refactor: Update pydantic>=2.11.7

Refer to: https://releases.openstack.org/constraints/upper/master

Change-Id: I75851e1a03043ef6cc8c44f50d0083ed827b60d8
Signed-off-by: Wu Wenxiang <wu.wenxiang@99cloud.net>
Wu Wenxiang
2025-07-21 22:44:28 +08:00
parent e38457b5b6
commit 2fa03951cf
30 changed files with 3761 additions and 2548 deletions


@@ -7,3 +7,7 @@ ensure_newline_before_comments = True
line_length = 98
reverse_relative = true
combine_as_imports = true
[isort]
known_first_party = skyline_apiserver
known_third_party = skyline_console


@@ -159,7 +159,7 @@ Install & Run
.. code:: bash
tox -e venv
pip install -r requirements.txt -r test-requirements.txt
pip install -r requirements.txt -r test-requirements.txt -chttps://releases.openstack.org/constraints/upper/master
pip install -e .
2. Set skyline.yaml config file


@@ -1,6 +1,6 @@
pbr>=5.8.0 # Apache-2.0
fastapi==0.111.0 # MIT
pydantic>=1.9.0,<2.0.0
fastapi>=0.111.0 # MIT
pydantic>=2.11.7,<3.0.0 # MIT
uvicorn==0.30.1 # BSD License (3 clause)
gunicorn>=20.1.0 # MIT
python-jose<=3.3.0 # MIT
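Review bot: `fastapi` goes from an exact pin to the open-ended `fastapi>=0.111.0`, while `pydantic` on the next line keeps a major-version ceiling, so any install that omits the upper-constraints file now resolves to whatever fastapi release is newest. Either give it a ceiling in the same style, e.g. `fastapi>=0.111.0,<1.0.0 # MIT`, or make the constraints file mandatory in every install path rather than only in the README command. The unchanged `python-jose<=3.3.0` line has the opposite problem: the cap blocks any release after 3.3.0, including fixes to the JWT handling, and is worth revisiting in the same pass.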


@@ -20,12 +20,13 @@ from typing import Any, Dict, List, Optional, Tuple, Union
from fastapi import status
from fastapi.exceptions import HTTPException
from fastapi.param_functions import Depends, Form, Header
from fastapi.responses import RedirectResponse
from fastapi.routing import APIRouter
from keystoneauth1.identity.v3 import Password, Token
from keystoneauth1.session import Session
from keystoneclient.client import Client as KeystoneClient
from starlette.requests import Request
from starlette.responses import RedirectResponse, Response
from starlette.responses import Response
from skyline_apiserver import schemas
from skyline_apiserver.api import deps
@@ -262,7 +263,7 @@ def get_sso(request: Request) -> schemas.SSO:
"/websso",
description="Websso",
responses={
302: {"class": RedirectResponse},
302: {"description": "Redirect to SSO provider"},
401: {"model": schemas.common.UnauthorizedMessage},
},
response_class=RedirectResponse,
@@ -378,33 +379,33 @@ def logout(
)
def switch_project(
project_id: str,
request: Request,
response: Response,
profile: schemas.Profile = Depends(deps.get_profile),
x_openstack_request_id: str = Header(
"",
alias=constants.INBOUND_HEADER,
regex=constants.INBOUND_HEADER_REGEX,
),
) -> schemas.Profile:
profile = deps.get_profile(request)
region = profile.region
try:
project_scope_token = get_project_scope_token(
keystone_token=profile.keystone_token,
region=profile.region,
region=region,
project_id=project_id,
)
profile = generate_profile(
new_profile = generate_profile(
keystone_token=project_scope_token,
region=profile.region,
uuid_value=profile.uuid,
region=region,
)
profile = _patch_profile(profile, x_openstack_request_id)
new_profile = _patch_profile(new_profile, x_openstack_request_id)
except Exception as e:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=str(e),
)
else:
response.set_cookie(CONF.default.session_name, profile.toJWTPayload())
response.set_cookie(constants.TIME_EXPIRED_KEY, str(profile.exp))
return profile
response.set_cookie(CONF.default.session_name, new_profile.toJWTPayload())
response.set_cookie(constants.TIME_EXPIRED_KEY, str(new_profile.exp))
return new_profile
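Review bot: The rewritten `generate_profile(...)` call in `switch_project` no longer appears to pass `uuid_value=profile.uuid`: the header `@@ -378,33 +379,33 @@` keeps 33 lines on each side, which only balances if that argument is a removed line. If so, the profile issued after a project switch presumably gets a newly generated identifier instead of inheriting the session's, and any logout or revocation check keyed on that uuid (not visible here) would no longer cover the pre-switch cookie. Keep `uuid_value=profile.uuid,` in the call, or say in the commit message that the change is intended, since the title calls this a refactor. Separately, both `response.set_cookie(...)` calls on the new side pass no attributes; consider `httponly=True, secure=True` for the `CONF.default.session_name` cookie if the console never reads it from script. The decorator and the start of `switch_project` are outside the hunk.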


@@ -196,7 +196,7 @@ def main(
endpoints = get_proxy_endpoints()
context = {
"skyline_console_static_path": static_path,
"endpoints": [i.dict() for i in endpoints.values()],
"endpoints": [i.model_dump() for i in endpoints.values()],
"api_prefix": constants.API_PREFIX,
}
if ssl_certfile:


@@ -16,6 +16,7 @@ from __future__ import annotations
import json
import sys
import traceback
import click
@@ -41,6 +42,7 @@ def main(output_file_path: str) -> None:
except Exception as e:
print(f"Generate swagger file failed: {str(e)}")
traceback.print_exc()
sys.exit(1)


@@ -198,9 +198,9 @@ list_rules = ("""
for r in rules:
print(
rule_format_str.format(
name=json.dumps(r.name),
check_str=json.dumps(r.check_str),
description=json.dumps(r.description),
name=r.name,
check_str=r.check_str,
description=r.description,
),
)
@@ -216,11 +216,11 @@ list_rules = ("""
for r in api_rules:
print(
apirule_format_str.format(
name=json.dumps(r.name),
check_str=json.dumps(r.check_str),
description=json.dumps(r.description),
scope_types=json.dumps(r.scope_types),
operations=json.dumps(r.operations),
name=r.name,
check_str=r.check_str,
description=r.description,
scope_types=r.scope_types,
operations=r.operations.model_dump(),
),
)
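Review bot: Dropping `json.dumps(...)` around `r.name`, `r.check_str` and `r.description` in both `print(...)` calls means the values are no longer quoted or escaped before being formatted into what looks like generated Python source. `rule_format_str` and `apirule_format_str` are outside the hunk, so confirm they apply `!r` (or an equivalent) to every field; with a plain `{description}` a rule text containing a quote or backslash would produce an invalid, or differently parsed, policy module. `operations=r.operations.model_dump()` likewise emits plain dicts, which relies on `APIRule` still accepting them. The enclosing block starts before the hunk.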


@@ -15,6 +15,8 @@
# flake8: noqa
# fmt: off
from skyline_apiserver.schemas.policy_manager import Operation
from . import base
list_rules = (
@@ -203,336 +205,336 @@ list_rules = (
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="Retrieve the ACL settings for a given secret.If no ACL is defined for that secret, then Default ACL is returned.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/acl"}],
operations=[Operation(method="GET", path="/v1/secrets/{secret-id}/acl")],
),
base.APIRule(
name="secret_acls:delete",
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="Delete the ACL settings for a given secret.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/secrets/{secret-id}/acl"}],
operations=[Operation(method="DELETE", path="/v1/secrets/{secret-id}/acl")],
),
base.APIRule(
name="secret_acls:put_patch",
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="Create new, replaces, or updates existing ACL for a given secret.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/secrets/{secret-id}/acl"}, {"method": "PATCH", "path": "/v1/secrets/{secret-id}/acl"}],
operations=[Operation(method="PUT", path="/v1/secrets/{secret-id}/acl"), Operation(method="PATCH", path="/v1/secrets/{secret-id}/acl")],
),
base.APIRule(
name="container_acls:get",
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
description="Retrieve the ACL settings for a given container.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container-id}/acl"}],
operations=[Operation(method="GET", path="/v1/containers/{container-id}/acl")],
),
base.APIRule(
name="container_acls:delete",
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
description="Delete ACL for a given container. No content is returned in the case of successful deletion.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/acl"}],
operations=[Operation(method="DELETE", path="/v1/containers/{container-id}/acl")],
),
base.APIRule(
name="container_acls:put_patch",
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
description="Create new or replaces existing ACL for a given container.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/containers/{container-id}/acl"}, {"method": "PATCH", "path": "/v1/containers/{container-id}/acl"}],
operations=[Operation(method="PUT", path="/v1/containers/{container-id}/acl"), Operation(method="PATCH", path="/v1/containers/{container-id}/acl")],
),
base.APIRule(
name="consumer:get",
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
description="DEPRECATED: show information for a specific consumer",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/containers/{container-id}/consumers/{consumer-id}"}],
operations=[Operation(method="GET", path="/v1/containers/{container-id}/consumers/{consumer-id}")],
),
base.APIRule(
name="container_consumers:get",
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
description="List a containers consumers.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/containers/{container-id}/consumers"}],
operations=[Operation(method="GET", path="/v1/containers/{container-id}/consumers")],
),
base.APIRule(
name="container_consumers:post",
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
description="Creates a consumer.",
scope_types=["project", "system"],
operations=[{"method": "POST", "path": "/v1/containers/{container-id}/consumers"}],
operations=[Operation(method="POST", path="/v1/containers/{container-id}/consumers")],
),
base.APIRule(
name="container_consumers:delete",
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
description="Deletes a consumer.",
scope_types=["project", "system"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/consumers"}],
operations=[Operation(method="DELETE", path="/v1/containers/{container-id}/consumers")],
),
base.APIRule(
name="secret_consumers:get",
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
description="List consumers for a secret.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/consumers"}],
operations=[Operation(method="GET", path="/v1/secrets/{secret-id}/consumers")],
),
base.APIRule(
name="secret_consumers:post",
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
description="Creates a consumer.",
scope_types=["project", "system"],
operations=[{"method": "POST", "path": "/v1/secrets/{secrets-id}/consumers"}],
operations=[Operation(method="POST", path="/v1/secrets/{secrets-id}/consumers")],
),
base.APIRule(
name="secret_consumers:delete",
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
description="Deletes a consumer.",
scope_types=["project", "system"],
operations=[{"method": "DELETE", "path": "/v1/secrets/{secrets-id}/consumers"}],
operations=[Operation(method="DELETE", path="/v1/secrets/{secrets-id}/consumers")],
),
base.APIRule(
name="containers:post",
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
description="Creates a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
operations=[Operation(method="POST", path="/v1/containers")],
),
base.APIRule(
name="containers:get",
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
description="Lists a projects containers.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers"}],
operations=[Operation(method="GET", path="/v1/containers")],
),
base.APIRule(
name="container:get",
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
description="Retrieves a single container.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container-id}"}],
operations=[Operation(method="GET", path="/v1/containers/{container-id}")],
),
base.APIRule(
name="container:delete",
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
description="Deletes a container.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{uuid}"}],
operations=[Operation(method="DELETE", path="/v1/containers/{uuid}")],
),
base.APIRule(
name="container_secret:post",
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
description="Add a secret to an existing container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container-id}/secrets"}],
operations=[Operation(method="POST", path="/v1/containers/{container-id}/secrets")],
),
base.APIRule(
name="container_secret:delete",
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
description="Remove a secret from a container.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/secrets/{secret-id}"}],
operations=[Operation(method="DELETE", path="/v1/containers/{container-id}/secrets/{secret-id}")],
),
base.APIRule(
name="orders:get",
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
description="Gets list of all orders associated with a project.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/orders"}],
operations=[Operation(method="GET", path="/v1/orders")],
),
base.APIRule(
name="orders:post",
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
description="Creates an order.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/orders"}],
operations=[Operation(method="POST", path="/v1/orders")],
),
base.APIRule(
name="orders:put",
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
description="Unsupported method for the orders API.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/orders"}],
operations=[Operation(method="PUT", path="/v1/orders")],
),
base.APIRule(
name="order:get",
check_str=("True:%(enforce_new_defaults)s and rule:order_project_member"),
description="Retrieves an orders metadata.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/orders/{order-id}"}],
operations=[Operation(method="GET", path="/v1/orders/{order-id}")],
),
base.APIRule(
name="order:delete",
check_str=("True:%(enforce_new_defaults)s and rule:order_project_member"),
description="Deletes an order.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/orders/{order-id}"}],
operations=[Operation(method="DELETE", path="/v1/orders/{order-id}")],
),
base.APIRule(
name="quotas:get",
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="List quotas for the project the user belongs to.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas"}],
operations=[Operation(method="GET", path="/v1/quotas")],
),
base.APIRule(
name="project_quotas:get",
check_str=("True:%(enforce_new_defaults)s and rule:system_reader"),
description="List quotas for the specified project.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/v1/project-quotas"}, {"method": "GET", "path": "/v1/project-quotas/{uuid}"}],
operations=[Operation(method="GET", path="/v1/project-quotas"), Operation(method="GET", path="/v1/project-quotas/{uuid}")],
),
base.APIRule(
name="project_quotas:put",
check_str=("True:%(enforce_new_defaults)s and rule:system_admin"),
description="Create or update the configured project quotas for the project with the specified UUID.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/v1/project-quotas/{uuid}"}],
operations=[Operation(method="PUT", path="/v1/project-quotas/{uuid}")],
),
base.APIRule(
name="project_quotas:delete",
check_str=("True:%(enforce_new_defaults)s and rule:system_admin"),
description="Delete the project quotas configuration for the project with the requested UUID.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/v1/quotas}"}],
operations=[Operation(method="DELETE", path="/v1/quotas}")],
),
base.APIRule(
name="secret_meta:get",
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
description="metadata/: Lists a secrets user-defined metadata. || metadata/{key}: Retrieves a secrets user-added metadata.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/metadata"}, {"method": "GET", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
operations=[Operation(method="GET", path="/v1/secrets/{secret-id}/metadata"), Operation(method="GET", path="/v1/secrets/{secret-id}/metadata/{meta-key}")],
),
base.APIRule(
name="secret_meta:post",
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="Adds a new key/value pair to the secrets user-defined metadata.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
operations=[Operation(method="POST", path="/v1/secrets/{secret-id}/metadata/{meta-key}")],
),
base.APIRule(
name="secret_meta:put",
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="metadata/: Sets the user-defined metadata for a secret || metadata/{key}: Updates an existing key/value pair in the secrets user-defined metadata.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/secrets/{secret-id}/metadata"}, {"method": "PUT", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
operations=[Operation(method="PUT", path="/v1/secrets/{secret-id}/metadata"), Operation(method="PUT", path="/v1/secrets/{secret-id}/metadata/{meta-key}")],
),
base.APIRule(
name="secret_meta:delete",
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="Delete secret user-defined metadata by key.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
operations=[Operation(method="DELETE", path="/v1/secrets/{secret-id}/metadata/{meta-key}")],
),
base.APIRule(
name="secret:decrypt",
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
description="Retrieve a secrets payload.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/secrets/{uuid}/payload"}],
operations=[Operation(method="GET", path="/v1/secrets/{uuid}/payload")],
),
base.APIRule(
name="secret:get",
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
description="Retrieves a secrets metadata.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}"}],
operations=[Operation(method="GET", path="/v1/secrets/{secret-id}")],
),
base.APIRule(
name="secret:put",
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="Add the payload to an existing metadata-only secret.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/secrets/{secret-id}"}],
operations=[Operation(method="PUT", path="/v1/secrets/{secret-id}")],
),
base.APIRule(
name="secret:delete",
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="Delete a secret by uuid.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/secrets/{secret-id}"}],
operations=[Operation(method="DELETE", path="/v1/secrets/{secret-id}")],
),
base.APIRule(
name="secrets:post",
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
description="Creates a Secret entity.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/secrets"}],
operations=[Operation(method="POST", path="/v1/secrets")],
),
base.APIRule(
name="secrets:get",
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
description="Lists a projects secrets.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/secrets"}],
operations=[Operation(method="GET", path="/v1/secrets")],
),
base.APIRule(
name="secretstores:get",
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="Get list of available secret store backends.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secret-stores"}],
operations=[Operation(method="GET", path="/v1/secret-stores")],
),
base.APIRule(
name="secretstores:get_global_default",
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="Get a reference to the secret store that is used as default secret store backend for the deployment.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secret-stores/global-default"}],
operations=[Operation(method="GET", path="/v1/secret-stores/global-default")],
),
base.APIRule(
name="secretstores:get_preferred",
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="Get a reference to the preferred secret store if assigned previously.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secret-stores/preferred"}],
operations=[Operation(method="GET", path="/v1/secret-stores/preferred")],
),
base.APIRule(
name="secretstore_preferred:post",
check_str=("True:%(enforce_new_defaults)s and role:admin"),
description="Set a secret store backend to be preferred store backend for their project.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/secret-stores/{ss-id}/preferred"}],
operations=[Operation(method="POST", path="/v1/secret-stores/{ss-id}/preferred")],
),
base.APIRule(
name="secretstore_preferred:delete",
check_str=("True:%(enforce_new_defaults)s and role:admin"),
description="Remove preferred secret store backend setting for their project.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/secret-stores/{ss-id}/preferred"}],
operations=[Operation(method="DELETE", path="/v1/secret-stores/{ss-id}/preferred")],
),
base.APIRule(
name="secretstore:get",
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="Get details of secret store by its ID.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secret-stores/{ss-id}"}],
operations=[Operation(method="GET", path="/v1/secret-stores/{ss-id}")],
),
base.APIRule(
name="transport_key:get",
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="Get a specific transport key.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/transport_keys/{key-id}}"}],
operations=[Operation(method="GET", path="/v1/transport_keys/{key-id}}")],
),
base.APIRule(
name="transport_key:delete",
check_str=("True:%(enforce_new_defaults)s and rule:system_admin"),
description="Delete a specific transport key.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/v1/transport_keys/{key-id}"}],
operations=[Operation(method="DELETE", path="/v1/transport_keys/{key-id}")],
),
base.APIRule(
name="transport_keys:get",
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="Get a list of all transport keys.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/transport_keys"}],
operations=[Operation(method="GET", path="/v1/transport_keys")],
),
base.APIRule(
name="transport_keys:post",
check_str=("True:%(enforce_new_defaults)s and rule:system_admin"),
description="Create a new transport key.",
scope_types=["system"],
operations=[{"method": "POST", "path": "/v1/transport_keys"}],
operations=[Operation(method="POST", path="/v1/transport_keys")],
),
)


@@ -14,10 +14,11 @@
from __future__ import annotations
from typing import List
from typing import Any, List, Optional, Sequence
from oslo_policy import _parser
from oslo_policy.policy import DocumentedRuleDefault, RuleDefault
from pydantic import BaseModel
from skyline_apiserver import schemas
@@ -68,7 +69,7 @@ class APIRule(Rule):
check_str: str,
description: str,
scope_types: List[str],
operations: List[schemas.Operation],
operations: Optional[Sequence[Any]] = None,
basic_check_str: str = "",
) -> None:
super().__init__(name, check_str, description, basic_check_str)
@@ -76,13 +77,16 @@ class APIRule(Rule):
schemas.ScopeTypesSchema.parse_obj(scope_types)
self.scope_types = scope_types
schemas.OperationsSchema.parse_obj(operations)
self.operations = operations
# for Pydantic 2.x, automatically convert Operation instances to dict
if operations and isinstance(operations[0], BaseModel):
operations = [op.model_dump() for op in operations]
self.operations: schemas.OperationsSchema = schemas.OperationsSchema.model_validate(
operations
)
def format_into_yaml(self) -> str:
op_list = [
f'# {operation.get("method"):8}{operation.get("path")}\n'
for operation in self.operations
f"# {operation.method:8}{operation.path}\n" for operation in self.operations.root
]
op = "".join(op_list)
scope = f"# Intended scope(s): {self.scope_types}\n"
@@ -92,6 +96,17 @@ class APIRule(Rule):
return text
def to_dict(self):
return {
"name": getattr(self, "name", None),
"description": getattr(self, "description", None),
"scope_types": getattr(self, "scope_types", None),
"operations": self.operations.model_dump() if hasattr(self, "operations") else None,
}
def __repr__(self):
return f"APIRule({self.to_dict()})"
@classmethod
def from_oslo(cls, rule: DocumentedRuleDefault):
description = rule.description or ""
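Review bot: In `APIRule.__init__` the new default `operations: Optional[Sequence[Any]] = None` is handed straight to `schemas.OperationsSchema.model_validate(operations)`, so omitting the argument most likely fails with a validation error instead of producing a rule with no operations (the schema is not visible here, so confirm). The `isinstance(operations[0], BaseModel)` test also looks only at the first element; `operations = [op.model_dump() if isinstance(op, BaseModel) else op for op in operations or []]` covers mixed input and the `None` default in one place. The context line `schemas.ScopeTypesSchema.parse_obj(scope_types)` still uses the pydantic 1 name, which 2.x deprecates; `model_validate` would match the call added below it. The class body starts outside the hunk.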


@@ -15,6 +15,8 @@
# flake8: noqa
# fmt: off
from skyline_apiserver.schemas.policy_manager import Operation
from . import base
list_rules = (
@@ -158,434 +160,434 @@ list_rules = (
check_str=("role:admin"),
description="Create blacklist.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/blacklists"}],
operations=[Operation(method="POST", path="/v2/blacklists")],
),
base.APIRule(
name="find_blacklists",
check_str=("role:admin"),
description="Find blacklists.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/blacklists"}],
operations=[Operation(method="GET", path="/v2/blacklists")],
),
base.APIRule(
name="get_blacklist",
check_str=("role:admin"),
description="Get blacklist.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/blacklists/{blacklist_id}"}],
operations=[Operation(method="GET", path="/v2/blacklists/{blacklist_id}")],
),
base.APIRule(
name="update_blacklist",
check_str=("role:admin"),
description="Update blacklist.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/blacklists/{blacklist_id}"}],
operations=[Operation(method="PATCH", path="/v2/blacklists/{blacklist_id}")],
),
base.APIRule(
name="delete_blacklist",
check_str=("role:admin"),
description="Delete blacklist.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/blacklists/{blacklist_id}"}],
operations=[Operation(method="DELETE", path="/v2/blacklists/{blacklist_id}")],
),
base.APIRule(
name="use_blacklisted_zone",
check_str=("role:admin"),
description="Allowed bypass the blacklist.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/zones"}],
operations=[Operation(method="POST", path="/v2/zones")],
),
base.APIRule(
name="find_pools",
check_str=("role:admin"),
description="Find pool.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/pools"}],
operations=[Operation(method="GET", path="/v2/pools")],
),
base.APIRule(
name="find_pool",
check_str=("role:admin"),
description="Find pools.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/pools"}],
operations=[Operation(method="GET", path="/v2/pools")],
),
base.APIRule(
name="get_pool",
check_str=("role:admin"),
description="Get pool.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/pools/{pool_id}"}],
operations=[Operation(method="GET", path="/v2/pools/{pool_id}")],
),
base.APIRule(
name="zone_create_forced_pool",
check_str=("role:admin"),
description="load and set the pool to the one provided in the Zone attributes.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/zones"}],
operations=[Operation(method="POST", path="/v2/zones")],
),
base.APIRule(
name="get_quotas",
check_str=("(role:admin) or (role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"),
description="View Current Project's Quotas.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/quotas"}],
operations=[Operation(method="GET", path="/v2/quotas")],
),
base.APIRule(
name="set_quota",
check_str=("role:admin"),
description="Set Quotas.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/quotas/{project_id}"}],
operations=[Operation(method="PATCH", path="/v2/quotas/{project_id}")],
),
base.APIRule(
name="reset_quotas",
check_str=("role:admin"),
description="Reset Quotas.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/quotas/{project_id}"}],
operations=[Operation(method="DELETE", path="/v2/quotas/{project_id}")],
),
base.APIRule(
name="find_records",
check_str=("(role:admin) or (role:reader and project_id:%(project_id)s)"),
description="Find records.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/reverse/floatingips/{region}:{floatingip_id}"}, {"method": "GET", "path": "/v2/reverse/floatingips"}],
operations=[Operation(method="GET", path="/v2/reverse/floatingips/{region}:{floatingip_id}"), Operation(method="GET", path="/v2/reverse/floatingips")],
),
base.APIRule(
name="create_recordset",
check_str=("(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('SECONDARY':%(zone_type)s) or (\"True\":%(zone_shared)s) and ('PRIMARY':%(zone_type)s)"),
description="Create Recordset",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/zones/{zone_id}/recordsets"}],
operations=[Operation(method="POST", path="/v2/zones/{zone_id}/recordsets")],
),
base.APIRule(
name="get_recordset",
check_str=("(role:admin) or (role:reader and project_id:%(project_id)s) or (\"True\":%(zone_shared)s)"),
description="Get recordset",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/{zone_id}/recordsets/{recordset_id}"}],
operations=[Operation(method="GET", path="/v2/zones/{zone_id}/recordsets/{recordset_id}")],
),
base.APIRule(
name="find_recordsets",
check_str=("(role:admin) or (role:reader and project_id:%(project_id)s)"),
description="List Recordsets in a Zone",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/{zone_id}/recordsets"}],
operations=[Operation(method="GET", path="/v2/zones/{zone_id}/recordsets")],
),
base.APIRule(
name="update_recordset",
check_str=("(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('SECONDARY':%(zone_type)s) or role:member and (project_id:%(recordset_project_id)s) and ('PRIMARY':%(zone_type)s)"),
description="Update recordset",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/zones/{zone_id}/recordsets/{recordset_id}"}],
operations=[Operation(method="PUT", path="/v2/zones/{zone_id}/recordsets/{recordset_id}")],
),
base.APIRule(
name="delete_recordset",
check_str=("(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('PRIMARY':%(zone_type)s) or (role:admin) and ('SECONDARY':%(zone_type)s) or role:member and (project_id:%(recordset_project_id)s) and ('PRIMARY':%(zone_type)s)"),
description="Delete RecordSet",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/zones/{zone_id}/recordsets/{recordset_id}"}],
operations=[Operation(method="DELETE", path="/v2/zones/{zone_id}/recordsets/{recordset_id}")],
),
base.APIRule(
name="find_service_status",
check_str=("role:admin"),
description="Find a single Service Status",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/service_status/{service_id}"}],
operations=[Operation(method="GET", path="/v2/service_status/{service_id}")],
),
base.APIRule(
name="find_service_statuses",
check_str=("role:admin"),
description="List service statuses.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/service_status"}],
operations=[Operation(method="GET", path="/v2/service_status")],
),
base.APIRule(
name="get_zone_share",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Get a Zone Share",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/{zone_id}/shares/{zone_share_id}"}],
operations=[Operation(method="GET", path="/v2/zones/{zone_id}/shares/{zone_share_id}")],
),
base.APIRule(
name="share_zone",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Share a Zone",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/zones/{zone_id}/shares"}],
operations=[Operation(method="POST", path="/v2/zones/{zone_id}/shares")],
),
base.APIRule(
name="find_zone_shares",
check_str=("@"),
description="List Shared Zones",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/{zone_id}/shares"}],
operations=[Operation(method="GET", path="/v2/zones/{zone_id}/shares")],
),
base.APIRule(
name="unshare_zone",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Unshare Zone",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/zones/{zone_id}/shares/{shared_zone_id}"}],
operations=[Operation(method="DELETE", path="/v2/zones/{zone_id}/shares/{shared_zone_id}")],
),
base.APIRule(
name="create_tld",
check_str=("role:admin"),
description="Create Tld",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/tlds"}],
operations=[Operation(method="POST", path="/v2/tlds")],
),
base.APIRule(
name="find_tlds",
check_str=("role:admin"),
description="List Tlds",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/tlds"}],
operations=[Operation(method="GET", path="/v2/tlds")],
),
base.APIRule(
name="get_tld",
check_str=("role:admin"),
description="Show Tld",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/tlds/{tld_id}"}],
operations=[Operation(method="GET", path="/v2/tlds/{tld_id}")],
),
base.APIRule(
name="update_tld",
check_str=("role:admin"),
description="Update Tld",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/tlds/{tld_id}"}],
operations=[Operation(method="PATCH", path="/v2/tlds/{tld_id}")],
),
base.APIRule(
name="delete_tld",
check_str=("role:admin"),
description="Delete Tld",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/tlds/{tld_id}"}],
operations=[Operation(method="DELETE", path="/v2/tlds/{tld_id}")],
),
base.APIRule(
name="create_tsigkey",
check_str=("role:admin"),
description="Create Tsigkey",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/tsigkeys"}],
operations=[Operation(method="POST", path="/v2/tsigkeys")],
),
base.APIRule(
name="find_tsigkeys",
check_str=("role:admin"),
description="List Tsigkeys",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/tsigkeys"}],
operations=[Operation(method="GET", path="/v2/tsigkeys")],
),
base.APIRule(
name="get_tsigkey",
check_str=("role:admin"),
description="Show a Tsigkey",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/tsigkeys/{tsigkey_id}"}],
operations=[Operation(method="GET", path="/v2/tsigkeys/{tsigkey_id}")],
),
base.APIRule(
name="update_tsigkey",
check_str=("role:admin"),
description="Update Tsigkey",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/tsigkeys/{tsigkey_id}"}],
operations=[Operation(method="PATCH", path="/v2/tsigkeys/{tsigkey_id}")],
),
base.APIRule(
name="delete_tsigkey",
check_str=("role:admin"),
description="Delete a Tsigkey",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/tsigkeys/{tsigkey_id}"}],
operations=[Operation(method="DELETE", path="/v2/tsigkeys/{tsigkey_id}")],
),
base.APIRule(
name="create_zone",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Create Zone",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/zones"}],
operations=[Operation(method="POST", path="/v2/zones")],
),
base.APIRule(
name="get_zone",
check_str=("(role:admin) or (role:reader and project_id:%(project_id)s) or (\"True\":%(zone_shared)s)"),
description="Get Zone",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/{zone_id}"}],
operations=[Operation(method="GET", path="/v2/zones/{zone_id}")],
),
base.APIRule(
name="get_zone_ns_records",
check_str=("(role:admin) or (role:reader and project_id:%(project_id)s)"),
description="Get the Name Servers for a Zone",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/{zone_id}/nameservers"}],
operations=[Operation(method="GET", path="/v2/zones/{zone_id}/nameservers")],
),
base.APIRule(
name="find_zones",
check_str=("(role:admin) or (role:reader and project_id:%(project_id)s)"),
description="List existing zones",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones"}],
operations=[Operation(method="GET", path="/v2/zones")],
),
base.APIRule(
name="update_zone",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Update Zone",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/zones/{zone_id}"}],
operations=[Operation(method="PATCH", path="/v2/zones/{zone_id}")],
),
base.APIRule(
name="delete_zone",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Delete Zone",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/zones/{zone_id}"}],
operations=[Operation(method="DELETE", path="/v2/zones/{zone_id}")],
),
base.APIRule(
name="xfr_zone",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Manually Trigger an Update of a Secondary Zone",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/zones/{zone_id}/tasks/xfr"}],
operations=[Operation(method="POST", path="/v2/zones/{zone_id}/tasks/xfr")],
),
base.APIRule(
name="abandon_zone",
check_str=("role:admin"),
description="Abandon Zone",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/zones/{zone_id}/tasks/abandon"}],
operations=[Operation(method="POST", path="/v2/zones/{zone_id}/tasks/abandon")],
),
base.APIRule(
name="zone_export",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Retrive a Zone Export from the Designate Datastore",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/tasks/exports/{zone_export_id}/export"}],
operations=[Operation(method="GET", path="/v2/zones/tasks/exports/{zone_export_id}/export")],
),
base.APIRule(
name="create_zone_export",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Create Zone Export",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/zones/{zone_id}/tasks/export"}],
operations=[Operation(method="POST", path="/v2/zones/{zone_id}/tasks/export")],
),
base.APIRule(
name="find_zone_exports",
check_str=("(role:admin) or (role:reader and project_id:%(project_id)s)"),
description="List Zone Exports",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/tasks/exports"}],
operations=[Operation(method="GET", path="/v2/zones/tasks/exports")],
),
base.APIRule(
name="get_zone_export",
check_str=("(role:admin) or (role:reader and project_id:%(project_id)s)"),
description="Get Zone Exports",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/tasks/exports/{zone_export_id}"}],
operations=[Operation(method="GET", path="/v2/zones/tasks/exports/{zone_export_id}")],
),
base.APIRule(
name="update_zone_export",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Update Zone Exports",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/zones/{zone_id}/tasks/export"}],
operations=[Operation(method="POST", path="/v2/zones/{zone_id}/tasks/export")],
),
base.APIRule(
name="delete_zone_export",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Delete a zone export",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/zones/tasks/exports/{zone_export_id}"}],
operations=[Operation(method="DELETE", path="/v2/zones/tasks/exports/{zone_export_id}")],
),
base.APIRule(
name="create_zone_import",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Create Zone Import",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/zones/tasks/imports"}],
operations=[Operation(method="POST", path="/v2/zones/tasks/imports")],
),
base.APIRule(
name="find_zone_imports",
check_str=("(role:admin) or (role:reader and project_id:%(project_id)s)"),
description="List all Zone Imports",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/tasks/imports"}],
operations=[Operation(method="GET", path="/v2/zones/tasks/imports")],
),
base.APIRule(
name="get_zone_import",
check_str=("(role:admin) or (role:reader and project_id:%(project_id)s)"),
description="Get Zone Imports",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/tasks/imports/{zone_import_id}"}],
operations=[Operation(method="GET", path="/v2/zones/tasks/imports/{zone_import_id}")],
),
base.APIRule(
name="update_zone_import",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Update Zone Imports",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/zones/tasks/imports"}],
operations=[Operation(method="POST", path="/v2/zones/tasks/imports")],
),
base.APIRule(
name="delete_zone_import",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Delete a Zone Import",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/zones/tasks/imports/{zone_import_id}"}],
operations=[Operation(method="DELETE", path="/v2/zones/tasks/imports/{zone_import_id}")],
),
base.APIRule(
name="create_zone_transfer_accept",
check_str=("((role:admin) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s"),
description="Create Zone Transfer Accept",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/zones/tasks/transfer_accepts"}],
operations=[Operation(method="POST", path="/v2/zones/tasks/transfer_accepts")],
),
base.APIRule(
name="get_zone_transfer_accept",
check_str=("(role:admin) or (role:reader and project_id:%(project_id)s)"),
description="Get Zone Transfer Accept",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}"}],
operations=[Operation(method="GET", path="/v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}")],
),
base.APIRule(
name="find_zone_transfer_accepts",
check_str=("role:admin"),
description="List Zone Transfer Accepts",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/tasks/transfer_accepts"}],
operations=[Operation(method="GET", path="/v2/zones/tasks/transfer_accepts")],
),
base.APIRule(
name="create_zone_transfer_request",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Create Zone Transfer Accept",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/zones/{zone_id}/tasks/transfer_requests"}],
operations=[Operation(method="POST", path="/v2/zones/{zone_id}/tasks/transfer_requests")],
),
base.APIRule(
name="get_zone_transfer_request",
check_str=("((role:admin) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s"),
description="Show a Zone Transfer Request",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}"}],
operations=[Operation(method="GET", path="/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}")],
),
base.APIRule(
name="find_zone_transfer_requests",
check_str=("@"),
description="List Zone Transfer Requests",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/zones/tasks/transfer_requests"}],
operations=[Operation(method="GET", path="/v2/zones/tasks/transfer_requests")],
),
base.APIRule(
name="update_zone_transfer_request",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Update a Zone Transfer Request",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}"}],
operations=[Operation(method="PATCH", path="/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}")],
),
base.APIRule(
name="delete_zone_transfer_request",
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
description="Delete a Zone Transfer Request",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}"}],
operations=[Operation(method="DELETE", path="/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}")],
),
)
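Review bot: Every `Operation(...)` built in this `list_rules` tuple is converted back to a dict and validated a second time, because the `APIRule.__init__` change earlier in this commit calls `op.model_dump()` on the whole list when `operations[0]` is a `BaseModel` and then runs `OperationsSchema.model_validate`. That guard inspects only the first element, so a multi-entry rule such as `find_records` would raise `AttributeError` at `op.model_dump()` if its first entry were an `Operation` and a later one a plain dict. Either keep the dict literals here, or normalise per element in the constructor with `operations = [op.model_dump() if isinstance(op, BaseModel) else op for op in operations]`. The `# flake8: noqa` / `# fmt: off` header suggests this file is generated; if so, the generator needs the same change or the next regeneration will likely bring the dict literals back.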


@@ -15,6 +15,8 @@
# flake8: noqa
# fmt: off
from skyline_apiserver.schemas.policy_manager import Operation
from . import base
list_rules = (
@@ -48,385 +50,385 @@ list_rules = (
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s and project_id:%(owner)s)"),
description="Create new image",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/images"}],
operations=[Operation(method="POST", path="/v2/images")],
),
base.APIRule(
name="delete_image",
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Deletes the image",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}"}],
operations=[Operation(method="DELETE", path="/v2/images/{image_id}")],
),
base.APIRule(
name="get_image",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
description="Get specified image",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}"}],
operations=[Operation(method="GET", path="/v2/images/{image_id}")],
),
base.APIRule(
name="get_images",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
description="Get all available images",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/images"}],
operations=[Operation(method="GET", path="/v2/images")],
),
base.APIRule(
name="modify_image",
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Updates given image",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
operations=[Operation(method="PATCH", path="/v2/images/{image_id}")],
),
base.APIRule(
name="publicize_image",
check_str=("role:admin"),
description="Publicize given image",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
operations=[Operation(method="PATCH", path="/v2/images/{image_id}")],
),
base.APIRule(
name="communitize_image",
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Communitize given image",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
operations=[Operation(method="PATCH", path="/v2/images/{image_id}")],
),
base.APIRule(
name="download_image",
check_str=("role:admin or ((role:member or role:_member_) and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
description="Downloads given image",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}/file"}],
operations=[Operation(method="GET", path="/v2/images/{image_id}/file")],
),
base.APIRule(
name="upload_image",
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Uploads data to specified image",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/file"}],
operations=[Operation(method="PUT", path="/v2/images/{image_id}/file")],
),
base.APIRule(
name="delete_image_location",
check_str=("role:admin"),
description="Deletes the location of given image",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
operations=[Operation(method="PATCH", path="/v2/images/{image_id}")],
),
base.APIRule(
name="get_image_location",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
description="Reads the location of the image",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}"}],
operations=[Operation(method="GET", path="/v2/images/{image_id}")],
),
base.APIRule(
name="set_image_location",
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Sets location URI to given image",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
operations=[Operation(method="PATCH", path="/v2/images/{image_id}")],
),
base.APIRule(
name="add_member",
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Create image member",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/members"}],
operations=[Operation(method="POST", path="/v2/images/{image_id}/members")],
),
base.APIRule(
name="delete_member",
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Delete image member",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}/members/{member_id}"}],
operations=[Operation(method="DELETE", path="/v2/images/{image_id}/members/{member_id}")],
),
base.APIRule(
name="get_member",
check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"),
description="Show image member details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}/members/{member_id}"}],
operations=[Operation(method="GET", path="/v2/images/{image_id}/members/{member_id}")],
),
base.APIRule(
name="get_members",
check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"),
description="List image members",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}/members"}],
operations=[Operation(method="GET", path="/v2/images/{image_id}/members")],
),
base.APIRule(
name="modify_member",
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(member_id)s)"),
description="Update image member",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/members/{member_id}"}],
operations=[Operation(method="PUT", path="/v2/images/{image_id}/members/{member_id}")],
),
base.APIRule(
name="deactivate",
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Deactivate image",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/deactivate"}],
operations=[Operation(method="POST", path="/v2/images/{image_id}/actions/deactivate")],
),
base.APIRule(
name="reactivate",
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Reactivate image",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/reactivate"}],
operations=[Operation(method="POST", path="/v2/images/{image_id}/actions/reactivate")],
),
base.APIRule(
name="copy_image",
check_str=("role:admin"),
description="Copy existing image to other stores",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/import"}],
operations=[Operation(method="POST", path="/v2/images/{image_id}/import")],
),
base.APIRule(
name="get_task",
check_str=("rule:default"),
description="Get an image task.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}],
operations=[Operation(method="GET", path="/v2/tasks/{task_id}")],
),
base.APIRule(
name="get_tasks",
check_str=("rule:default"),
description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/tasks"}],
operations=[Operation(method="GET", path="/v2/tasks")],
),
base.APIRule(
name="add_task",
check_str=("rule:default"),
description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/tasks"}],
operations=[Operation(method="POST", path="/v2/tasks")],
),
base.APIRule(
name="modify_task",
check_str=("rule:default"),
description="This policy is not used.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/tasks/{task_id}"}],
operations=[Operation(method="DELETE", path="/v2/tasks/{task_id}")],
),
base.APIRule(
name="tasks_api_access",
check_str=("role:admin"),
description="\n#This is a generic blanket policy for protecting all task APIs. It is not\n#granular and will not allow you to separate writable and readable task\n#operations into different roles.\n#",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}, {"method": "GET", "path": "/v2/tasks"}, {"method": "POST", "path": "/v2/tasks"}, {"method": "DELETE", "path": "/v2/tasks/{task_id}"}],
operations=[Operation(method="GET", path="/v2/tasks/{task_id}"), Operation(method="GET", path="/v2/tasks"), Operation(method="POST", path="/v2/tasks"), Operation(method="DELETE", path="/v2/tasks/{task_id}")],
),
base.APIRule(
name="get_metadef_namespace",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get a specific namespace.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
operations=[Operation(method="GET", path="/v2/metadefs/namespaces/{namespace_name}")],
),
base.APIRule(
name="get_metadef_namespaces",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
description="List namespace.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces"}],
operations=[Operation(method="GET", path="/v2/metadefs/namespaces")],
),
base.APIRule(
name="modify_metadef_namespace",
check_str=("rule:metadef_admin"),
description="Modify an existing namespace.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
operations=[Operation(method="PUT", path="/v2/metadefs/namespaces/{namespace_name}")],
),
base.APIRule(
name="add_metadef_namespace",
check_str=("rule:metadef_admin"),
description="Create a namespace.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces"}],
operations=[Operation(method="POST", path="/v2/metadefs/namespaces")],
),
base.APIRule(
name="delete_metadef_namespace",
check_str=("rule:metadef_admin"),
description="Delete a namespace.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
operations=[Operation(method="DELETE", path="/v2/metadefs/namespaces/{namespace_name}")],
),
base.APIRule(
name="get_metadef_object",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get a specific object from a namespace.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
operations=[Operation(method="GET", path="/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}")],
),
base.APIRule(
name="get_metadef_objects",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get objects from a namespace.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}],
operations=[Operation(method="GET", path="/v2/metadefs/namespaces/{namespace_name}/objects")],
),
base.APIRule(
name="modify_metadef_object",
check_str=("rule:metadef_admin"),
description="Update an object within a namespace.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
operations=[Operation(method="PUT", path="/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}")],
),
base.APIRule(
name="add_metadef_object",
check_str=("rule:metadef_admin"),
description="Create an object within a namespace.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}],
operations=[Operation(method="POST", path="/v2/metadefs/namespaces/{namespace_name}/objects")],
),
base.APIRule(
name="delete_metadef_object",
check_str=("rule:metadef_admin"),
description="Delete an object within a namespace.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
operations=[Operation(method="DELETE", path="/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}")],
),
base.APIRule(
name="list_metadef_resource_types",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="List meta definition resource types.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/resource_types"}],
operations=[Operation(method="GET", path="/v2/metadefs/resource_types")],
),
base.APIRule(
name="get_metadef_resource_type",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get meta definition resource types associations.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}],
operations=[Operation(method="GET", path="/v2/metadefs/namespaces/{namespace_name}/resource_types")],
),
base.APIRule(
name="add_metadef_resource_type_association",
check_str=("rule:metadef_admin"),
description="Create meta definition resource types association.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}],
operations=[Operation(method="POST", path="/v2/metadefs/namespaces/{namespace_name}/resource_types")],
),
base.APIRule(
name="remove_metadef_resource_type_association",
check_str=("rule:metadef_admin"),
description="Delete meta definition resource types association.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types/{name}"}],
operations=[Operation(method="POST", path="/v2/metadefs/namespaces/{namespace_name}/resource_types/{name}")],
),
base.APIRule(
name="get_metadef_property",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get a specific meta definition property.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
operations=[Operation(method="GET", path="/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}")],
),
base.APIRule(
name="get_metadef_properties",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="List meta definition properties.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}],
operations=[Operation(method="GET", path="/v2/metadefs/namespaces/{namespace_name}/properties")],
),
base.APIRule(
name="modify_metadef_property",
check_str=("rule:metadef_admin"),
description="Update meta definition property.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
operations=[Operation(method="GET", path="/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}")],
),
base.APIRule(
name="add_metadef_property",
check_str=("rule:metadef_admin"),
description="Create meta definition property.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}],
operations=[Operation(method="POST", path="/v2/metadefs/namespaces/{namespace_name}/properties")],
),
base.APIRule(
name="remove_metadef_property",
check_str=("rule:metadef_admin"),
description="Delete meta definition property.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
operations=[Operation(method="DELETE", path="/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}")],
),
base.APIRule(
name="get_metadef_tag",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get tag definition.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
operations=[Operation(method="GET", path="/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}")],
),
base.APIRule(
name="get_metadef_tags",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="List tag definitions.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
operations=[Operation(method="GET", path="/v2/metadefs/namespaces/{namespace_name}/tags")],
),
base.APIRule(
name="modify_metadef_tag",
check_str=("rule:metadef_admin"),
description="Update tag definition.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
operations=[Operation(method="PUT", path="/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}")],
),
base.APIRule(
name="add_metadef_tag",
check_str=("rule:metadef_admin"),
description="Add tag definition.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
operations=[Operation(method="POST", path="/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}")],
),
base.APIRule(
name="add_metadef_tags",
check_str=("rule:metadef_admin"),
description="Create tag definitions.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
operations=[Operation(method="POST", path="/v2/metadefs/namespaces/{namespace_name}/tags")],
),
base.APIRule(
name="delete_metadef_tag",
check_str=("rule:metadef_admin"),
description="Delete tag definition.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
operations=[Operation(method="DELETE", path="/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}")],
),
base.APIRule(
name="delete_metadef_tags",
check_str=("rule:metadef_admin"),
description="Delete tag definitions.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
operations=[Operation(method="DELETE", path="/v2/metadefs/namespaces/{namespace_name}/tags")],
),
base.APIRule(
name="cache_image",
check_str=("role:admin"),
description="Queue image for caching",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/cache/{image_id}"}],
operations=[Operation(method="PUT", path="/v2/cache/{image_id}")],
),
base.APIRule(
name="cache_list",
check_str=("role:admin"),
description="List cache status",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/cache"}],
operations=[Operation(method="GET", path="/v2/cache")],
),
base.APIRule(
name="cache_delete",
check_str=("role:admin"),
description="Delete image(s) from cache and/or queue",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/cache"}, {"method": "DELETE", "path": "/v2/cache/{image_id}"}],
operations=[Operation(method="DELETE", path="/v2/cache"), Operation(method="DELETE", path="/v2/cache/{image_id}")],
),
base.APIRule(
name="stores_info_detail",
check_str=("role:admin"),
description="Expose store specific information",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/info/stores/detail"}],
operations=[Operation(method="GET", path="/v2/info/stores/detail")],
),
)


@@ -15,6 +15,8 @@
# flake8: noqa
# fmt: off
from skyline_apiserver.schemas.policy_manager import Operation
from . import base
list_rules = (
@@ -228,399 +230,399 @@ list_rules = (
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Performs non-lifecycle operations on the stack (Snapshot, Resume, Cancel update, or check stack resources). This is the default for all actions but can be overridden by more specific policies for individual actions.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions")],
),
base.APIRule(
name="actions:snapshot",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Create stack snapshot",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions")],
),
base.APIRule(
name="actions:suspend",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Suspend a stack.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions")],
),
base.APIRule(
name="actions:resume",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Resume a suspended stack.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions")],
),
base.APIRule(
name="actions:check",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Check stack resources.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions")],
),
base.APIRule(
name="actions:cancel_update",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Cancel stack operation and roll back.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions")],
),
base.APIRule(
name="actions:cancel_without_rollback",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Cancel stack operation without rolling back.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions")],
),
base.APIRule(
name="build_info:build_info",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show build information.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/build_info"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/build_info")],
),
base.APIRule(
name="events:index",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List events.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events")],
),
base.APIRule(
name="events:show",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show event.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}")],
),
base.APIRule(
name="resource:index",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List resources.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources")],
),
base.APIRule(
name="resource:metadata",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
description="Show resource metadata.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata")],
),
base.APIRule(
name="resource:signal",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
description="Signal resource.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal")],
),
base.APIRule(
name="resource:mark_unhealthy",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Mark resource as unhealthy.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}"}],
operations=[Operation(method="PATCH", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}")],
),
base.APIRule(
name="resource:show",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show resource.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}")],
),
base.APIRule(
name="software_configs:global_index",
check_str=("role:reader and system_scope:all"),
description="List configs globally.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/software_configs")],
),
base.APIRule(
name="software_configs:index",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List configs.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/software_configs")],
),
base.APIRule(
name="software_configs:create",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Create config.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_configs"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/software_configs")],
),
base.APIRule(
name="software_configs:show",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show config details.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs/{config_id}"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/software_configs/{config_id}")],
),
base.APIRule(
name="software_configs:delete",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Delete config.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_configs/{config_id}"}],
operations=[Operation(method="DELETE", path="/v1/{tenant_id}/software_configs/{config_id}")],
),
base.APIRule(
name="software_deployments:index",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List deployments.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/software_deployments")],
),
base.APIRule(
name="software_deployments:create",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Create deployment.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_deployments"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/software_deployments")],
),
base.APIRule(
name="software_deployments:show",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show deployment details.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/software_deployments/{deployment_id}")],
),
base.APIRule(
name="software_deployments:update",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Update deployment.",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
operations=[Operation(method="PUT", path="/v1/{tenant_id}/software_deployments/{deployment_id}")],
),
base.APIRule(
name="software_deployments:delete",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Delete deployment.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
operations=[Operation(method="DELETE", path="/v1/{tenant_id}/software_deployments/{deployment_id}")],
),
base.APIRule(
name="software_deployments:metadata",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
description="Show server configuration metadata.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments/metadata/{server_id}"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/software_deployments/metadata/{server_id}")],
),
base.APIRule(
name="stacks:abandon",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Abandon stack.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon"}],
operations=[Operation(method="DELETE", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon")],
),
base.APIRule(
name="stacks:create",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Create stack.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/stacks")],
),
base.APIRule(
name="stacks:delete",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Delete stack.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
operations=[Operation(method="DELETE", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}")],
),
base.APIRule(
name="stacks:detail",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List stacks in detail.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks")],
),
base.APIRule(
name="stacks:export",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Export stack.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export")],
),
base.APIRule(
name="stacks:generate_template",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Generate stack template.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template")],
),
base.APIRule(
name="stacks:global_index",
check_str=("role:reader and system_scope:all"),
description="List stacks globally.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks")],
),
base.APIRule(
name="stacks:index",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List stacks.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks")],
),
base.APIRule(
name="stacks:list_resource_types",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List resource types.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/resource_types"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/resource_types")],
),
base.APIRule(
name="stacks:list_template_versions",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List template versions.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/template_versions"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/template_versions")],
),
base.APIRule(
name="stacks:list_template_functions",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List template functions.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/template_versions/{template_version}/functions"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/template_versions/{template_version}/functions")],
),
base.APIRule(
name="stacks:lookup",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
description="Find stack.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_identity}")],
),
base.APIRule(
name="stacks:preview",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Preview stack.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/preview"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/stacks/preview")],
),
base.APIRule(
name="stacks:resource_schema",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show resource type schema.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/resource_types/{type_name}"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/resource_types/{type_name}")],
),
base.APIRule(
name="stacks:show",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show stack.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_identity}")],
),
base.APIRule(
name="stacks:template",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Get stack template.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template")],
),
base.APIRule(
name="stacks:environment",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Get stack environment.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment")],
),
base.APIRule(
name="stacks:files",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Get stack files.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files")],
),
base.APIRule(
name="stacks:update",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Update stack.",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
operations=[Operation(method="PUT", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}")],
),
base.APIRule(
name="stacks:update_patch",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Update stack (PATCH).",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
operations=[Operation(method="PATCH", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}")],
),
base.APIRule(
name="stacks:update_no_change",
check_str=("rule:stacks:update_patch"),
description="Update stack (PATCH) with no changes.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
operations=[Operation(method="PATCH", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}")],
),
base.APIRule(
name="stacks:preview_update",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Preview update stack.",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}],
operations=[Operation(method="PUT", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview")],
),
base.APIRule(
name="stacks:preview_update_patch",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Preview update stack (PATCH).",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}],
operations=[Operation(method="PATCH", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview")],
),
base.APIRule(
name="stacks:validate_template",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Validate template.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/validate"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/validate")],
),
base.APIRule(
name="stacks:snapshot",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Snapshot Stack.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots")],
),
base.APIRule(
name="stacks:show_snapshot",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show snapshot.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}")],
),
base.APIRule(
name="stacks:delete_snapshot",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Delete snapshot.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}"}],
operations=[Operation(method="DELETE", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}")],
),
base.APIRule(
name="stacks:list_snapshots",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List snapshots.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots")],
),
base.APIRule(
name="stacks:restore_snapshot",
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
description="Restore snapshot.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore"}],
operations=[Operation(method="POST", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore")],
),
base.APIRule(
name="stacks:list_outputs",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List outputs.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs")],
),
base.APIRule(
name="stacks:show_output",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show outputs.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}"}],
operations=[Operation(method="GET", path="/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}")],
),
)
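Review bot: The `software_configs:create` rule in this section pairs a POST operation with a reader-only `check_str`, while the neighbouring `software_configs:delete` and `software_deployments:create` rules require admin or member; the commit converts the `operations` entry to `Operation(...)` but carries the check string over unchanged. If Skyline evaluates these strings to decide which actions a user is offered, a reader would be presented with a write action here, so the string should be compared with the policy of the Heat release in use and, if that confirms member, changed to `check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),`. `resource:signal` carries the same reader-level string on a POST and deserves the same check, though its `heat_stack_user` clause suggests it may be intended. The `list_rules` tuple opens before the second hunk, so the rules above line 228 of the file are not visible here.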


@@ -15,6 +15,8 @@
# flake8: noqa
# fmt: off
from skyline_apiserver.schemas.policy_manager import Operation
from . import base
list_rules = (
@@ -73,672 +75,672 @@ list_rules = (
check_str=("role:admin and system_scope:all"),
description="Create Node records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/nodes"}],
operations=[Operation(method="POST", path="/nodes")],
),
base.APIRule(
name="baremetal:node:create:self_owned_node",
check_str=("role:admin"),
description="Create node records which will be tracked as owned by the associated user project.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/nodes"}],
operations=[Operation(method="POST", path="/nodes")],
),
base.APIRule(
name="baremetal:node:list",
check_str=("role:reader"),
description="Retrieve multiple Node records, filtered by an explicit owner or the client project_id",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes"}, {"method": "GET", "path": "/nodes/detail"}],
operations=[Operation(method="GET", path="/nodes"), Operation(method="GET", path="/nodes/detail")],
),
base.APIRule(
name="baremetal:node:list_all",
check_str=("role:reader and system_scope:all"),
description="Retrieve multiple Node records",
scope_types=["system"],
operations=[{"method": "GET", "path": "/nodes"}, {"method": "GET", "path": "/nodes/detail"}],
operations=[Operation(method="GET", path="/nodes"), Operation(method="GET", path="/nodes/detail")],
),
base.APIRule(
name="baremetal:node:get",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Retrieve a single Node record",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:get:filter_threshold",
check_str=("role:reader and system_scope:all"),
description="Filter to allow operators to govern the threshold where information should be filtered. Non-authorized users will be subjected to additional API policy checks for API content response bodies.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:get:last_error",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Governs if the node last_error field is masked from API clients with insufficient privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:get:reservation",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Governs if the node reservation field is masked from API clients with insufficient privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:get:driver_internal_info",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Governs if the node driver_internal_info field is masked from API clients with insufficient privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:get:driver_info",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Governs if the driver_info field is masked from API clients with insufficient privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update:driver_info",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
description="Governs if node driver_info field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update:properties",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
description="Governs if node properties field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update:chassis_uuid",
check_str=("role:admin and system_scope:all"),
description="Governs if node chassis_uuid field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update:instance_uuid",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
description="Governs if node instance_uuid field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update:lessee",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
description="Governs if node lessee field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update:owner",
check_str=("(role:member or role:_member_) and system_scope:all"),
description="Governs if node owner field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update:driver_interfaces",
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Governs if node driver and driver interfaces field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update:network_data",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
description="Governs if node driver_info field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update:conductor_group",
check_str=("(role:member or role:_member_) and system_scope:all"),
description="Governs if node conductor_group field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update:name",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
description="Governs if node name field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update:retired",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
description="Governs if node retired and retired reason can be updated by API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Generalized update of node records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update_extra",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Update Node extra field",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update_instance_info",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Update Node instance_info field",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:update_owner_provisioned",
check_str=("role:admin and system_scope:all"),
description="Update Node owner even when Node is provisioned",
scope_types=["system"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:delete",
check_str=("role:admin and system_scope:all"),
description="Delete Node records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="DELETE", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:delete:self_owned_node",
check_str=("role:admin and project_id:%(node.owner)s"),
description="Delete node records which are associated with the requesting project.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="DELETE", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:validate",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Request active validation of Nodes",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/validate"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}/validate")],
),
base.APIRule(
name="baremetal:node:set_maintenance",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Set maintenance flag, taking a Node out of service",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/maintenance"}],
operations=[Operation(method="PUT", path="/nodes/{node_ident}/maintenance")],
),
base.APIRule(
name="baremetal:node:clear_maintenance",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Clear maintenance flag, placing the Node into service again",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/maintenance"}],
operations=[Operation(method="DELETE", path="/nodes/{node_ident}/maintenance")],
),
base.APIRule(
name="baremetal:node:get_boot_device",
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Retrieve Node boot device metadata",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"}, {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}/management/boot_device"), Operation(method="GET", path="/nodes/{node_ident}/management/boot_device/supported")],
),
base.APIRule(
name="baremetal:node:set_boot_device",
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Change Node boot device",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/boot_device"}],
operations=[Operation(method="PUT", path="/nodes/{node_ident}/management/boot_device")],
),
base.APIRule(
name="baremetal:node:get_indicator_state",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Retrieve Node indicators and their states",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}"}, {"method": "GET", "path": "/nodes/{node_ident}/management/indicators"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}/management/indicators/{component}/{indicator}"), Operation(method="GET", path="/nodes/{node_ident}/management/indicators")],
),
base.APIRule(
name="baremetal:node:set_indicator_state",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
description="Change Node indicator state",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}"}],
operations=[Operation(method="PUT", path="/nodes/{node_ident}/management/indicators/{component}/{indicator}")],
),
base.APIRule(
name="baremetal:node:inject_nmi",
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Inject NMI for a node",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/inject_nmi"}],
operations=[Operation(method="PUT", path="/nodes/{node_ident}/management/inject_nmi")],
),
base.APIRule(
name="baremetal:node:get_states",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="View Node power and provision state",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/states"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}/states")],
),
base.APIRule(
name="baremetal:node:set_power_state",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Change Node power status",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/power"}],
operations=[Operation(method="PUT", path="/nodes/{node_ident}/states/power")],
),
base.APIRule(
name="baremetal:node:set_boot_mode",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Change Node boot mode",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/boot_mode"}],
operations=[Operation(method="PUT", path="/nodes/{node_ident}/states/boot_mode")],
),
base.APIRule(
name="baremetal:node:set_secure_boot",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Change Node secure boot state",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/secure_boot"}],
operations=[Operation(method="PUT", path="/nodes/{node_ident}/states/secure_boot")],
),
base.APIRule(
name="baremetal:node:set_provision_state",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Change Node provision status",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/provision"}],
operations=[Operation(method="PUT", path="/nodes/{node_ident}/states/provision")],
),
base.APIRule(
name="baremetal:node:set_raid_state",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
description="Change Node RAID status",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/raid"}],
operations=[Operation(method="PUT", path="/nodes/{node_ident}/states/raid")],
),
base.APIRule(
name="baremetal:node:get_console",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
description="Get Node console connection information",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/states/console"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}/states/console")],
),
base.APIRule(
name="baremetal:node:set_console_state",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
description="Change Node console status",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/console"}],
operations=[Operation(method="PUT", path="/nodes/{node_ident}/states/console")],
),
base.APIRule(
name="baremetal:node:vif:list",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="List VIFs attached to node",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/vifs"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}/vifs")],
),
base.APIRule(
name="baremetal:node:vif:attach",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Attach a VIF to a node",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/nodes/{node_ident}/vifs"}],
operations=[Operation(method="POST", path="/nodes/{node_ident}/vifs")],
),
base.APIRule(
name="baremetal:node:vif:detach",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Detach a VIF from a node",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/vifs/{node_vif_ident}"}],
operations=[Operation(method="DELETE", path="/nodes/{node_ident}/vifs/{node_vif_ident}")],
),
base.APIRule(
name="baremetal:node:traits:list",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="List node traits",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/traits"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}/traits")],
),
base.APIRule(
name="baremetal:node:traits:set",
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Add a trait to, or replace all traits of, a node",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/traits"}, {"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"}],
operations=[Operation(method="PUT", path="/nodes/{node_ident}/traits"), Operation(method="PUT", path="/nodes/{node_ident}/traits/{trait}")],
),
base.APIRule(
name="baremetal:node:traits:delete",
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Remove one or all traits from a node",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/traits"}, {"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"}],
operations=[Operation(method="DELETE", path="/nodes/{node_ident}/traits"), Operation(method="DELETE", path="/nodes/{node_ident}/traits/{trait}")],
),
base.APIRule(
name="baremetal:node:bios:get",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Retrieve Node BIOS information",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/bios"}, {"method": "GET", "path": "/nodes/{node_ident}/bios/{setting}"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}/bios"), Operation(method="GET", path="/nodes/{node_ident}/bios/{setting}")],
),
base.APIRule(
name="baremetal:node:disable_cleaning",
check_str=("role:admin and system_scope:all"),
description="Disable Node disk cleaning",
scope_types=["system"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
operations=[Operation(method="PATCH", path="/nodes/{node_ident}")],
),
base.APIRule(
name="baremetal:node:history:get",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Filter to allow operators to retreive history records for a node.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/history"}, {"method": "GET", "path": "/nodes/{node_ident}/history/{event_ident}"}],
operations=[Operation(method="GET", path="/nodes/{node_ident}/history"), Operation(method="GET", path="/nodes/{node_ident}/history/{event_ident}")],
),
base.APIRule(
name="baremetal:port:get",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Retrieve Port records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/ports/{port_id}"}, {"method": "GET", "path": "/nodes/{node_ident}/ports"}, {"method": "GET", "path": "/nodes/{node_ident}/ports/detail"}, {"method": "GET", "path": "/portgroups/{portgroup_ident}/ports"}, {"method": "GET", "path": "/portgroups/{portgroup_ident}/ports/detail"}],
operations=[Operation(method="GET", path="/ports/{port_id}"), Operation(method="GET", path="/nodes/{node_ident}/ports"), Operation(method="GET", path="/nodes/{node_ident}/ports/detail"), Operation(method="GET", path="/portgroups/{portgroup_ident}/ports"), Operation(method="GET", path="/portgroups/{portgroup_ident}/ports/detail")],
),
base.APIRule(
name="baremetal:port:list",
check_str=("role:reader"),
description="Retrieve multiple Port records, filtered by owner",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": "/ports/detail"}],
operations=[Operation(method="GET", path="/ports"), Operation(method="GET", path="/ports/detail")],
),
base.APIRule(
name="baremetal:port:list_all",
check_str=("role:reader and system_scope:all"),
description="Retrieve multiple Port records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": "/ports/detail"}],
operations=[Operation(method="GET", path="/ports"), Operation(method="GET", path="/ports/detail")],
),
base.APIRule(
name="baremetal:port:create",
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Create Port records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/ports"}],
operations=[Operation(method="POST", path="/ports")],
),
base.APIRule(
name="baremetal:port:delete",
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Delete Port records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/ports/{port_id}"}],
operations=[Operation(method="DELETE", path="/ports/{port_id}")],
),
base.APIRule(
name="baremetal:port:update",
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Update Port records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/ports/{port_id}"}],
operations=[Operation(method="PATCH", path="/ports/{port_id}")],
),
base.APIRule(
name="baremetal:portgroup:get",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Retrieve Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/portgroups"}, {"method": "GET", "path": "/portgroups/detail"}, {"method": "GET", "path": "/portgroups/{portgroup_ident}"}, {"method": "GET", "path": "/nodes/{node_ident}/portgroups"}, {"method": "GET", "path": "/nodes/{node_ident}/portgroups/detail"}],
operations=[Operation(method="GET", path="/portgroups"), Operation(method="GET", path="/portgroups/detail"), Operation(method="GET", path="/portgroups/{portgroup_ident}"), Operation(method="GET", path="/nodes/{node_ident}/portgroups"), Operation(method="GET", path="/nodes/{node_ident}/portgroups/detail")],
),
base.APIRule(
name="baremetal:portgroup:create",
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Create Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/portgroups"}],
operations=[Operation(method="POST", path="/portgroups")],
),
base.APIRule(
name="baremetal:portgroup:delete",
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Delete Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/portgroups/{portgroup_ident}"}],
operations=[Operation(method="DELETE", path="/portgroups/{portgroup_ident}")],
),
base.APIRule(
name="baremetal:portgroup:update",
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Update Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/portgroups/{portgroup_ident}"}],
operations=[Operation(method="PATCH", path="/portgroups/{portgroup_ident}")],
),
base.APIRule(
name="baremetal:portgroup:list",
check_str=("role:reader"),
description="Retrieve multiple Port records, filtered by owner",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/portgroups"}, {"method": "GET", "path": "/portgroups/detail"}],
operations=[Operation(method="GET", path="/portgroups"), Operation(method="GET", path="/portgroups/detail")],
),
base.APIRule(
name="baremetal:portgroup:list_all",
check_str=("role:reader and system_scope:all"),
description="Retrieve multiple Port records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/portgroups"}, {"method": "GET", "path": "/portgroups/detail"}],
operations=[Operation(method="GET", path="/portgroups"), Operation(method="GET", path="/portgroups/detail")],
),
base.APIRule(
name="baremetal:chassis:get",
check_str=("role:reader and system_scope:all"),
description="Retrieve Chassis records",
scope_types=["system"],
operations=[{"method": "GET", "path": "/chassis"}, {"method": "GET", "path": "/chassis/detail"}, {"method": "GET", "path": "/chassis/{chassis_id}"}],
operations=[Operation(method="GET", path="/chassis"), Operation(method="GET", path="/chassis/detail"), Operation(method="GET", path="/chassis/{chassis_id}")],
),
base.APIRule(
name="baremetal:chassis:create",
check_str=("role:admin and system_scope:all"),
description="Create Chassis records",
scope_types=["system"],
operations=[{"method": "POST", "path": "/chassis"}],
operations=[Operation(method="POST", path="/chassis")],
),
base.APIRule(
name="baremetal:chassis:delete",
check_str=("role:admin and system_scope:all"),
description="Delete Chassis records",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/chassis/{chassis_id}"}],
operations=[Operation(method="DELETE", path="/chassis/{chassis_id}")],
),
base.APIRule(
name="baremetal:chassis:update",
check_str=("(role:member or role:_member_) and system_scope:all"),
description="Update Chassis records",
scope_types=["system"],
operations=[{"method": "PATCH", "path": "/chassis/{chassis_id}"}],
operations=[Operation(method="PATCH", path="/chassis/{chassis_id}")],
),
base.APIRule(
name="baremetal:driver:get",
check_str=("role:reader and system_scope:all"),
description="View list of available drivers",
scope_types=["system"],
operations=[{"method": "GET", "path": "/drivers"}, {"method": "GET", "path": "/drivers/{driver_name}"}],
operations=[Operation(method="GET", path="/drivers"), Operation(method="GET", path="/drivers/{driver_name}")],
),
base.APIRule(
name="baremetal:driver:get_properties",
check_str=("role:reader and system_scope:all"),
description="View driver-specific properties",
scope_types=["system"],
operations=[{"method": "GET", "path": "/drivers/{driver_name}/properties"}],
operations=[Operation(method="GET", path="/drivers/{driver_name}/properties")],
),
base.APIRule(
name="baremetal:driver:get_raid_logical_disk_properties",
check_str=("role:reader and system_scope:all"),
description="View driver-specific RAID metadata",
scope_types=["system"],
operations=[{"method": "GET", "path": "/drivers/{driver_name}/raid/logical_disk_properties"}],
operations=[Operation(method="GET", path="/drivers/{driver_name}/raid/logical_disk_properties")],
),
base.APIRule(
name="baremetal:node:vendor_passthru",
check_str=("role:admin and system_scope:all"),
description="Access vendor-specific Node functions",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "nodes/{node_ident}/vendor_passthru/methods"}, {"method": "GET", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "PUT", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "POST", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "PATCH", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "DELETE", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}],
operations=[Operation(method="GET", path="nodes/{node_ident}/vendor_passthru/methods"), Operation(method="GET", path="nodes/{node_ident}/vendor_passthru?method={method_name}"), Operation(method="PUT", path="nodes/{node_ident}/vendor_passthru?method={method_name}"), Operation(method="POST", path="nodes/{node_ident}/vendor_passthru?method={method_name}"), Operation(method="PATCH", path="nodes/{node_ident}/vendor_passthru?method={method_name}"), Operation(method="DELETE", path="nodes/{node_ident}/vendor_passthru?method={method_name}")],
),
base.APIRule(
name="baremetal:driver:vendor_passthru",
check_str=("role:admin and system_scope:all"),
description="Access vendor-specific Driver functions",
scope_types=["system"],
operations=[{"method": "GET", "path": "drivers/{driver_name}/vendor_passthru/methods"}, {"method": "GET", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "PUT", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "POST", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "PATCH", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "DELETE", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}],
operations=[Operation(method="GET", path="drivers/{driver_name}/vendor_passthru/methods"), Operation(method="GET", path="drivers/{driver_name}/vendor_passthru?method={method_name}"), Operation(method="PUT", path="drivers/{driver_name}/vendor_passthru?method={method_name}"), Operation(method="POST", path="drivers/{driver_name}/vendor_passthru?method={method_name}"), Operation(method="PATCH", path="drivers/{driver_name}/vendor_passthru?method={method_name}"), Operation(method="DELETE", path="drivers/{driver_name}/vendor_passthru?method={method_name}")],
),
base.APIRule(
name="baremetal:node:ipa_heartbeat",
check_str=(""),
description="Receive heartbeats from IPA ramdisk",
scope_types=["project"],
operations=[{"method": "POST", "path": "/heartbeat/{node_ident}"}],
operations=[Operation(method="POST", path="/heartbeat/{node_ident}")],
),
base.APIRule(
name="baremetal:driver:ipa_lookup",
check_str=(""),
description="Access IPA ramdisk functions",
scope_types=["project"],
operations=[{"method": "GET", "path": "/lookup"}],
operations=[Operation(method="GET", path="/lookup")],
),
base.APIRule(
name="baremetal:volume:list_all",
check_str=("role:reader and system_scope:all"),
description="Retrieve a list of all Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/volume/connectors"}, {"method": "GET", "path": "/volume/targets"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}],
operations=[Operation(method="GET", path="/volume/connectors"), Operation(method="GET", path="/volume/targets"), Operation(method="GET", path="/nodes/{node_ident}/volume/connectors"), Operation(method="GET", path="/nodes/{node_ident}/volume/targets")],
),
base.APIRule(
name="baremetal:volume:list",
check_str=("role:reader"),
description="Retrieve a list of Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/volume/connectors"}, {"method": "GET", "path": "/volume/targets"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}],
operations=[Operation(method="GET", path="/volume/connectors"), Operation(method="GET", path="/volume/targets"), Operation(method="GET", path="/nodes/{node_ident}/volume/connectors"), Operation(method="GET", path="/nodes/{node_ident}/volume/targets")],
),
base.APIRule(
name="baremetal:volume:get",
check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
description="Retrieve Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/volume"}, {"method": "GET", "path": "/volume/connectors"}, {"method": "GET", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "GET", "path": "/volume/targets"}, {"method": "GET", "path": "/volume/targets/{volume_target_id}"}, {"method": "GET", "path": "/nodes/{node_ident}/volume"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}],
operations=[Operation(method="GET", path="/volume"), Operation(method="GET", path="/volume/connectors"), Operation(method="GET", path="/volume/connectors/{volume_connector_id}"), Operation(method="GET", path="/volume/targets"), Operation(method="GET", path="/volume/targets/{volume_target_id}"), Operation(method="GET", path="/nodes/{node_ident}/volume"), Operation(method="GET", path="/nodes/{node_ident}/volume/connectors"), Operation(method="GET", path="/nodes/{node_ident}/volume/targets")],
),
base.APIRule(
name="baremetal:volume:create",
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Create Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/volume/connectors"}, {"method": "POST", "path": "/volume/targets"}],
operations=[Operation(method="POST", path="/volume/connectors"), Operation(method="POST", path="/volume/targets")],
),
base.APIRule(
name="baremetal:volume:delete",
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Delete Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "DELETE", "path": "/volume/targets/{volume_target_id}"}],
operations=[Operation(method="DELETE", path="/volume/connectors/{volume_connector_id}"), Operation(method="DELETE", path="/volume/targets/{volume_target_id}")],
),
base.APIRule(
name="baremetal:volume:update",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Update Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "PATCH", "path": "/volume/targets/{volume_target_id}"}],
operations=[Operation(method="PATCH", path="/volume/connectors/{volume_connector_id}"), Operation(method="PATCH", path="/volume/targets/{volume_target_id}")],
),
base.APIRule(
name="baremetal:volume:view_target_properties",
check_str=("(role:reader and system_scope:all) or (role:admin)"),
description="Ability to view volume target properties",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "GET", "path": "/volume/targets/{volume_target_id}"}],
operations=[Operation(method="GET", path="/volume/connectors/{volume_connector_id}"), Operation(method="GET", path="/volume/targets/{volume_target_id}")],
),
base.APIRule(
name="baremetal:conductor:get",
check_str=("role:reader and system_scope:all"),
description="Retrieve Conductor records",
scope_types=["system"],
operations=[{"method": "GET", "path": "/conductors"}, {"method": "GET", "path": "/conductors/{hostname}"}],
operations=[Operation(method="GET", path="/conductors"), Operation(method="GET", path="/conductors/{hostname}")],
),
base.APIRule(
name="baremetal:allocation:get",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(allocation.owner)s)"),
description="Retrieve Allocation records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/allocations/{allocation_id}"}, {"method": "GET", "path": "/nodes/{node_ident}/allocation"}],
operations=[Operation(method="GET", path="/allocations/{allocation_id}"), Operation(method="GET", path="/nodes/{node_ident}/allocation")],
),
base.APIRule(
name="baremetal:allocation:list",
check_str=("role:reader"),
description="Retrieve multiple Allocation records, filtered by owner",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/allocations"}],
operations=[Operation(method="GET", path="/allocations")],
),
base.APIRule(
name="baremetal:allocation:list_all",
check_str=("role:reader and system_scope:all"),
description="Retrieve multiple Allocation records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/allocations"}],
operations=[Operation(method="GET", path="/allocations")],
),
base.APIRule(
name="baremetal:allocation:create",
check_str=("((role:member or role:_member_) and system_scope:all) or (role:member or role:_member_)"),
description="Create Allocation records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/allocations"}],
operations=[Operation(method="POST", path="/allocations")],
),
base.APIRule(
name="baremetal:allocation:create_restricted",
check_str=("(role:member or role:_member_) and system_scope:all"),
description="Create Allocation records with a specific owner.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/allocations"}],
operations=[Operation(method="POST", path="/allocations")],
),
base.APIRule(
name="baremetal:allocation:delete",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(allocation.owner)s)"),
description="Delete Allocation records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/allocations/{allocation_id}"}, {"method": "DELETE", "path": "/nodes/{node_ident}/allocation"}],
operations=[Operation(method="DELETE", path="/allocations/{allocation_id}"), Operation(method="DELETE", path="/nodes/{node_ident}/allocation")],
),
base.APIRule(
name="baremetal:allocation:update",
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(allocation.owner)s)"),
description="Change name and extra fields of an allocation",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/allocations/{allocation_id}"}],
operations=[Operation(method="PATCH", path="/allocations/{allocation_id}")],
),
base.APIRule(
name="baremetal:allocation:create_pre_rbac",
check_str=("(rule:is_member and role:baremetal_admin) or (is_admin_project:True and role:admin)"),
description="Logical restrictor to prevent legacy allocation rule missuse - Requires blank allocations to originate from the legacy baremetal_admin.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/allocations/{allocation_id}"}],
operations=[Operation(method="PATCH", path="/allocations/{allocation_id}")],
),
base.APIRule(
name="baremetal:events:post",
check_str=("role:admin and system_scope:all"),
description="Post events",
scope_types=["system"],
operations=[{"method": "POST", "path": "/events"}],
operations=[Operation(method="POST", path="/events")],
),
base.APIRule(
name="baremetal:deploy_template:get",
check_str=("role:reader and system_scope:all"),
description="Retrieve Deploy Template records",
scope_types=["system"],
operations=[{"method": "GET", "path": "/deploy_templates"}, {"method": "GET", "path": "/deploy_templates/{deploy_template_ident}"}],
operations=[Operation(method="GET", path="/deploy_templates"), Operation(method="GET", path="/deploy_templates/{deploy_template_ident}")],
),
base.APIRule(
name="baremetal:deploy_template:create",
check_str=("role:admin and system_scope:all"),
description="Create Deploy Template records",
scope_types=["system"],
operations=[{"method": "POST", "path": "/deploy_templates"}],
operations=[Operation(method="POST", path="/deploy_templates")],
),
base.APIRule(
name="baremetal:deploy_template:delete",
check_str=("role:admin and system_scope:all"),
description="Delete Deploy Template records",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/deploy_templates/{deploy_template_ident}"}],
operations=[Operation(method="DELETE", path="/deploy_templates/{deploy_template_ident}")],
),
base.APIRule(
name="baremetal:deploy_template:update",
check_str=("role:admin and system_scope:all"),
description="Update Deploy Template records",
scope_types=["system"],
operations=[{"method": "PATCH", "path": "/deploy_templates/{deploy_template_ident}"}],
operations=[Operation(method="PATCH", path="/deploy_templates/{deploy_template_ident}")],
),
)


@@ -15,6 +15,8 @@
# flake8: noqa
# fmt: off
from skyline_apiserver.schemas.policy_manager import Operation
from . import base
list_rules = (
@@ -43,77 +45,77 @@ list_rules = (
check_str=("rule:public_api"),
description="Access the API root for available versions information",
scope_types=["project"],
operations=[{"method": "GET", "path": "/"}],
operations=[Operation(method="GET", path="/")],
),
base.APIRule(
name="introspection:version",
check_str=("rule:public_api"),
description="Access the versioned API root for version information",
scope_types=["project"],
operations=[{"method": "GET", "path": "/{version}"}],
operations=[Operation(method="GET", path="/{version}")],
),
base.APIRule(
name="introspection:continue",
check_str=("rule:public_api"),
description="Ramdisk callback to continue introspection",
scope_types=["project"],
operations=[{"method": "POST", "path": "/continue"}],
operations=[Operation(method="POST", path="/continue")],
),
base.APIRule(
name="introspection:status",
check_str=("role:reader and system_scope:all"),
description="Get introspection status",
scope_types=["project"],
operations=[{"method": "GET", "path": "/introspection"}, {"method": "GET", "path": "/introspection/{node_id}"}],
operations=[Operation(method="GET", path="/introspection"), Operation(method="GET", path="/introspection/{node_id}")],
),
base.APIRule(
name="introspection:start",
check_str=("role:admin and system_scope:all"),
description="Start introspection",
scope_types=["project"],
operations=[{"method": "POST", "path": "/introspection/{node_id}"}],
operations=[Operation(method="POST", path="/introspection/{node_id}")],
),
base.APIRule(
name="introspection:abort",
check_str=("role:admin and system_scope:all"),
description="Abort introspection",
scope_types=["project"],
operations=[{"method": "POST", "path": "/introspection/{node_id}/abort"}],
operations=[Operation(method="POST", path="/introspection/{node_id}/abort")],
),
base.APIRule(
name="introspection:data",
check_str=("role:admin and system_scope:all"),
description="Get introspection data",
scope_types=["project"],
operations=[{"method": "GET", "path": "/introspection/{node_id}/data"}],
operations=[Operation(method="GET", path="/introspection/{node_id}/data")],
),
base.APIRule(
name="introspection:reapply",
check_str=("role:admin and system_scope:all"),
description="Reapply introspection on stored data",
scope_types=["project"],
operations=[{"method": "POST", "path": "/introspection/{node_id}/data/unprocessed"}],
operations=[Operation(method="POST", path="/introspection/{node_id}/data/unprocessed")],
),
base.APIRule(
name="introspection:rule:get",
check_str=("role:admin and system_scope:all"),
description="Get introspection rule(s)",
scope_types=["project"],
operations=[{"method": "GET", "path": "/rules"}, {"method": "GET", "path": "/rules/{rule_id}"}],
operations=[Operation(method="GET", path="/rules"), Operation(method="GET", path="/rules/{rule_id}")],
),
base.APIRule(
name="introspection:rule:delete",
check_str=("role:admin and system_scope:all"),
description="Delete introspection rule(s)",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/rules"}, {"method": "DELETE", "path": "/rules/{rule_id}"}],
operations=[Operation(method="DELETE", path="/rules"), Operation(method="DELETE", path="/rules/{rule_id}")],
),
base.APIRule(
name="introspection:rule:create",
check_str=("role:admin and system_scope:all"),
description="Create introspection rule",
scope_types=["project"],
operations=[{"method": "POST", "path": "/rules"}],
operations=[Operation(method="POST", path="/rules")],
),
)
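Review bot: The rules from `introspection:status` through `introspection:rule:create` require `system_scope:all` in `check_str` but declare `scope_types=["project"]`, so the declared scope and the check disagree; the baremetal rules earlier on this page pair the same check string with `scope_types=["system"]`. If Skyline evaluates `scope_types` when deciding what a token may do, these entries would presumably either never match or be treated as project-level, so I would expect `scope_types=["system"],` on them. The `# flake8: noqa` / `# fmt: off` header suggests the file is generated, in which case the correction belongs in the generator or its input rather than here. The hunk starts inside the first `base.APIRule(` entry, whose opening lines are not shown.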



@@ -15,6 +15,8 @@
# flake8: noqa
# fmt: off
from skyline_apiserver.schemas.policy_manager import Operation
from . import base
list_rules = (
@@ -53,441 +55,441 @@ list_rules = (
check_str=("rule:deny_cluster_user"),
description="Create a new bay.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/bays"}],
operations=[Operation(method="POST", path="/v1/bays")],
),
base.APIRule(
name="bay:delete",
check_str=("rule:deny_cluster_user"),
description="Delete a bay.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/bays/{bay_ident}"}],
operations=[Operation(method="DELETE", path="/v1/bays/{bay_ident}")],
),
base.APIRule(
name="bay:detail",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of bays with detail.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/bays"}],
operations=[Operation(method="GET", path="/v1/bays")],
),
base.APIRule(
name="bay:get",
check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given bay.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/bays/{bay_ident}"}],
operations=[Operation(method="GET", path="/v1/bays/{bay_ident}")],
),
base.APIRule(
name="bay:get_all",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of bays.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/bays/"}],
operations=[Operation(method="GET", path="/v1/bays/")],
),
base.APIRule(
name="bay:update",
check_str=("rule:deny_cluster_user"),
description="Update an existing bay.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/bays/{bay_ident}"}],
operations=[Operation(method="PATCH", path="/v1/bays/{bay_ident}")],
),
base.APIRule(
name="baymodel:create",
check_str=("rule:deny_cluster_user"),
description="Create a new baymodel.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/baymodels"}],
operations=[Operation(method="POST", path="/v1/baymodels")],
),
base.APIRule(
name="baymodel:delete",
check_str=("rule:deny_cluster_user"),
description="Delete a baymodel.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/baymodels/{baymodel_ident}"}],
operations=[Operation(method="DELETE", path="/v1/baymodels/{baymodel_ident}")],
),
base.APIRule(
name="baymodel:detail",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of baymodel with detail.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/baymodels"}],
operations=[Operation(method="GET", path="/v1/baymodels")],
),
base.APIRule(
name="baymodel:get",
check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given baymodel.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/baymodels/{baymodel_ident}"}],
operations=[Operation(method="GET", path="/v1/baymodels/{baymodel_ident}")],
),
base.APIRule(
name="baymodel:get_all",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of baymodel.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/baymodels"}],
operations=[Operation(method="GET", path="/v1/baymodels")],
),
base.APIRule(
name="baymodel:update",
check_str=("rule:deny_cluster_user"),
description="Update an existing baymodel.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/baymodels/{baymodel_ident}"}],
operations=[Operation(method="PATCH", path="/v1/baymodels/{baymodel_ident}")],
),
base.APIRule(
name="baymodel:publish",
check_str=("rule:admin_api"),
description="Publish an existing baymodel.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/baymodels"}, {"method": "PATCH", "path": "/v1/baymodels"}],
operations=[Operation(method="POST", path="/v1/baymodels"), Operation(method="PATCH", path="/v1/baymodels")],
),
base.APIRule(
name="certificate:create",
check_str=("rule:admin_or_user or rule:cluster_user"),
description="Sign a new certificate by the CA.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/certificates"}],
operations=[Operation(method="POST", path="/v1/certificates")],
),
base.APIRule(
name="certificate:get",
check_str=("rule:admin_or_user or rule:cluster_user"),
description="Retrieve CA information about the given bay/cluster.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/certificates/{bay_uuid/cluster_uuid}"}],
operations=[Operation(method="GET", path="/v1/certificates/{bay_uuid/cluster_uuid}")],
),
base.APIRule(
name="certificate:rotate_ca",
check_str=("rule:admin_or_owner"),
description="Rotate the CA certificate on the given bay/cluster.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/certificates/{bay_uuid/cluster_uuid}"}],
operations=[Operation(method="PATCH", path="/v1/certificates/{bay_uuid/cluster_uuid}")],
),
base.APIRule(
name="cluster:create",
check_str=("rule:deny_cluster_user"),
description="Create a new cluster.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters"}],
operations=[Operation(method="POST", path="/v1/clusters")],
),
base.APIRule(
name="cluster:delete",
check_str=("rule:deny_cluster_user"),
description="Delete a cluster.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_ident}"}],
operations=[Operation(method="DELETE", path="/v1/clusters/{cluster_ident}")],
),
base.APIRule(
name="cluster:delete_all_projects",
check_str=("rule:admin_api"),
description="Delete a cluster from any project.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_ident}"}],
operations=[Operation(method="DELETE", path="/v1/clusters/{cluster_ident}")],
),
base.APIRule(
name="cluster:detail",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of clusters with detail.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters"}],
operations=[Operation(method="GET", path="/v1/clusters")],
),
base.APIRule(
name="cluster:detail_all_projects",
check_str=("rule:admin_api"),
description="Retrieve a list of clusters with detail across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters"}],
operations=[Operation(method="GET", path="/v1/clusters")],
),
base.APIRule(
name="cluster:get",
check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given cluster.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_ident}"}],
operations=[Operation(method="GET", path="/v1/clusters/{cluster_ident}")],
),
base.APIRule(
name="cluster:get_one_all_projects",
check_str=("rule:admin_api"),
description="Retrieve information about the given cluster across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_ident}"}],
operations=[Operation(method="GET", path="/v1/clusters/{cluster_ident}")],
),
base.APIRule(
name="cluster:get_all",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of clusters.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/"}],
operations=[Operation(method="GET", path="/v1/clusters/")],
),
base.APIRule(
name="cluster:get_all_all_projects",
check_str=("rule:admin_api"),
description="Retrieve a list of all clusters across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/"}],
operations=[Operation(method="GET", path="/v1/clusters/")],
),
base.APIRule(
name="cluster:update",
check_str=("rule:deny_cluster_user"),
description="Update an existing cluster.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}],
operations=[Operation(method="PATCH", path="/v1/clusters/{cluster_ident}")],
),
base.APIRule(
name="cluster:update_health_status",
check_str=("rule:admin_or_user or rule:cluster_user"),
description="Update the health status of an existing cluster.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}],
operations=[Operation(method="PATCH", path="/v1/clusters/{cluster_ident}")],
),
base.APIRule(
name="cluster:update_all_projects",
check_str=("rule:admin_api"),
description="Update an existing cluster.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}],
operations=[Operation(method="PATCH", path="/v1/clusters/{cluster_ident}")],
),
base.APIRule(
name="cluster:resize",
check_str=("rule:deny_cluster_user"),
description="Resize an existing cluster.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/resize"}],
operations=[Operation(method="POST", path="/v1/clusters/{cluster_ident}/actions/resize")],
),
base.APIRule(
name="cluster:upgrade",
check_str=("rule:deny_cluster_user"),
description="Upgrade an existing cluster.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/upgrade"}],
operations=[Operation(method="POST", path="/v1/clusters/{cluster_ident}/actions/upgrade")],
),
base.APIRule(
name="cluster:upgrade_all_projects",
check_str=("rule:admin_api"),
description="Upgrade an existing cluster across all projects.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/upgrade"}],
operations=[Operation(method="POST", path="/v1/clusters/{cluster_ident}/actions/upgrade")],
),
base.APIRule(
name="clustertemplate:create",
check_str=("rule:deny_cluster_user"),
description="Create a new cluster template.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clustertemplates"}],
operations=[Operation(method="POST", path="/v1/clustertemplates")],
),
base.APIRule(
name="clustertemplate:delete",
check_str=("rule:admin_or_owner"),
description="Delete a cluster template.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
operations=[Operation(method="DELETE", path="/v1/clustertemplate/{clustertemplate_ident}")],
),
base.APIRule(
name="clustertemplate:delete_all_projects",
check_str=("rule:admin_api"),
description="Delete a cluster template from any project.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
operations=[Operation(method="DELETE", path="/v1/clustertemplate/{clustertemplate_ident}")],
),
base.APIRule(
name="clustertemplate:detail_all_projects",
check_str=("rule:admin_api"),
description="Retrieve a list of cluster templates with detail across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
operations=[Operation(method="GET", path="/v1/clustertemplates")],
),
base.APIRule(
name="clustertemplate:detail",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of cluster templates with detail.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
operations=[Operation(method="GET", path="/v1/clustertemplates")],
),
base.APIRule(
name="clustertemplate:get",
check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given cluster template.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
operations=[Operation(method="GET", path="/v1/clustertemplate/{clustertemplate_ident}")],
),
base.APIRule(
name="clustertemplate:get_one_all_projects",
check_str=("rule:admin_api"),
description="Retrieve information about the given cluster template across project.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
operations=[Operation(method="GET", path="/v1/clustertemplate/{clustertemplate_ident}")],
),
base.APIRule(
name="clustertemplate:get_all",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of cluster templates.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
operations=[Operation(method="GET", path="/v1/clustertemplates")],
),
base.APIRule(
name="clustertemplate:get_all_all_projects",
check_str=("rule:admin_api"),
description="Retrieve a list of cluster templates across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
operations=[Operation(method="GET", path="/v1/clustertemplates")],
),
base.APIRule(
name="clustertemplate:update",
check_str=("rule:admin_or_owner"),
description="Update an existing cluster template.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
operations=[Operation(method="PATCH", path="/v1/clustertemplate/{clustertemplate_ident}")],
),
base.APIRule(
name="clustertemplate:update_all_projects",
check_str=("rule:admin_api"),
description="Update an existing cluster template.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
operations=[Operation(method="PATCH", path="/v1/clustertemplate/{clustertemplate_ident}")],
),
base.APIRule(
name="clustertemplate:publish",
check_str=("rule:admin_api"),
description="Publish an existing cluster template.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clustertemplates"}, {"method": "PATCH", "path": "/v1/clustertemplates"}],
operations=[Operation(method="POST", path="/v1/clustertemplates"), Operation(method="PATCH", path="/v1/clustertemplates")],
),
base.APIRule(
name="federation:create",
check_str=("rule:deny_cluster_user"),
description="Create a new federation.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/federations"}],
operations=[Operation(method="POST", path="/v1/federations")],
),
base.APIRule(
name="federation:delete",
check_str=("rule:deny_cluster_user"),
description="Delete a federation.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/federations/{federation_ident}"}],
operations=[Operation(method="DELETE", path="/v1/federations/{federation_ident}")],
),
base.APIRule(
name="federation:detail",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of federations with detail.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/federations"}],
operations=[Operation(method="GET", path="/v1/federations")],
),
base.APIRule(
name="federation:get",
check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given federation.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/federations/{federation_ident}"}],
operations=[Operation(method="GET", path="/v1/federations/{federation_ident}")],
),
base.APIRule(
name="federation:get_all",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of federations.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/federations/"}],
operations=[Operation(method="GET", path="/v1/federations/")],
),
base.APIRule(
name="federation:update",
check_str=("rule:deny_cluster_user"),
description="Update an existing federation.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/federations/{federation_ident}"}],
operations=[Operation(method="PATCH", path="/v1/federations/{federation_ident}")],
),
base.APIRule(
name="magnum-service:get_all",
check_str=("rule:admin_api"),
description="Retrieve a list of magnum-services.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/mservices"}],
operations=[Operation(method="GET", path="/v1/mservices")],
),
base.APIRule(
name="quota:create",
check_str=("rule:admin_api"),
description="Create quota.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/quotas"}],
operations=[Operation(method="POST", path="/v1/quotas")],
),
base.APIRule(
name="quota:delete",
check_str=("rule:admin_api"),
description="Delete quota for a given project_id and resource.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/quotas/{project_id}/{resource}"}],
operations=[Operation(method="DELETE", path="/v1/quotas/{project_id}/{resource}")],
),
base.APIRule(
name="quota:get",
check_str=("rule:admin_or_owner"),
description="Retrieve Quota information for the given project_id.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas/{project_id}/{resource}"}],
operations=[Operation(method="GET", path="/v1/quotas/{project_id}/{resource}")],
),
base.APIRule(
name="quota:get_all",
check_str=("rule:admin_api"),
description="Retrieve a list of quotas.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas"}],
operations=[Operation(method="GET", path="/v1/quotas")],
),
base.APIRule(
name="quota:update",
check_str=("rule:admin_api"),
description="Update quota for a given project_id.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/quotas/{project_id}/{resource}"}],
operations=[Operation(method="PATCH", path="/v1/quotas/{project_id}/{resource}")],
),
base.APIRule(
name="stats:get_all",
check_str=("rule:admin_or_owner"),
description="Retrieve magnum stats.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/stats"}],
operations=[Operation(method="GET", path="/v1/stats")],
),
base.APIRule(
name="nodegroup:get",
check_str=("rule:admin_or_owner"),
description="Retrieve information about the given nodegroup.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroup/{nodegroup}"}],
operations=[Operation(method="GET", path="/v1/clusters/{cluster_id}/nodegroup/{nodegroup}")],
),
base.APIRule(
name="nodegroup:get_all",
check_str=("rule:admin_or_owner"),
description="Retrieve a list of nodegroups that belong to a cluster.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/"}],
operations=[Operation(method="GET", path="/v1/clusters/{cluster_id}/nodegroups/")],
),
base.APIRule(
name="nodegroup:get_all_all_projects",
check_str=("rule:admin_api"),
description="Retrieve a list of nodegroups across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/"}],
operations=[Operation(method="GET", path="/v1/clusters/{cluster_id}/nodegroups/")],
),
base.APIRule(
name="nodegroup:get_one_all_projects",
check_str=("rule:admin_api"),
description="Retrieve infornation for a given nodegroup.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}],
operations=[Operation(method="GET", path="/v1/clusters/{cluster_id}/nodegroups/{nodegroup}")],
),
base.APIRule(
name="nodegroup:create",
check_str=("rule:admin_or_owner"),
description="Create a new nodegroup.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_id}/nodegroups/"}],
operations=[Operation(method="POST", path="/v1/clusters/{cluster_id}/nodegroups/")],
),
base.APIRule(
name="nodegroup:delete",
check_str=("rule:admin_or_owner"),
description="Delete a nodegroup.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}],
operations=[Operation(method="DELETE", path="/v1/clusters/{cluster_id}/nodegroups/{nodegroup}")],
),
base.APIRule(
name="nodegroup:update",
check_str=("rule:admin_or_owner"),
description="Update an existing nodegroup.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}],
operations=[Operation(method="PATCH", path="/v1/clusters/{cluster_id}/nodegroups/{nodegroup}")],
),
)


@@ -15,6 +15,8 @@
# flake8: noqa
# fmt: off
from skyline_apiserver.schemas.policy_manager import Operation
from . import base
list_rules = (
@@ -68,126 +70,126 @@ list_rules = (
check_str=("rule:admin_api"),
description="List available extensions.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/extensions"}],
operations=[Operation(method="GET", path="/extensions")],
),
base.APIRule(
name="os_masakari_api:extensions:detail",
check_str=("rule:admin_api"),
description="Shows information for an extension.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/extensions/{extensions_id}"}],
operations=[Operation(method="GET", path="/extensions/{extensions_id}")],
),
base.APIRule(
name="os_masakari_api:os-hosts:index",
check_str=("rule:admin_api"),
description="Lists IDs, names, type, reserved, on_maintenance for all hosts.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/segments/{segment_id}/hosts"}],
operations=[Operation(method="GET", path="/segments/{segment_id}/hosts")],
),
base.APIRule(
name="os_masakari_api:os-hosts:detail",
check_str=("rule:admin_api"),
description="Shows details for a host.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/segments/{segment_id}/hosts/{host_id}"}],
operations=[Operation(method="GET", path="/segments/{segment_id}/hosts/{host_id}")],
),
base.APIRule(
name="os_masakari_api:os-hosts:create",
check_str=("rule:admin_api"),
description="Creates a host under given segment.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/segments/{segment_id}/hosts"}],
operations=[Operation(method="POST", path="/segments/{segment_id}/hosts")],
),
base.APIRule(
name="os_masakari_api:os-hosts:update",
check_str=("rule:admin_api"),
description="Updates the editable attributes of an existing host.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/segments/{segment_id}/hosts/{host_id}"}],
operations=[Operation(method="PUT", path="/segments/{segment_id}/hosts/{host_id}")],
),
base.APIRule(
name="os_masakari_api:os-hosts:delete",
check_str=("rule:admin_api"),
description="Deletes a host from given segment.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/segments/{segment_id}/hosts/{host_id}"}],
operations=[Operation(method="DELETE", path="/segments/{segment_id}/hosts/{host_id}")],
),
base.APIRule(
name="os_masakari_api:notifications:index",
check_str=("rule:admin_api"),
description="Lists IDs, notification types, host_name, generated_time, payload and status for all notifications.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/notifications"}],
operations=[Operation(method="GET", path="/notifications")],
),
base.APIRule(
name="os_masakari_api:notifications:detail",
check_str=("rule:admin_api"),
description="Shows details for a notification.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/notifications/{notification_id}"}],
operations=[Operation(method="GET", path="/notifications/{notification_id}")],
),
base.APIRule(
name="os_masakari_api:notifications:create",
check_str=("rule:admin_api"),
description="Creates a notification.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/notifications"}],
operations=[Operation(method="POST", path="/notifications")],
),
base.APIRule(
name="os_masakari_api:segments:index",
check_str=("rule:admin_api"),
description="Lists IDs, names, description, recovery_method, service_type for all segments.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/segments"}],
operations=[Operation(method="GET", path="/segments")],
),
base.APIRule(
name="os_masakari_api:segments:detail",
check_str=("rule:admin_api"),
description="Shows details for a segment.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/segments/{segment_id}"}],
operations=[Operation(method="GET", path="/segments/{segment_id}")],
),
base.APIRule(
name="os_masakari_api:segments:create",
check_str=("rule:admin_api"),
description="Creates a segment.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/segments"}],
operations=[Operation(method="POST", path="/segments")],
),
base.APIRule(
name="os_masakari_api:segments:update",
check_str=("rule:admin_api"),
description="Updates the editable attributes of an existing host.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/segments/{segment_id}"}],
operations=[Operation(method="PUT", path="/segments/{segment_id}")],
),
base.APIRule(
name="os_masakari_api:segments:delete",
check_str=("rule:admin_api"),
description="Deletes a segment.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/segments/{segment_id}"}],
operations=[Operation(method="DELETE", path="/segments/{segment_id}")],
),
base.APIRule(
name="os_masakari_api:versions:index",
check_str=("@"),
description="List all versions.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/"}],
operations=[Operation(method="GET", path="/")],
),
base.APIRule(
name="os_masakari_api:vmoves:index",
check_str=("rule:admin_api"),
description="Lists IDs, notification_id, instance_id, source_host, dest_host, status and type for all VM moves.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/notifications/{notification_id}/vmoves"}],
operations=[Operation(method="GET", path="/notifications/{notification_id}/vmoves")],
),
base.APIRule(
name="os_masakari_api:vmoves:detail",
check_str=("rule:admin_api"),
description="Shows details for one VM move.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/notifications/{notification_id}/vmoves/{vmove_id}"}],
operations=[Operation(method="GET", path="/notifications/{notification_id}/vmoves/{vmove_id}")],
),
)
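Review bot: The `# flake8: noqa` and `# fmt: off` markers at the top of this file suggest the rule table is produced by a tool rather than written by hand. If so, that generator or template needs the same change, or the next regeneration will quietly restore the `{"method": ..., "path": ...}` dicts and drop the `Operation` import. The generator is not visible on this page, so treat this as a question. Since every entry in `list_rules` ties an API operation to its `check_str`, a test that walks each policy module and asserts that all `operations` items are `Operation` instances would catch a file that was only partly converted. A short comment above the new import, for example `# operations are Operation models, not plain dicts`, would make the new contract explicit.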


@@ -15,6 +15,8 @@
# flake8: noqa
# fmt: off
from skyline_apiserver.schemas.policy_manager import Operation
from . import base
list_rules = (
@@ -103,553 +105,553 @@ list_rules = (
check_str=("rule:load-balancer:read"),
description="List Flavors",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/flavors"}],
operations=[Operation(method="GET", path="/v2.0/lbaas/flavors")],
),
base.APIRule(
name="os_load-balancer_api:flavor:post",
check_str=("rule:load-balancer:admin"),
description="Create a Flavor",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2.0/lbaas/flavors"}],
operations=[Operation(method="POST", path="/v2.0/lbaas/flavors")],
),
base.APIRule(
name="os_load-balancer_api:flavor:put",
check_str=("rule:load-balancer:admin"),
description="Update a Flavor",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2.0/lbaas/flavors/{flavor_id}"}],
operations=[Operation(method="PUT", path="/v2.0/lbaas/flavors/{flavor_id}")],
),
base.APIRule(
name="os_load-balancer_api:flavor:get_one",
check_str=("rule:load-balancer:read"),
description="Show Flavor details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/flavors/{flavor_id}"}],
operations=[Operation(method="GET", path="/v2.0/lbaas/flavors/{flavor_id}")],
),
base.APIRule(
name="os_load-balancer_api:flavor:delete",
check_str=("rule:load-balancer:admin"),
description="Remove a Flavor",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2.0/lbaas/flavors/{flavor_id}"}],
operations=[Operation(method="DELETE", path="/v2.0/lbaas/flavors/{flavor_id}")],
),
base.APIRule(
name="os_load-balancer_api:flavor-profile:get_all",
check_str=("rule:load-balancer:admin"),
description="List Flavor Profiles",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/flavorprofiles"}],
operations=[Operation(method="GET", path="/v2.0/lbaas/flavorprofiles")],
),
base.APIRule(
name="os_load-balancer_api:flavor-profile:post",
check_str=("rule:load-balancer:admin"),
description="Create a Flavor Profile",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2.0/lbaas/flavorprofiles"}],
operations=[Operation(method="POST", path="/v2.0/lbaas/flavorprofiles")],
),
base.APIRule(
name="os_load-balancer_api:flavor-profile:put",
check_str=("rule:load-balancer:admin"),
description="Update a Flavor Profile",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}],
operations=[Operation(method="PUT", path="/v2.0/lbaas/flavorprofiles/{flavor_profile_id}")],
),
base.APIRule(
name="os_load-balancer_api:flavor-profile:get_one",
check_str=("rule:load-balancer:admin"),
description="Show Flavor Profile details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}],
operations=[Operation(method="GET", path="/v2.0/lbaas/flavorprofiles/{flavor_profile_id}")],
),
base.APIRule(
name="os_load-balancer_api:flavor-profile:delete",
check_str=("rule:load-balancer:admin"),
description="Remove a Flavor Profile",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}],
operations=[Operation(method="DELETE", path="/v2.0/lbaas/flavorprofiles/{flavor_profile_id}")],
),
base.APIRule(
name="os_load-balancer_api:availability-zone:get_all",
check_str=("rule:load-balancer:read"),
description="List Availability Zones",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzones"}],
operations=[Operation(method="GET", path="/v2.0/lbaas/availabilityzones")],
),
base.APIRule(
name="os_load-balancer_api:availability-zone:post",
check_str=("rule:load-balancer:admin"),
description="Create an Availability Zone",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2.0/lbaas/availabilityzones"}],
operations=[Operation(method="POST", path="/v2.0/lbaas/availabilityzones")],
),
base.APIRule(
name="os_load-balancer_api:availability-zone:put",
check_str=("rule:load-balancer:admin"),
description="Update an Availability Zone",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}],
operations=[Operation(method="PUT", path="/v2.0/lbaas/availabilityzones/{availability_zone_id}")],
),
base.APIRule(
name="os_load-balancer_api:availability-zone:get_one",
check_str=("rule:load-balancer:read"),
description="Show Availability Zone details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}],
operations=[Operation(method="GET", path="/v2.0/lbaas/availabilityzones/{availability_zone_id}")],
),
base.APIRule(
name="os_load-balancer_api:availability-zone:delete",
check_str=("rule:load-balancer:admin"),
description="Remove an Availability Zone",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}],
operations=[Operation(method="DELETE", path="/v2.0/lbaas/availabilityzones/{availability_zone_id}")],
),
base.APIRule(
name="os_load-balancer_api:availability-zone-profile:get_all",
check_str=("rule:load-balancer:admin"),
description="List Availability Zones",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzoneprofiles"}],
operations=[Operation(method="GET", path="/v2.0/lbaas/availabilityzoneprofiles")],
),
base.APIRule(
name="os_load-balancer_api:availability-zone-profile:post",
check_str=("rule:load-balancer:admin"),
description="Create an Availability Zone",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2.0/lbaas/availabilityzoneprofiles"}],
operations=[Operation(method="POST", path="/v2.0/lbaas/availabilityzoneprofiles")],
),
base.APIRule(
name="os_load-balancer_api:availability-zone-profile:put",
check_str=("rule:load-balancer:admin"),
description="Update an Availability Zone",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}],
operations=[Operation(method="PUT", path="/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}")],
),
base.APIRule(
name="os_load-balancer_api:availability-zone-profile:get_one",
check_str=("rule:load-balancer:admin"),
description="Show Availability Zone details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}],
operations=[Operation(method="GET", path="/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}")],
),
base.APIRule(
name="os_load-balancer_api:availability-zone-profile:delete",
check_str=("rule:load-balancer:admin"),
description="Remove an Availability Zone",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}],
operations=[Operation(method="DELETE", path="/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}")],
),
base.APIRule(
name="os_load-balancer_api:healthmonitor:get_all",
check_str=("rule:load-balancer:read"),
description="List Health Monitors of a Pool",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors"}],
operations=[Operation(method="GET", path="/v2/lbaas/healthmonitors")],
),
base.APIRule(
name="os_load-balancer_api:healthmonitor:get_all-global",
check_str=("rule:load-balancer:read-global"),
description="List Health Monitors including resources owned by others",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors"}],
operations=[Operation(method="GET", path="/v2/lbaas/healthmonitors")],
),
base.APIRule(
name="os_load-balancer_api:healthmonitor:post",
check_str=("rule:load-balancer:write"),
description="Create a Health Monitor",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/healthmonitors"}],
operations=[Operation(method="POST", path="/v2/lbaas/healthmonitors")],
),
base.APIRule(
name="os_load-balancer_api:healthmonitor:get_one",
check_str=("rule:load-balancer:read"),
description="Show Health Monitor details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}],
operations=[Operation(method="GET", path="/v2/lbaas/healthmonitors/{healthmonitor_id}")],
),
base.APIRule(
name="os_load-balancer_api:healthmonitor:put",
check_str=("rule:load-balancer:write"),
description="Update a Health Monitor",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}],
operations=[Operation(method="PUT", path="/v2/lbaas/healthmonitors/{healthmonitor_id}")],
),
base.APIRule(
name="os_load-balancer_api:healthmonitor:delete",
check_str=("rule:load-balancer:write"),
description="Remove a Health Monitor",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}],
operations=[Operation(method="DELETE", path="/v2/lbaas/healthmonitors/{healthmonitor_id}")],
),
base.APIRule(
name="os_load-balancer_api:l7policy:get_all",
check_str=("rule:load-balancer:read"),
description="List L7 Policys",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies"}],
operations=[Operation(method="GET", path="/v2/lbaas/l7policies")],
),
base.APIRule(
name="os_load-balancer_api:l7policy:get_all-global",
check_str=("rule:load-balancer:read-global"),
description="List L7 Policys including resources owned by others",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies"}],
operations=[Operation(method="GET", path="/v2/lbaas/l7policies")],
),
base.APIRule(
name="os_load-balancer_api:l7policy:post",
check_str=("rule:load-balancer:write"),
description="Create a L7 Policy",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/l7policies"}],
operations=[Operation(method="POST", path="/v2/lbaas/l7policies")],
),
base.APIRule(
name="os_load-balancer_api:l7policy:get_one",
check_str=("rule:load-balancer:read"),
description="Show L7 Policy details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}"}],
operations=[Operation(method="GET", path="/v2/lbaas/l7policies/{l7policy_id}")],
),
base.APIRule(
name="os_load-balancer_api:l7policy:put",
check_str=("rule:load-balancer:write"),
description="Update a L7 Policy",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}"}],
operations=[Operation(method="PUT", path="/v2/lbaas/l7policies/{l7policy_id}")],
),
base.APIRule(
name="os_load-balancer_api:l7policy:delete",
check_str=("rule:load-balancer:write"),
description="Remove a L7 Policy",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}"}],
operations=[Operation(method="DELETE", path="/v2/lbaas/l7policies/{l7policy_id}")],
),
base.APIRule(
name="os_load-balancer_api:l7rule:get_all",
check_str=("rule:load-balancer:read"),
description="List L7 Rules",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules"}],
operations=[Operation(method="GET", path="/v2/lbaas/l7policies/{l7policy_id}/rules")],
),
base.APIRule(
name="os_load-balancer_api:l7rule:post",
check_str=("rule:load-balancer:write"),
description="Create a L7 Rule",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules"}],
operations=[Operation(method="POST", path="/v2/lbaas/l7policies/{l7policy_id}/rules")],
),
base.APIRule(
name="os_load-balancer_api:l7rule:get_one",
check_str=("rule:load-balancer:read"),
description="Show L7 Rule details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}],
operations=[Operation(method="GET", path="/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}")],
),
base.APIRule(
name="os_load-balancer_api:l7rule:put",
check_str=("rule:load-balancer:write"),
description="Update a L7 Rule",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}],
operations=[Operation(method="PUT", path="/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}")],
),
base.APIRule(
name="os_load-balancer_api:l7rule:delete",
check_str=("rule:load-balancer:write"),
description="Remove a L7 Rule",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}],
operations=[Operation(method="DELETE", path="/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}")],
),
base.APIRule(
name="os_load-balancer_api:listener:get_all",
check_str=("rule:load-balancer:read"),
description="List Listeners",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/listeners"}],
operations=[Operation(method="GET", path="/v2/lbaas/listeners")],
),
base.APIRule(
name="os_load-balancer_api:listener:get_all-global",
check_str=("rule:load-balancer:read-global"),
description="List Listeners including resources owned by others",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/listeners"}],
operations=[Operation(method="GET", path="/v2/lbaas/listeners")],
),
base.APIRule(
name="os_load-balancer_api:listener:post",
check_str=("rule:load-balancer:write"),
description="Create a Listener",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/listeners"}],
operations=[Operation(method="POST", path="/v2/lbaas/listeners")],
),
base.APIRule(
name="os_load-balancer_api:listener:get_one",
check_str=("rule:load-balancer:read"),
description="Show Listener details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/listeners/{listener_id}"}],
operations=[Operation(method="GET", path="/v2/lbaas/listeners/{listener_id}")],
),
base.APIRule(
name="os_load-balancer_api:listener:put",
check_str=("rule:load-balancer:write"),
description="Update a Listener",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/listeners/{listener_id}"}],
operations=[Operation(method="PUT", path="/v2/lbaas/listeners/{listener_id}")],
),
base.APIRule(
name="os_load-balancer_api:listener:delete",
check_str=("rule:load-balancer:write"),
description="Remove a Listener",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/listeners/{listener_id}"}],
operations=[Operation(method="DELETE", path="/v2/lbaas/listeners/{listener_id}")],
),
base.APIRule(
name="os_load-balancer_api:listener:get_stats",
check_str=("rule:load-balancer:read"),
description="Show Listener statistics",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/listeners/{listener_id}/stats"}],
operations=[Operation(method="GET", path="/v2/lbaas/listeners/{listener_id}/stats")],
),
base.APIRule(
name="os_load-balancer_api:loadbalancer:get_all",
check_str=("rule:load-balancer:read"),
description="List Load Balancers",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers"}],
operations=[Operation(method="GET", path="/v2/lbaas/loadbalancers")],
),
base.APIRule(
name="os_load-balancer_api:loadbalancer:get_all-global",
check_str=("rule:load-balancer:read-global"),
description="List Load Balancers including resources owned by others",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers"}],
operations=[Operation(method="GET", path="/v2/lbaas/loadbalancers")],
),
base.APIRule(
name="os_load-balancer_api:loadbalancer:post",
check_str=("rule:load-balancer:write"),
description="Create a Load Balancer",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/loadbalancers"}],
operations=[Operation(method="POST", path="/v2/lbaas/loadbalancers")],
),
base.APIRule(
name="os_load-balancer_api:loadbalancer:get_one",
check_str=("rule:load-balancer:read"),
description="Show Load Balancer details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}],
operations=[Operation(method="GET", path="/v2/lbaas/loadbalancers/{loadbalancer_id}")],
),
base.APIRule(
name="os_load-balancer_api:loadbalancer:put",
check_str=("rule:load-balancer:write"),
description="Update a Load Balancer",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}],
operations=[Operation(method="PUT", path="/v2/lbaas/loadbalancers/{loadbalancer_id}")],
),
base.APIRule(
name="os_load-balancer_api:loadbalancer:delete",
check_str=("rule:load-balancer:write"),
description="Remove a Load Balancer",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}],
operations=[Operation(method="DELETE", path="/v2/lbaas/loadbalancers/{loadbalancer_id}")],
),
base.APIRule(
name="os_load-balancer_api:loadbalancer:get_stats",
check_str=("rule:load-balancer:read"),
description="Show Load Balancer statistics",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/stats"}],
operations=[Operation(method="GET", path="/v2/lbaas/loadbalancers/{loadbalancer_id}/stats")],
),
base.APIRule(
name="os_load-balancer_api:loadbalancer:get_status",
check_str=("rule:load-balancer:read"),
description="Show Load Balancer status",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/status"}],
operations=[Operation(method="GET", path="/v2/lbaas/loadbalancers/{loadbalancer_id}/status")],
),
base.APIRule(
name="os_load-balancer_api:loadbalancer:put_failover",
check_str=("rule:load-balancer:admin"),
description="Failover a Load Balancer",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/failover"}],
operations=[Operation(method="PUT", path="/v2/lbaas/loadbalancers/{loadbalancer_id}/failover")],
),
base.APIRule(
name="os_load-balancer_api:member:get_all",
check_str=("rule:load-balancer:read"),
description="List Members of a Pool",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}/members"}],
operations=[Operation(method="GET", path="/v2/lbaas/pools/{pool_id}/members")],
),
base.APIRule(
name="os_load-balancer_api:member:post",
check_str=("rule:load-balancer:write"),
description="Create a Member",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/pools/{pool_id}/members"}],
operations=[Operation(method="POST", path="/v2/lbaas/pools/{pool_id}/members")],
),
base.APIRule(
name="os_load-balancer_api:member:get_one",
check_str=("rule:load-balancer:read"),
description="Show Member details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}],
operations=[Operation(method="GET", path="/v2/lbaas/pools/{pool_id}/members/{member_id}")],
),
base.APIRule(
name="os_load-balancer_api:member:put",
check_str=("rule:load-balancer:write"),
description="Update a Member",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}],
operations=[Operation(method="PUT", path="/v2/lbaas/pools/{pool_id}/members/{member_id}")],
),
base.APIRule(
name="os_load-balancer_api:member:delete",
check_str=("rule:load-balancer:write"),
description="Remove a Member",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}],
operations=[Operation(method="DELETE", path="/v2/lbaas/pools/{pool_id}/members/{member_id}")],
),
base.APIRule(
name="os_load-balancer_api:pool:get_all",
check_str=("rule:load-balancer:read"),
description="List Pools",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools"}],
operations=[Operation(method="GET", path="/v2/lbaas/pools")],
),
base.APIRule(
name="os_load-balancer_api:pool:get_all-global",
check_str=("rule:load-balancer:read-global"),
description="List Pools including resources owned by others",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools"}],
operations=[Operation(method="GET", path="/v2/lbaas/pools")],
),
base.APIRule(
name="os_load-balancer_api:pool:post",
check_str=("rule:load-balancer:write"),
description="Create a Pool",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/pools"}],
operations=[Operation(method="POST", path="/v2/lbaas/pools")],
),
base.APIRule(
name="os_load-balancer_api:pool:get_one",
check_str=("rule:load-balancer:read"),
description="Show Pool details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}"}],
operations=[Operation(method="GET", path="/v2/lbaas/pools/{pool_id}")],
),
base.APIRule(
name="os_load-balancer_api:pool:put",
check_str=("rule:load-balancer:write"),
description="Update a Pool",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/pools/{pool_id}"}],
operations=[Operation(method="PUT", path="/v2/lbaas/pools/{pool_id}")],
),
base.APIRule(
name="os_load-balancer_api:pool:delete",
check_str=("rule:load-balancer:write"),
description="Remove a Pool",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}"}],
operations=[Operation(method="DELETE", path="/v2/lbaas/pools/{pool_id}")],
),
base.APIRule(
name="os_load-balancer_api:provider:get_all",
check_str=("rule:load-balancer:read"),
description="List enabled providers",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/providers"}],
operations=[Operation(method="GET", path="/v2/lbaas/providers")],
),
base.APIRule(
name="os_load-balancer_api:quota:get_all",
check_str=("rule:load-balancer:read-quota"),
description="List Quotas",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/quotas"}],
operations=[Operation(method="GET", path="/v2/lbaas/quotas")],
),
base.APIRule(
name="os_load-balancer_api:quota:get_all-global",
check_str=("rule:load-balancer:read-quota-global"),
description="List Quotas including resources owned by others",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/quotas"}],
operations=[Operation(method="GET", path="/v2/lbaas/quotas")],
),
base.APIRule(
name="os_load-balancer_api:quota:get_one",
check_str=("rule:load-balancer:read-quota"),
description="Show Quota details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/quotas/{project_id}"}],
operations=[Operation(method="GET", path="/v2/lbaas/quotas/{project_id}")],
),
base.APIRule(
name="os_load-balancer_api:quota:put",
check_str=("rule:load-balancer:write-quota"),
description="Update a Quota",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/quotas/{project_id}"}],
operations=[Operation(method="PUT", path="/v2/lbaas/quotas/{project_id}")],
),
base.APIRule(
name="os_load-balancer_api:quota:delete",
check_str=("rule:load-balancer:write-quota"),
description="Reset a Quota",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/quotas/{project_id}"}],
operations=[Operation(method="DELETE", path="/v2/lbaas/quotas/{project_id}")],
),
base.APIRule(
name="os_load-balancer_api:quota:get_defaults",
check_str=("rule:load-balancer:read-quota"),
description="Show Default Quota for a Project",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/quotas/{project_id}/default"}],
operations=[Operation(method="GET", path="/v2/lbaas/quotas/{project_id}/default")],
),
base.APIRule(
name="os_load-balancer_api:amphora:get_all",
check_str=("rule:load-balancer:admin"),
description="List Amphorae",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/octavia/amphorae"}],
operations=[Operation(method="GET", path="/v2/octavia/amphorae")],
),
base.APIRule(
name="os_load-balancer_api:amphora:get_one",
check_str=("rule:load-balancer:admin"),
description="Show Amphora details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/octavia/amphorae/{amphora_id}"}],
operations=[Operation(method="GET", path="/v2/octavia/amphorae/{amphora_id}")],
),
base.APIRule(
name="os_load-balancer_api:amphora:delete",
check_str=("rule:load-balancer:admin"),
description="Delete an Amphora",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/octavia/amphorae/{amphora_id}"}],
operations=[Operation(method="DELETE", path="/v2/octavia/amphorae/{amphora_id}")],
),
base.APIRule(
name="os_load-balancer_api:amphora:put_config",
check_str=("rule:load-balancer:admin"),
description="Update Amphora Agent Configuration",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/octavia/amphorae/{amphora_id}/config"}],
operations=[Operation(method="PUT", path="/v2/octavia/amphorae/{amphora_id}/config")],
),
base.APIRule(
name="os_load-balancer_api:amphora:put_failover",
check_str=("rule:load-balancer:admin"),
description="Failover Amphora",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/octavia/amphorae/{amphora_id}/failover"}],
operations=[Operation(method="PUT", path="/v2/octavia/amphorae/{amphora_id}/failover")],
),
base.APIRule(
name="os_load-balancer_api:amphora:get_stats",
check_str=("rule:load-balancer:admin"),
description="Show Amphora statistics",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/octavia/amphorae/{amphora_id}/stats"}],
operations=[Operation(method="GET", path="/v2/octavia/amphorae/{amphora_id}/stats")],
),
base.APIRule(
name="os_load-balancer_api:provider-flavor:get_all",
check_str=("rule:load-balancer:admin"),
description="List the provider flavor capabilities.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/providers/{provider}/flavor_capabilities"}],
operations=[Operation(method="GET", path="/v2/lbaas/providers/{provider}/flavor_capabilities")],
),
base.APIRule(
name="os_load-balancer_api:provider-availability-zone:get_all",
check_str=("rule:load-balancer:admin"),
description="List the provider availability zone capabilities.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/providers/{provider}/availability_zone_capabilities"}],
operations=[Operation(method="GET", path="/v2/lbaas/providers/{provider}/availability_zone_capabilities")],
),
)


@@ -15,6 +15,8 @@
# flake8: noqa
# fmt: off
from skyline_apiserver.schemas.policy_manager import Operation
from . import base
list_rules = (
@@ -48,231 +50,231 @@ list_rules = (
check_str=("rule:system_reader_api"),
description="List resource providers.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers"}],
operations=[Operation(method="GET", path="/resource_providers")],
),
base.APIRule(
name="placement:resource_providers:create",
check_str=("rule:system_admin_api"),
description="Create resource provider.",
scope_types=["system"],
operations=[{"method": "POST", "path": "/resource_providers"}],
operations=[Operation(method="POST", path="/resource_providers")],
),
base.APIRule(
name="placement:resource_providers:show",
check_str=("rule:system_reader_api"),
description="Show resource provider.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}"}],
operations=[Operation(method="GET", path="/resource_providers/{uuid}")],
),
base.APIRule(
name="placement:resource_providers:update",
check_str=("rule:system_admin_api"),
description="Update resource provider.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_providers/{uuid}"}],
operations=[Operation(method="PUT", path="/resource_providers/{uuid}")],
),
base.APIRule(
name="placement:resource_providers:delete",
check_str=("rule:system_admin_api"),
description="Delete resource provider.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}"}],
operations=[Operation(method="DELETE", path="/resource_providers/{uuid}")],
),
base.APIRule(
name="placement:resource_classes:list",
check_str=("rule:system_reader_api"),
description="List resource classes.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_classes"}],
operations=[Operation(method="GET", path="/resource_classes")],
),
base.APIRule(
name="placement:resource_classes:create",
check_str=("rule:system_admin_api"),
description="Create resource class.",
scope_types=["system"],
operations=[{"method": "POST", "path": "/resource_classes"}],
operations=[Operation(method="POST", path="/resource_classes")],
),
base.APIRule(
name="placement:resource_classes:show",
check_str=("rule:system_reader_api"),
description="Show resource class.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_classes/{name}"}],
operations=[Operation(method="GET", path="/resource_classes/{name}")],
),
base.APIRule(
name="placement:resource_classes:update",
check_str=("rule:system_admin_api"),
description="Update resource class.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_classes/{name}"}],
operations=[Operation(method="PUT", path="/resource_classes/{name}")],
),
base.APIRule(
name="placement:resource_classes:delete",
check_str=("rule:system_admin_api"),
description="Delete resource class.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/resource_classes/{name}"}],
operations=[Operation(method="DELETE", path="/resource_classes/{name}")],
),
base.APIRule(
name="placement:resource_providers:inventories:list",
check_str=("rule:system_reader_api"),
description="List resource provider inventories.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/inventories"}],
operations=[Operation(method="GET", path="/resource_providers/{uuid}/inventories")],
),
base.APIRule(
name="placement:resource_providers:inventories:create",
check_str=("rule:system_admin_api"),
description="Create one resource provider inventory.",
scope_types=["system"],
operations=[{"method": "POST", "path": "/resource_providers/{uuid}/inventories"}],
operations=[Operation(method="POST", path="/resource_providers/{uuid}/inventories")],
),
base.APIRule(
name="placement:resource_providers:inventories:show",
check_str=("rule:system_reader_api"),
description="Show resource provider inventory.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}],
operations=[Operation(method="GET", path="/resource_providers/{uuid}/inventories/{resource_class}")],
),
base.APIRule(
name="placement:resource_providers:inventories:update",
check_str=("rule:system_admin_api"),
description="Update resource provider inventory.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/inventories"}, {"method": "PUT", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}],
operations=[Operation(method="PUT", path="/resource_providers/{uuid}/inventories"), Operation(method="PUT", path="/resource_providers/{uuid}/inventories/{resource_class}")],
),
base.APIRule(
name="placement:resource_providers:inventories:delete",
check_str=("rule:system_admin_api"),
description="Delete resource provider inventory.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}/inventories"}, {"method": "DELETE", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}],
operations=[Operation(method="DELETE", path="/resource_providers/{uuid}/inventories"), Operation(method="DELETE", path="/resource_providers/{uuid}/inventories/{resource_class}")],
),
base.APIRule(
name="placement:resource_providers:aggregates:list",
check_str=("rule:system_reader_api"),
description="List resource provider aggregates.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/aggregates"}],
operations=[Operation(method="GET", path="/resource_providers/{uuid}/aggregates")],
),
base.APIRule(
name="placement:resource_providers:aggregates:update",
check_str=("rule:system_admin_api"),
description="Update resource provider aggregates.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/aggregates"}],
operations=[Operation(method="PUT", path="/resource_providers/{uuid}/aggregates")],
),
base.APIRule(
name="placement:resource_providers:usages",
check_str=("rule:system_reader_api"),
description="List resource provider usages.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/usages"}],
operations=[Operation(method="GET", path="/resource_providers/{uuid}/usages")],
),
base.APIRule(
name="placement:usages",
check_str=("rule:system_or_project_reader"),
description="List total resource usages for a given project.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/usages"}],
operations=[Operation(method="GET", path="/usages")],
),
base.APIRule(
name="placement:traits:list",
check_str=("rule:system_reader_api"),
description="List traits.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/traits"}],
operations=[Operation(method="GET", path="/traits")],
),
base.APIRule(
name="placement:traits:show",
check_str=("rule:system_reader_api"),
description="Show trait.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/traits/{name}"}],
operations=[Operation(method="GET", path="/traits/{name}")],
),
base.APIRule(
name="placement:traits:update",
check_str=("rule:system_admin_api"),
description="Update trait.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/traits/{name}"}],
operations=[Operation(method="PUT", path="/traits/{name}")],
),
base.APIRule(
name="placement:traits:delete",
check_str=("rule:system_admin_api"),
description="Delete trait.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/traits/{name}"}],
operations=[Operation(method="DELETE", path="/traits/{name}")],
),
base.APIRule(
name="placement:resource_providers:traits:list",
check_str=("rule:system_reader_api"),
description="List resource provider traits.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/traits"}],
operations=[Operation(method="GET", path="/resource_providers/{uuid}/traits")],
),
base.APIRule(
name="placement:resource_providers:traits:update",
check_str=("rule:system_admin_api"),
description="Update resource provider traits.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/traits"}],
operations=[Operation(method="PUT", path="/resource_providers/{uuid}/traits")],
),
base.APIRule(
name="placement:resource_providers:traits:delete",
check_str=("rule:system_admin_api"),
description="Delete resource provider traits.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}/traits"}],
operations=[Operation(method="DELETE", path="/resource_providers/{uuid}/traits")],
),
base.APIRule(
name="placement:allocations:manage",
check_str=("rule:system_admin_api"),
description="Manage allocations.",
scope_types=["system"],
operations=[{"method": "POST", "path": "/allocations"}],
operations=[Operation(method="POST", path="/allocations")],
),
base.APIRule(
name="placement:allocations:list",
check_str=("rule:system_reader_api"),
description="List allocations.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/allocations/{consumer_uuid}"}],
operations=[Operation(method="GET", path="/allocations/{consumer_uuid}")],
),
base.APIRule(
name="placement:allocations:update",
check_str=("rule:system_admin_api"),
description="Update allocations.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/allocations/{consumer_uuid}"}],
operations=[Operation(method="PUT", path="/allocations/{consumer_uuid}")],
),
base.APIRule(
name="placement:allocations:delete",
check_str=("rule:system_admin_api"),
description="Delete allocations.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/allocations/{consumer_uuid}"}],
operations=[Operation(method="DELETE", path="/allocations/{consumer_uuid}")],
),
base.APIRule(
name="placement:resource_providers:allocations:list",
check_str=("rule:system_reader_api"),
description="List resource provider allocations.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/allocations"}],
operations=[Operation(method="GET", path="/resource_providers/{uuid}/allocations")],
),
base.APIRule(
name="placement:allocation_candidates:list",
check_str=("rule:system_reader_api"),
description="List allocation candidates.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/allocation_candidates"}],
operations=[Operation(method="GET", path="/allocation_candidates")],
),
base.APIRule(
name="placement:reshaper:reshape",
check_str=("rule:system_admin_api"),
description="Reshape Inventory and Allocations.",
scope_types=["system"],
operations=[{"method": "POST", "path": "/reshaper"}],
operations=[Operation(method="POST", path="/reshaper")],
),
)
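Review bot: Nothing in this section shows a check that the rewritten `operations=` entries still carry the same method/path pairs as the dict literals they replace. Each entry ties an API endpoint to the `check_str` that guards it, so a slip in a bulk rewrite like this would be an authorization-mapping regression that is hard to spot by eye. Assuming `Operation` is a pydantic v2 model with only these two fields, a one-off test over `list_rules` such as `assert [op.model_dump() for op in rule.operations] == previous_ops[rule.name]` (with `previous_ops` a snapshot of the old dicts) would pin the equivalence. The `# flake8: noqa` / `# fmt: off` header suggests this module may be generated; if it is, the generator needs to emit the `Operation` import and calls too, or the next regeneration will revert the change. The `list_rules` tuple starts before the second hunk, so its earlier entries are not visible here.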


@@ -15,6 +15,8 @@
# flake8: noqa
# fmt: off
from skyline_apiserver.schemas.policy_manager import Operation
from . import base
list_rules = (
@@ -38,588 +40,588 @@ list_rules = (
check_str=("rule:admin_or_owner"),
description="Create a database instance.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/instances")],
),
base.APIRule(
name="instance:delete",
check_str=("rule:admin_or_owner"),
description="Delete a database instance.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/instances/{instance_id}")],
),
base.APIRule(
name="instance:force_delete",
check_str=("rule:admin_or_owner"),
description="Forcibly delete a database instance.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/instances/{instance_id}")],
),
base.APIRule(
name="instance:index",
check_str=("rule:admin_or_owner"),
description="List database instances.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/instances")],
),
base.APIRule(
name="instance:detail",
check_str=("rule:admin_or_owner"),
description="List database instances with details.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/detail"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/instances/detail")],
),
base.APIRule(
name="instance:show",
check_str=("rule:admin_or_owner"),
description="Get details of a specific database instance.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/instances/{instance_id}")],
),
base.APIRule(
name="instance:update",
check_str=("rule:admin_or_owner"),
description="Update a database instance to attach/detach configuration",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}"}, {"method": "POST", "path": "/v1.0/{account_id}/instances"}],
operations=[Operation(method="PUT", path="/v1.0/{account_id}/instances/{instance_id}"), Operation(method="POST", path="/v1.0/{account_id}/instances")],
),
base.APIRule(
name="instance:edit",
check_str=("rule:admin_or_owner"),
description="Updates the instance to set or unset one or more attributes.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
operations=[Operation(method="PATCH", path="/v1.0/{account_id}/instances/{instance_id}")],
),
base.APIRule(
name="instance:restart",
check_str=("rule:admin_or_owner"),
description="Restart a database instance.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (restart)"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/instances/{instance_id}/action (restart)")],
),
base.APIRule(
name="instance:resize_volume",
check_str=("rule:admin_or_owner"),
description="Resize a database instance volume.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (resize)"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/instances/{instance_id}/action (resize)")],
),
base.APIRule(
name="instance:resize_flavor",
check_str=("rule:admin_or_owner"),
description="Resize a database instance flavor.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (resize)"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/instances/{instance_id}/action (resize)")],
),
base.APIRule(
name="instance:reset_status",
check_str=("rule:admin"),
description="Reset the status of a database instance to ERROR.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (reset_status)"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/instances/{instance_id}/action (reset_status)")],
),
base.APIRule(
name="instance:promote_to_replica_source",
check_str=("rule:admin_or_owner"),
description="Promote instance to replica source.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (promote_to_replica_source)"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/instances/{instance_id}/action (promote_to_replica_source)")],
),
base.APIRule(
name="instance:eject_replica_source",
check_str=("rule:admin_or_owner"),
description="Eject the replica source from its replica set.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (eject_replica_source)"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/instances/{instance_id}/action (eject_replica_source)")],
),
base.APIRule(
name="instance:configuration",
check_str=("rule:admin_or_owner"),
description="Get the default configuration template applied to the instance.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/configuration"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/instances/{instance_id}/configuration")],
),
base.APIRule(
name="instance:guest_log_list",
check_str=("rule:admin_or_owner"),
description="Get all informations about all logs of a database instance.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/log"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/instances/{instance_id}/log")],
),
base.APIRule(
name="instance:backups",
check_str=("rule:admin_or_owner"),
description="Get all backups of a database instance.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/backups"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/instances/{instance_id}/backups")],
),
base.APIRule(
name="instance:module_list",
check_str=("rule:admin_or_owner"),
description="Get informations about modules on a database instance.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/modules"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/instances/{instance_id}/modules")],
),
base.APIRule(
name="instance:module_apply",
check_str=("rule:admin_or_owner"),
description="Apply modules to a database instance.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/modules"}, {"method": "POST", "path": "/v1.0/{account_id}/instances"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/instances/{instance_id}/modules"), Operation(method="POST", path="/v1.0/{account_id}/instances")],
),
base.APIRule(
name="instance:module_remove",
check_str=("rule:admin_or_owner"),
description="Remove a module from a database instance.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/modules/{module_id}"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/instances/{instance_id}/modules/{module_id}")],
),
base.APIRule(
name="instance:extension:root:create",
check_str=("rule:admin_or_owner"),
description="Enable the root user of a database instance.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/root"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/instances/{instance_id}/root")],
),
base.APIRule(
name="instance:extension:root:delete",
check_str=("rule:admin_or_owner"),
description="Disable the root user of a database instance.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/root"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/instances/{instance_id}/root")],
),
base.APIRule(
name="instance:extension:root:index",
check_str=("rule:admin_or_owner"),
description="Show whether the root user of a database instance has been ever enabled.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/root"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/instances/{instance_id}/root")],
),
base.APIRule(
name="cluster:extension:root:create",
check_str=("rule:admin_or_owner"),
description="Enable the root user of the instances in a cluster.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/clusters/{cluster}/root")],
),
base.APIRule(
name="cluster:extension:root:delete",
check_str=("rule:admin_or_owner"),
description="Enable the root user of the instances in a cluster.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/clusters/{cluster}/root")],
),
base.APIRule(
name="cluster:extension:root:index",
check_str=("rule:admin_or_owner"),
description="Disable the root of the instances in a cluster.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/clusters/{cluster}/root")],
),
base.APIRule(
name="instance:extension:user:create",
check_str=("rule:admin_or_owner"),
description="Create users for a database instance.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/users"}, {"method": "POST", "path": "/v1.0/{account_id}/instances"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/instances/{instance_id}/users"), Operation(method="POST", path="/v1.0/{account_id}/instances")],
),
base.APIRule(
name="instance:extension:user:delete",
check_str=("rule:admin_or_owner"),
description="Delete a user from a database instance.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/instances/{instance_id}/users/{user}")],
),
base.APIRule(
name="instance:extension:user:index",
check_str=("rule:admin_or_owner"),
description="Get all users of a database instance.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/users"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/instances/{instance_id}/users")],
),
base.APIRule(
name="instance:extension:user:show",
check_str=("rule:admin_or_owner"),
description="Get the information of a single user of a database instance.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/instances/{instance_id}/users/{user}")],
),
base.APIRule(
name="instance:extension:user:update",
check_str=("rule:admin_or_owner"),
description="Update attributes for a user of a database instance.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}"}],
operations=[Operation(method="PUT", path="/v1.0/{account_id}/instances/{instance_id}/users/{user}")],
),
base.APIRule(
name="instance:extension:user:update_all",
check_str=("rule:admin_or_owner"),
description="Update the password for one or more users a database instance.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}/users"}],
operations=[Operation(method="PUT", path="/v1.0/{account_id}/instances/{instance_id}/users")],
),
base.APIRule(
name="instance:extension:user_access:update",
check_str=("rule:admin_or_owner"),
description="Grant access for a user to one or more databases.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases"}],
operations=[Operation(method="PUT", path="/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases")],
),
base.APIRule(
name="instance:extension:user_access:delete",
check_str=("rule:admin_or_owner"),
description="Revoke access for a user to a databases.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases/{database}"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases/{database}")],
),
base.APIRule(
name="instance:extension:user_access:index",
check_str=("rule:admin_or_owner"),
description="Get permissions of a user",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases")],
),
base.APIRule(
name="instance:extension:database:create",
check_str=("rule:admin_or_owner"),
description="Create a set of Schemas",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/databases"}, {"method": "POST", "path": "/v1.0/{account_id}/instances"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/instances/{instance_id}/databases"), Operation(method="POST", path="/v1.0/{account_id}/instances")],
),
base.APIRule(
name="instance:extension:database:delete",
check_str=("rule:admin_or_owner"),
description="Delete a schema from a database.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/databases/{database}"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/instances/{instance_id}/databases/{database}")],
),
base.APIRule(
name="instance:extension:database:index",
check_str=("rule:admin_or_owner"),
description="List all schemas from a database.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/databases"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/instances/{instance_id}/databases")],
),
base.APIRule(
name="instance:extension:database:show",
check_str=("rule:admin_or_owner"),
description="Get informations of a schema(Currently Not Implemented).",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/databases/{database}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/instances/{instance_id}/databases/{database}")],
),
base.APIRule(
name="cluster:create",
check_str=("rule:admin_or_owner"),
description="Create a cluster.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/clusters")],
),
base.APIRule(
name="cluster:delete",
check_str=("rule:admin_or_owner"),
description="Delete a cluster.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/clusters/{cluster}"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/clusters/{cluster}")],
),
base.APIRule(
name="cluster:force_delete",
check_str=("rule:admin_or_owner"),
description="Forcibly delete a cluster.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster} (reset-status)"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/clusters/{cluster} (reset-status)")],
),
base.APIRule(
name="cluster:index",
check_str=("rule:admin_or_owner"),
description="List all clusters",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/clusters")],
),
base.APIRule(
name="cluster:show",
check_str=("rule:admin_or_owner"),
description="Get informations of a cluster.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters/{cluster}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/clusters/{cluster}")],
),
base.APIRule(
name="cluster:show_instance",
check_str=("rule:admin_or_owner"),
description="Get informations of a instance in a cluster.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters/{cluster}/instances/{instance}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/clusters/{cluster}/instances/{instance}")],
),
base.APIRule(
name="cluster:action",
check_str=("rule:admin_or_owner"),
description="Commit an action against a cluster",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster}"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/clusters/{cluster}")],
),
base.APIRule(
name="cluster:reset-status",
check_str=("rule:admin"),
description="Reset the status of a cluster to NONE.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster} (reset-status)"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/clusters/{cluster} (reset-status)")],
),
base.APIRule(
name="backup:create",
check_str=("rule:admin_or_owner"),
description="Create a backup of a database instance.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/backups"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/backups")],
),
base.APIRule(
name="backup:delete",
check_str=("rule:admin_or_owner"),
description="Delete a backup of a database instance.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/backups/{backup}"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/backups/{backup}")],
),
base.APIRule(
name="backup:index",
check_str=("rule:admin_or_owner"),
description="List all backups.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/backups")],
),
base.APIRule(
name="backup:index:all_projects",
check_str=("role:admin"),
description="List backups for all the projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/backups")],
),
base.APIRule(
name="backup:show",
check_str=("rule:admin_or_owner"),
description="Get informations of a backup.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups/{backup}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/backups/{backup}")],
),
base.APIRule(
name="backup_strategy:create",
check_str=("rule:admin_or_owner"),
description="Create a backup strategy.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/backup_strategies"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/backup_strategies")],
),
base.APIRule(
name="backup_strategy:index",
check_str=("rule:admin_or_owner"),
description="List all backup strategies.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/backup_strategies"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/backup_strategies")],
),
base.APIRule(
name="backup_strategy:delete",
check_str=("rule:admin_or_owner"),
description="Delete backup strategies.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/backup_strategies"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/backup_strategies")],
),
base.APIRule(
name="configuration:create",
check_str=("rule:admin_or_owner"),
description="Create a configuration group.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/configurations"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/configurations")],
),
base.APIRule(
name="configuration:delete",
check_str=("rule:admin_or_owner"),
description="Delete a configuration group.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/configurations/{config}"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/configurations/{config}")],
),
base.APIRule(
name="configuration:index",
check_str=("rule:admin_or_owner"),
description="List all configuration groups.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/configurations"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/configurations")],
),
base.APIRule(
name="configuration:show",
check_str=("rule:admin_or_owner"),
description="Get informations of a configuration group.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/configurations/{config}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/configurations/{config}")],
),
base.APIRule(
name="configuration:instances",
check_str=("rule:admin_or_owner"),
description="List all instances which a configuration group has be assigned to.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/configurations/{config}/instances"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/configurations/{config}/instances")],
),
base.APIRule(
name="configuration:update",
check_str=("rule:admin_or_owner"),
description="Update a configuration group(the configuration group will be replaced completely).",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1.0/{account_id}/configurations/{config}"}],
operations=[Operation(method="PUT", path="/v1.0/{account_id}/configurations/{config}")],
),
base.APIRule(
name="configuration:edit",
check_str=("rule:admin_or_owner"),
description="Patch a configuration group.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1.0/{account_id}/configurations/{config}"}],
operations=[Operation(method="PATCH", path="/v1.0/{account_id}/configurations/{config}")],
),
base.APIRule(
name="configuration-parameter:index",
check_str=("rule:admin_or_owner"),
description="List all parameters bind to a datastore version.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters")],
),
base.APIRule(
name="configuration-parameter:show",
check_str=("rule:admin_or_owner"),
description="Get a paramter of a datastore version.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters/{param}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters/{param}")],
),
base.APIRule(
name="configuration-parameter:index_by_version",
check_str=("rule:admin_or_owner"),
description="List all paramters bind to a datastore version by the id of the version(datastore is not provided).",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/versions/{version}/paramters"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/datastores/versions/{version}/paramters")],
),
base.APIRule(
name="configuration-parameter:show_by_version",
check_str=("rule:admin_or_owner"),
description="Get a paramter of a datastore version by it names and the id of the version(datastore is not provided).",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/versions/{version}/paramters/{param}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/datastores/versions/{version}/paramters/{param}")],
),
base.APIRule(
name="datastore:index",
check_str=(""),
description="List all datastores.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/datastores")],
),
base.APIRule(
name="datastore:show",
check_str=(""),
description="Get informations of a datastore.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/datastores/{datastore}")],
),
base.APIRule(
name="datastore:delete",
check_str=("rule:admin"),
description="Delete a datastore.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/datastores/{datastore}"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/datastores/{datastore}")],
),
base.APIRule(
name="datastore:version_show",
check_str=(""),
description="Get a version of a datastore by the version id.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/datastores/{datastore}/versions/{version}")],
),
base.APIRule(
name="datastore:version_show_by_uuid",
check_str=(""),
description="Get a version of a datastore by the version id(without providing the datastore id).",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/versions/{version}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/datastores/versions/{version}")],
),
base.APIRule(
name="datastore:version_index",
check_str=(""),
description="Get all versions of a datastore.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/datastores/{datastore}/versions")],
),
base.APIRule(
name="datastore:list_associated_flavors",
check_str=(""),
description="List all flavors associated with a datastore version.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/flavors"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/datastores/{datastore}/versions/{version}/flavors")],
),
base.APIRule(
name="datastore:list_associated_volume_types",
check_str=(""),
description="List all volume-types associated with a datastore version.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/volume-types"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/datastores/{datastore}/versions/{version}/volume-types")],
),
base.APIRule(
name="flavor:index",
check_str=(""),
description="List all flavors.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/flavors"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/flavors")],
),
base.APIRule(
name="flavor:show",
check_str=(""),
description="Get information of a flavor.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/flavors/{flavor}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/flavors/{flavor}")],
),
base.APIRule(
name="limits:index",
check_str=("rule:admin_or_owner"),
description="List all absolute and rate limit informations.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/limits"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/limits")],
),
base.APIRule(
name="module:create",
check_str=("rule:admin_or_owner"),
description="Create a module.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/modules"}],
operations=[Operation(method="POST", path="/v1.0/{account_id}/modules")],
),
base.APIRule(
name="module:delete",
check_str=("rule:admin_or_owner"),
description="Delete a module.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/modules/{module}"}],
operations=[Operation(method="DELETE", path="/v1.0/{account_id}/modules/{module}")],
),
base.APIRule(
name="module:index",
check_str=("rule:admin_or_owner"),
description="List all modules.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/modules")],
),
base.APIRule(
name="module:show",
check_str=("rule:admin_or_owner"),
description="Get informations of a module.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules/{module}"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/modules/{module}")],
),
base.APIRule(
name="module:instances",
check_str=("rule:admin_or_owner"),
description="List all instances to which a module is applied.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules/{module}/instances"}],
operations=[Operation(method="GET", path="/v1.0/{account_id}/modules/{module}/instances")],
),
base.APIRule(
name="module:update",
check_str=("rule:admin_or_owner"),
description="Update a module.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1.0/{account_id}/modules/{module}"}],
operations=[Operation(method="PUT", path="/v1.0/{account_id}/modules/{module}")],
),
base.APIRule(
name="module:reapply",
check_str=("rule:admin_or_owner"),
description="Reapply a module to all instances.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1.0/{account_id}/modules/{module}/instances"}],
operations=[Operation(method="PUT", path="/v1.0/{account_id}/modules/{module}/instances")],
),
)


@@ -15,6 +15,8 @@
# flake8: noqa
# fmt: off
from skyline_apiserver.schemas.policy_manager import Operation
from . import base
list_rules = (
@@ -43,546 +45,546 @@ list_rules = (
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Create a new container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
operations=[Operation(method="POST", path="/v1/containers")],
),
base.APIRule(
name="container:create:runtime",
check_str=("rule:context_is_admin"),
description="Create a new container with specified runtime.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
operations=[Operation(method="POST", path="/v1/containers")],
),
base.APIRule(
name="container:create:privileged",
check_str=("rule:deny_everybody"),
description="Create a new privileged container.Warning: the privileged container has a big security risk so be caution if you want to enable this feature",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
operations=[Operation(method="POST", path="/v1/containers")],
),
base.APIRule(
name="container:create:requested_destination",
check_str=("rule:context_is_admin"),
description="Create a container on the requested compute host.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
operations=[Operation(method="POST", path="/v1/containers")],
),
base.APIRule(
name="container:create:image_pull_policy",
check_str=("rule:context_is_admin"),
description="Create a new container with specified image pull policy.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
operations=[Operation(method="POST", path="/v1/containers")],
),
base.APIRule(
name="container:delete",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Delete a container.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}],
operations=[Operation(method="DELETE", path="/v1/containers/{container_ident}")],
),
base.APIRule(
name="container:delete_all_projects",
check_str=("rule:context_is_admin"),
description="Delete a container from all projects.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}],
operations=[Operation(method="DELETE", path="/v1/containers/{container_ident}")],
),
base.APIRule(
name="container:delete_force",
check_str=("rule:context_is_admin"),
description="Forcibly delete a container.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}],
operations=[Operation(method="DELETE", path="/v1/containers/{container_ident}")],
),
base.APIRule(
name="container:get_one",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of a specific container.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}],
operations=[Operation(method="GET", path="/v1/containers/{container_ident}")],
),
base.APIRule(
name="container:get_one:host",
check_str=("rule:context_is_admin"),
description="Retrieve the host field of containers.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
operations=[Operation(method="GET", path="/v1/containers/{container_ident}"), Operation(method="GET", path="/v1/containers"), Operation(method="POST", path="/v1/containers"), Operation(method="PATCH", path="/v1/containers/{container_ident}")],
),
base.APIRule(
name="container:get_one:image_pull_policy",
check_str=("rule:context_is_admin"),
description="Retrieve the image_pull_policy field of containers.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
operations=[Operation(method="GET", path="/v1/containers/{container_ident}"), Operation(method="GET", path="/v1/containers"), Operation(method="POST", path="/v1/containers"), Operation(method="PATCH", path="/v1/containers/{container_ident}")],
),
base.APIRule(
name="container:get_one:privileged",
check_str=("rule:context_is_admin"),
description="Retrieve the privileged field of containers.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
operations=[Operation(method="GET", path="/v1/containers/{container_ident}"), Operation(method="GET", path="/v1/containers"), Operation(method="POST", path="/v1/containers"), Operation(method="PATCH", path="/v1/containers/{container_ident}")],
),
base.APIRule(
name="container:get_one:runtime",
check_str=("rule:context_is_admin"),
description="Retrieve the runtime field of containers.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
operations=[Operation(method="GET", path="/v1/containers/{container_ident}"), Operation(method="GET", path="/v1/containers"), Operation(method="POST", path="/v1/containers"), Operation(method="PATCH", path="/v1/containers/{container_ident}")],
),
base.APIRule(
name="container:get_one_all_projects",
check_str=("rule:context_is_admin"),
description="Retrieve the details of a specific container from all projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}],
operations=[Operation(method="GET", path="/v1/containers/{container_ident}")],
),
base.APIRule(
name="container:get_all",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of all containers.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers"}],
operations=[Operation(method="GET", path="/v1/containers")],
),
base.APIRule(
name="container:get_all_all_projects",
check_str=("rule:context_is_admin"),
description="Retrieve the details of all containers across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers"}],
operations=[Operation(method="GET", path="/v1/containers")],
),
base.APIRule(
name="container:update",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Update a container.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
operations=[Operation(method="PATCH", path="/v1/containers/{container_ident}")],
),
base.APIRule(
name="container:start",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Start a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/start"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/start")],
),
base.APIRule(
name="container:stop",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Stop a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/stop"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/stop")],
),
base.APIRule(
name="container:reboot",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Reboot a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/reboot"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/reboot")],
),
base.APIRule(
name="container:pause",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Pause a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/pause"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/pause")],
),
base.APIRule(
name="container:unpause",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Unpause a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/unpause"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/unpause")],
),
base.APIRule(
name="container:logs",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Get the log of a container",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/logs"}],
operations=[Operation(method="GET", path="/v1/containers/{container_ident}/logs")],
),
base.APIRule(
name="container:execute",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Execute command in a running container",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/execute"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/execute")],
),
base.APIRule(
name="container:execute_resize",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Resize the TTY used by an execute command.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/execute_resize"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/execute_resize")],
),
base.APIRule(
name="container:kill",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Kill a running container",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/kill"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/kill")],
),
base.APIRule(
name="container:rename",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Rename a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/rename"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/rename")],
),
base.APIRule(
name="container:attach",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Attach to a running container",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/attach"}],
operations=[Operation(method="GET", path="/v1/containers/{container_ident}/attach")],
),
base.APIRule(
name="container:resize",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Resize a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/resize"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/resize")],
),
base.APIRule(
name="container:top",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Display the running processes inside the container.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/top"}],
operations=[Operation(method="GET", path="/v1/containers/{container_ident}/top")],
),
base.APIRule(
name="container:get_archive",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Get a tar archive of a path of container.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/get_archive"}],
operations=[Operation(method="GET", path="/v1/containers/{container_ident}/get_archive")],
),
base.APIRule(
name="container:put_archive",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Put a tar archive to be extracted to a path of container",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/containers/{container_ident}/put_archive"}],
operations=[Operation(method="PUT", path="/v1/containers/{container_ident}/put_archive")],
),
base.APIRule(
name="container:stats",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Display the statistics of a container",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/stats"}],
operations=[Operation(method="GET", path="/v1/containers/{container_ident}/stats")],
),
base.APIRule(
name="container:commit",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Commit a container",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/commit"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/commit")],
),
base.APIRule(
name="container:add_security_group",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Add a security group to a specific container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/add_security_group"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/add_security_group")],
),
base.APIRule(
name="container:network_detach",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Detach a network from a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/network_detach"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/network_detach")],
),
base.APIRule(
name="container:network_attach",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Attach a network from a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/network_attach"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/network_attach")],
),
base.APIRule(
name="container:remove_security_group",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Remove security group from a specific container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/remove_security_group"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/remove_security_group")],
),
base.APIRule(
name="container:rebuild",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Rebuild a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/rebuild"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/rebuild")],
),
base.APIRule(
name="container:resize_container",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Resize an existing container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/resize_container"}],
operations=[Operation(method="POST", path="/v1/containers/{container_ident}/resize_container")],
),
base.APIRule(
name="image:pull",
check_str=("rule:context_is_admin"),
description="Pull an image.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/images"}],
operations=[Operation(method="POST", path="/v1/images")],
),
base.APIRule(
name="image:get_all",
check_str=("rule:context_is_admin"),
description="Print a list of available images.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/images"}],
operations=[Operation(method="GET", path="/v1/images")],
),
base.APIRule(
name="image:get_one",
check_str=("rule:context_is_admin"),
description="Retrieve the details of a specific image.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/images/{image_id}"}],
operations=[Operation(method="GET", path="/v1/images/{image_id}")],
),
base.APIRule(
name="image:search",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Search an image.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/images/{image_ident}/search"}],
operations=[Operation(method="GET", path="/v1/images/{image_ident}/search")],
),
base.APIRule(
name="image:delete",
check_str=("rule:context_is_admin"),
description="Delete an image.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/images/{image_ident}"}],
operations=[Operation(method="DELETE", path="/v1/images/{image_ident}")],
),
base.APIRule(
name="zun-service:delete",
check_str=("rule:context_is_admin"),
description="Delete a service.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/services"}],
operations=[Operation(method="DELETE", path="/v1/services")],
),
base.APIRule(
name="zun-service:disable",
check_str=("rule:context_is_admin"),
description="Disable a service.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/services/disable"}],
operations=[Operation(method="PUT", path="/v1/services/disable")],
),
base.APIRule(
name="zun-service:enable",
check_str=("rule:context_is_admin"),
description="Enable a service.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/services/enable"}],
operations=[Operation(method="PUT", path="/v1/services/enable")],
),
base.APIRule(
name="zun-service:force_down",
check_str=("rule:context_is_admin"),
description="Forcibly shutdown a service.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/services/force_down"}],
operations=[Operation(method="PUT", path="/v1/services/force_down")],
),
base.APIRule(
name="zun-service:get_all",
check_str=("rule:context_is_admin"),
description="Show the status of a service.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/services"}],
operations=[Operation(method="GET", path="/v1/services")],
),
base.APIRule(
name="host:get_all",
check_str=("rule:context_is_admin"),
description="List all compute hosts.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/hosts"}],
operations=[Operation(method="GET", path="/v1/hosts")],
),
base.APIRule(
name="host:get",
check_str=("rule:context_is_admin"),
description="Show the details of a specific compute host.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/hosts/{host_ident}"}],
operations=[Operation(method="GET", path="/v1/hosts/{host_ident}")],
),
base.APIRule(
name="capsule:create",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Create a capsule",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/capsules/"}],
operations=[Operation(method="POST", path="/v1/capsules/")],
),
base.APIRule(
name="capsule:delete",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Delete a capsule",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/capsules/{capsule_ident}"}],
operations=[Operation(method="DELETE", path="/v1/capsules/{capsule_ident}")],
),
base.APIRule(
name="capsule:delete_all_projects",
check_str=("rule:context_is_admin"),
description="Delete a container in any project.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/capsules/{capsule_ident}"}],
operations=[Operation(method="DELETE", path="/v1/capsules/{capsule_ident}")],
),
base.APIRule(
name="capsule:get",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of a capsule.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}],
operations=[Operation(method="GET", path="/v1/capsules/{capsule_ident}")],
),
base.APIRule(
name="capsule:get:host",
check_str=("rule:context_is_admin"),
description="Retrieve the host field of a capsule.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}, {"method": "GET", "path": "/v1/capsules"}, {"method": "POST", "path": "/v1/capsules"}],
operations=[Operation(method="GET", path="/v1/capsules/{capsule_ident}"), Operation(method="GET", path="/v1/capsules"), Operation(method="POST", path="/v1/capsules")],
),
base.APIRule(
name="capsule:get_one_all_projects",
check_str=("rule:context_is_admin"),
description="Retrieve the details of a capsule in any project.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}],
operations=[Operation(method="GET", path="/v1/capsules/{capsule_ident}")],
),
base.APIRule(
name="capsule:get_all",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="List all capsules.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/capsules/"}],
operations=[Operation(method="GET", path="/v1/capsules/")],
),
base.APIRule(
name="capsule:get_all_all_projects",
check_str=("rule:context_is_admin"),
description="List all capsules across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/capsules/"}],
operations=[Operation(method="GET", path="/v1/capsules/")],
),
base.APIRule(
name="network:attach_external_network",
check_str=("role:admin"),
description="Attach an unshared external network to a container",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
operations=[Operation(method="POST", path="/v1/containers")],
),
base.APIRule(
name="network:create",
check_str=("role:admin"),
description="Create a network",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/networks"}],
operations=[Operation(method="POST", path="/v1/networks")],
),
base.APIRule(
name="network:delete",
check_str=("role:admin"),
description="Delete a network",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/networks"}],
operations=[Operation(method="DELETE", path="/v1/networks")],
),
base.APIRule(
name="container:actions",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="List actions and show action details for a container",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/"}, {"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/{request_id}"}],
operations=[Operation(method="GET", path="/v1/containers/{container_ident}/container_actions/"), Operation(method="GET", path="/v1/containers/{container_ident}/container_actions/{request_id}")],
),
base.APIRule(
name="container:action:events",
check_str=("rule:context_is_admin"),
description="Add events details in action details for a container.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/{request_id}"}],
operations=[Operation(method="GET", path="/v1/containers/{container_ident}/container_actions/{request_id}")],
),
base.APIRule(
name="availability_zones:get_all",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="List availability zone",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/availability_zones"}],
operations=[Operation(method="GET", path="/v1/availability_zones")],
),
base.APIRule(
name="quota:update",
check_str=("rule:context_is_admin"),
description="Update quotas for a project",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/quotas/{project_id}"}],
operations=[Operation(method="PUT", path="/v1/quotas/{project_id}")],
),
base.APIRule(
name="quota:delete",
check_str=("rule:context_is_admin"),
description="Delete quotas for a project",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/quotas/{project_id}"}],
operations=[Operation(method="DELETE", path="/v1/quotas/{project_id}")],
),
base.APIRule(
name="quota:get",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Get quotas for a project",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas/{project_id}"}],
operations=[Operation(method="GET", path="/v1/quotas/{project_id}")],
),
base.APIRule(
name="quota:get_default",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Get default quotas for a project",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas/defaults"}],
operations=[Operation(method="GET", path="/v1/quotas/defaults")],
),
base.APIRule(
name="quota_class:update",
check_str=("rule:context_is_admin"),
description="Update quotas for specific quota class",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/quota_classes/{quota_class_name}"}],
operations=[Operation(method="PUT", path="/v1/quota_classes/{quota_class_name}")],
),
base.APIRule(
name="quota_class:get",
check_str=("rule:context_is_admin"),
description="List quotas for specific quota class",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quota_classes/{quota_class_name}"}],
operations=[Operation(method="GET", path="/v1/quota_classes/{quota_class_name}")],
),
base.APIRule(
name="registry:create",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Create a new registry.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/registries"}],
operations=[Operation(method="POST", path="/v1/registries")],
),
base.APIRule(
name="registry:delete",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Delete a registry.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/registries/{registry_ident}"}],
operations=[Operation(method="DELETE", path="/v1/registries/{registry_ident}")],
),
base.APIRule(
name="registry:get_one",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of a specific registry.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/registries/{registry_ident}"}],
operations=[Operation(method="GET", path="/v1/registries/{registry_ident}")],
),
base.APIRule(
name="registry:get_all",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of all registries.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/registries"}],
operations=[Operation(method="GET", path="/v1/registries")],
),
base.APIRule(
name="registry:get_all_all_projects",
check_str=("rule:context_is_admin"),
description="Retrieve the details of all registries across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/registries"}],
operations=[Operation(method="GET", path="/v1/registries")],
),
base.APIRule(
name="registry:update",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Update a registry.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/registries/{registry_ident}"}],
operations=[Operation(method="PATCH", path="/v1/registries/{registry_ident}")],
),
)


@@ -17,8 +17,7 @@ from __future__ import annotations
from enum import Enum
from typing import Any, Dict, List, Optional
from pydantic import BaseModel, Field
from pydantic.types import UUID4
from pydantic import UUID4, BaseModel, Field
SERVERS_LIST_DOCS_LINKS = "https://docs.openstack.org/api-ref/compute/?expanded=list-servers-detailed-detail#list-servers-detailed" # noqa
VOLUMES_LIST_DOCS_LINKS = "https://docs.openstack.org/api-ref/block-storage/v3/index.html?expanded=list-accessible-volumes-with-details-detail#list-accessible-volumes-with-details" # noqa
@@ -403,10 +402,12 @@ class VolumesResponse(BaseModel):
class VolumeSnapshotChildVolume(BaseModel):
volume_id: str = Field(
None, description="ID of volume", example="00000000-0000-0000-0000-000000000000"
volume_id: Optional[str] = Field(
None, description="ID of volume", examples=["00000000-0000-0000-0000-000000000000"]
)
volume_name: Optional[str] = Field(
None, description="Name of volume", examples=["child-volume-demo"]
)
volume_name: str = Field(None, description="Name of volume", example="child-volume-demo")
class VolumeSnapshotsResponseBase(BaseModel):
@@ -416,7 +417,9 @@ class VolumeSnapshotsResponseBase(BaseModel):
)
project_name: Optional[str] = Field(None, description="Project name")
host: Optional[str] = Field(None, description="Host name")
volume_name: Optional[str] = Field(None, description="Name of volume", example="volume-demo")
volume_name: Optional[str] = Field(
None, description="Name of volume", examples=["volume-demo"]
)
child_volumes: Optional[List[VolumeSnapshotChildVolume]] = Field(
None, description="Child volumes"
)


@@ -29,15 +29,18 @@ class Credential(BaseModel):
username: str = Field(..., description="Credential username")
password: str = Field(..., description="Credential password for user")
class Config:
schema_extra = {
"example": {
"region": "RegionOne",
"username": "admin",
"domain": "default",
"password": "admin",
},
model_config = {
"json_schema_extra": {
"examples": [
{
"region": "RegionOne",
"username": "admin",
"domain": "default",
"password": "admin",
},
]
}
}
class Domain(BaseModel):
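Review bot: `password` in `Credential` stays a plain `str` while the model moves to pydantic v2, whose `ValidationError` text embeds the offending `input_value`; for a missing-field error that value is the whole submitted object, so a login body that fails validation can carry the password into any log that records the exception. Adding `"hide_input_in_errors": True` to the new `model_config` keeps the input out of the error text. Typing the field as `SecretStr` would go further, but it changes how callers read the value, and those callers are outside this section. The `examples` entry also publishes the pair `admin`/`admin` in the generated schema; a placeholder such as `"password": "<password>"` avoids documenting a guessable credential.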


@@ -15,9 +15,9 @@
from __future__ import annotations
from enum import Enum
from typing import List, TypedDict
from typing import List
from pydantic import BaseModel, Field
from pydantic import BaseModel, Field, RootModel
class ScopeType(str, Enum):
@@ -26,8 +26,8 @@ class ScopeType(str, Enum):
project = "project"
class ScopeTypesSchema(BaseModel):
__root__: List[ScopeType] = Field(..., description="Scope types list")
class ScopeTypesSchema(RootModel[List[ScopeType]]):
pass
class Method(str, Enum):
@@ -39,7 +39,7 @@ class Method(str, Enum):
HEAD = "HEAD"
class Operation(TypedDict):
class Operation(BaseModel):
method: str
path: str
@@ -49,8 +49,8 @@ class OperationSchema(BaseModel):
path: str = Field(..., description="Operation path")
class OperationsSchema(BaseModel):
__root__: List[OperationSchema] = Field(..., description="Operations list")
class OperationsSchema(RootModel[List[OperationSchema]]):
pass
__all__ = ("ScopeTypesSchema", "Operation", "OperationsSchema")
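Review bot: The `RootModel` rewrites of `ScopeTypesSchema` and `OperationsSchema` end in `pass`, so the descriptions the old `__root__` fields carried ("Scope types list", "Operations list") no longer reach the generated schema. They can be kept by declaring the root explicitly: `root: List[ScopeType] = Field(..., description="Scope types list")` and `root: List[OperationSchema] = Field(..., description="Operations list")`. Separately, `Operation` is now a validated `BaseModel` but its `method` is still `str`. If the `Method` enum in this file is the intended set, `method: Method` would reject a mistyped verb in a policy rule at import time; confirm against `OperationSchema`, whose `method` field is outside the hunk.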


@@ -20,8 +20,8 @@ from typing import Any, Dict, List, Optional, Sequence, Tuple, Type
import pytest
from _pytest.fixtures import SubRequest
from pydantic import StrictBool, StrictFloat, StrictInt, StrictStr
from pydantic.error_wrappers import ValidationError
from pydantic import StrictBool, StrictFloat, StrictInt, StrictStr, ValidationError
from pydantic.errors import PydanticSchemaGenerationError
from skyline_apiserver.config.base import Configuration, Group, Opt
from skyline_apiserver.tests.fake import FAKER, FakeOptData
@@ -81,7 +81,7 @@ class TestOpt:
"description": FAKER.text.word(),
"schema": RuntimeError,
},
RuntimeError,
PydanticSchemaGenerationError,
),
),
],
