openstack/neutron
Code Issues Proposed changes
Files
f8984c66996c876d5bbd0cc0c4c47f567e515511
neutron/neutron/conf/policies/base.py
Akihiro Motoki f8984c6699 Convert policy.json into policy-in-code 
This commit introduces a framework for policy-in-code support
in the neutron stadium and converts the existing policy.json
in the neutron repository into the policy-in-code style.

NOTES:
1) This commit tries not to change the existing policy behavior
provided by the neutron repository even if there are some stale policies
or policies to be defined in a neutron-related project.
They should be clean up later in Stein release.

2) 'default' policy should be dropped from the default policies
as all default policies should be defined in the code (as many projects
which already completed policy-in-code do). However, dropping 'default'
policy potentially affects policy behavior in neutron-related projects,
so it needs to be visit carefully. Considering this, this commit decides
to keep the 'default' policy.

Partially Implements: blueprint neutron-policy-in-code
Change-Id: I6a61079da4d4f5080ee32d640144e6bdb14735fa
2018-12-13 20:37:53 +00:00

68 lines
2.3 KiB
Python
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'context_is_admin',
'role:admin',
description='Rule for cloud admin access'),
policy.RuleDefault(
'owner',
'tenant_id:%(tenant_id)s',
description='Rule for resource owner access'),
policy.RuleDefault(
'admin_or_owner',
'rule:context_is_admin or rule:owner',
description='Rule for admin or owner access'),
policy.RuleDefault(
'context_is_advsvc',
'role:advsvc',
description='Rule for advsvc role access'),
policy.RuleDefault(
'admin_or_network_owner',
'rule:context_is_admin or tenant_id:%(network:tenant_id)s',
description='Rule for admin or network owner access'),
policy.RuleDefault(
'admin_owner_or_network_owner',
'rule:owner or rule:admin_or_network_owner',
description=('Rule for resource owner, '
'admin or network owner access')),
policy.RuleDefault(
'admin_only',
'rule:context_is_admin',
description='Rule only for admin access'),
policy.RuleDefault(
'regular_user',
'',
description='Rule for regular user access'),
# TODO(amotoki): Should be renamed to shared_network? It seems clearer.
policy.RuleDefault(
'shared',
'field:networks:shared=True',
description='Rule of shared network'),
policy.RuleDefault(
'default',
'rule:admin_or_owner',
description='Default access rule'),
policy.RuleDefault(
'admin_or_ext_parent_owner',
'rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s',
description='Rule for common parent owner check'),
]
def list_rules():
return rules
View Git Blame Copy Permalink