 ],
- scope_types=['system', 'project']
+ # (NOTE)gmann: Reason for 'project' only scope:
+ # POST SG need project_id to create the serve groups
+ # system scope members do not have project id for which
+ # SG needs to be created.
+ # If we allow system scope role also then created SG will have
+ # project_id of system role, not the one he/she wants to create the SG
+ # for (nobody can create the SG for other projects because API does
+ # not take project id in request ). So keeping this scoped to project
+ # only as these roles are the only ones who will be creating SG.
+ scope_types=['project']
 ),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'delete',
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
 description="Delete a server group",
 operations=[
 {
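Review bot: Putting `deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY` on the shared `project_member_api` rule means that, while the deprecation is in effect, oslo.policy evaluates this rule as the new check OR the legacy admin_or_owner check (unless `[oslo_policy] enforce_new_defaults` is enabled), and every policy that references it — presumably including the new `base.PROJECT_MEMBER` defaults in server_groups.py — inherits that widening. So the move to `role:member and project_id:%(project_id)s` is not actually enforced by default, and any rule that was previously stricter than admin_or_owner must not be migrated to this default or it would be loosened during the deprecation window. I would add a comment on the RuleDefault, e.g. `# NOTE: rules that reference project_member_api also get the admin_or_owner fallback until enforce_new_defaults is set; only migrate former RULE_ADMIN_OR_OWNER policies here`. `DEPRECATED_ADMIN_OR_OWNER_POLICY` and `DEPRECATED_REASON` are defined outside this hunk, so their exact contents are assumed.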
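Review bot: The new `scope_types=['project']` restriction on the create rule is only enforced when `[oslo_policy] enforce_scope` is true; with it off (the default at this point, as far as I recall) a system-scoped token still reaches this call and, as the NOTE itself describes, the group is created under whatever project_id the request context carries. The comment should state that dependency explicitly, and it needs two wording fixes: `# NOTE(gmann): Reason for 'project' only scope:` (the conventional OpenStack tag form rather than `(NOTE)gmann`) and `# POST SG needs project_id to create the server group` (typo "serve groups"). The `base.PROJECT_MEMBER` check_str paired with this scope is defined in base.py, not in this hunk.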
@@ -48,7 +57,7 @@ server_groups_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'index',
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.PROJECT_READER_OR_SYSTEM_READER,
 description="List all server groups",
 operations=[
 {
@@ -60,7 +69,7 @@ server_groups_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'index:all_projects',
- check_str=base.RULE_ADMIN_API,
+ check_str=base.SYSTEM_READER,
 description="List all server groups for all projects",
 operations=[
 {
@@ -72,7 +81,7 @@ server_groups_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'show',
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.PROJECT_READER_OR_SYSTEM_READER,
 description="Show details of a server group",
 operations=[
 { |
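Review bot: `base.PROJECT_READER_OR_SYSTEM_READER` on `show` is only as strong as the target the API handler passes to `context.can`; the project-reader half (presumably `role:reader and project_id:%(project_id)s`, by analogy with `project_member_api` in base.py) compares against the target's `project_id`, and if the handler uses the default target that value is the caller's own project, which makes the ownership check trivially true and reduces the rule to `role:reader`. Please confirm the show (and delete) handlers look the group up first and pass `target={'project_id': sg.project_id}`, or that the lookup itself is scoped to the caller's project; otherwise a reader in one project could show any project's group by UUID. The handlers live in the API layer, not in this diff, so this is a check to make rather than a confirmed defect.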