policy.json

配置策略。每次进行API调用时,会采取对应的检查,policy.json文件发生更新后会立即生效。

目前支持的策略有三种:rule、role或者generic。

其中rule后面会跟一个文件名,例如

  1. "get_floatingip": "rule:admin_or_owner",

其策略为rule:admin_or_owner,表明要从文件中读取具体策略内容。
role策略后面会跟一个role名称,表明只有指定role才可以执行。
generic策略则根据参数来进行比较。

  1. {
  2. "context_is_admin": "role:admin",
  3. "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
  4. "context_is_advsvc": "role:advsvc",
  5. "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
  6. "admin_only": "rule:context_is_admin",
  7. "regular_user": "",
  8. "shared": "field:networks:shared=True",
  9. "shared_firewalls": "field:firewalls:shared=True",
  10. "external": "field:networks:router:external=True",
  11. "default": "rule:admin_or_owner",
  12. "create_subnet": "rule:admin_or_network_owner",
  13. "get_subnet": "rule:admin_or_owner or rule:shared",
  14. "update_subnet": "rule:admin_or_network_owner",
  15. "delete_subnet": "rule:admin_or_network_owner",
  16. "create_network": "",
  17. "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
  18. "get_network:router:external": "rule:regular_user",
  19. "get_network:segments": "rule:admin_only",
  20. "get_network:provider:network_type": "rule:admin_only",
  21. "get_network:provider:physical_network": "rule:admin_only",
  22. "get_network:provider:segmentation_id": "rule:admin_only",
  23. "get_network:queue_id": "rule:admin_only",
  24. "create_network:shared": "rule:admin_only",
  25. "create_network:router:external": "rule:admin_only",
  26. "create_network:segments": "rule:admin_only",
  27. "create_network:provider:network_type": "rule:admin_only",
  28. "create_network:provider:physical_network": "rule:admin_only",
  29. "create_network:provider:segmentation_id": "rule:admin_only",
  30. "update_network": "rule:admin_or_owner",
  31. "update_network:segments": "rule:admin_only",
  32. "update_network:shared": "rule:admin_only",
  33. "update_network:provider:network_type": "rule:admin_only",
  34. "update_network:provider:physical_network": "rule:admin_only",
  35. "update_network:provider:segmentation_id": "rule:admin_only",
  36. "update_network:router:external": "rule:admin_only",
  37. "delete_network": "rule:admin_or_owner",
  38. "create_port": "",
  39. "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
  40. "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
  41. "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
  42. "create_port:binding:host_id": "rule:admin_only",
  43. "create_port:binding:profile": "rule:admin_only",
  44. "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
  45. "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
  46. "get_port:queue_id": "rule:admin_only",
  47. "get_port:binding:vif_type": "rule:admin_only",
  48. "get_port:binding:vif_details": "rule:admin_only",
  49. "get_port:binding:host_id": "rule:admin_only",
  50. "get_port:binding:profile": "rule:admin_only",
  51. "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
  52. "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
  53. "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
  54. "update_port:binding:host_id": "rule:admin_only",
  55. "update_port:binding:profile": "rule:admin_only",
  56. "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
  57. "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
  58. "get_router:ha": "rule:admin_only",
  59. "create_router": "rule:regular_user",
  60. "create_router:external_gateway_info:enable_snat": "rule:admin_only",
  61. "create_router:distributed": "rule:admin_only",
  62. "create_router:ha": "rule:admin_only",
  63. "get_router": "rule:admin_or_owner",
  64. "get_router:distributed": "rule:admin_only",
  65. "update_router:external_gateway_info:enable_snat": "rule:admin_only",
  66. "update_router:distributed": "rule:admin_only",
  67. "update_router:ha": "rule:admin_only",
  68. "delete_router": "rule:admin_or_owner",
  69. "add_router_interface": "rule:admin_or_owner",
  70. "remove_router_interface": "rule:admin_or_owner",
  71. "create_firewall": "",
  72. "get_firewall": "rule:admin_or_owner",
  73. "create_firewall:shared": "rule:admin_only",
  74. "get_firewall:shared": "rule:admin_only",
  75. "update_firewall": "rule:admin_or_owner",
  76. "update_firewall:shared": "rule:admin_only",
  77. "delete_firewall": "rule:admin_or_owner",
  78. "create_firewall_policy": "",
  79. "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
  80. "create_firewall_policy:shared": "rule:admin_or_owner",
  81. "update_firewall_policy": "rule:admin_or_owner",
  82. "delete_firewall_policy": "rule:admin_or_owner",
  83. "create_firewall_rule": "",
  84. "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
  85. "update_firewall_rule": "rule:admin_or_owner",
  86. "delete_firewall_rule": "rule:admin_or_owner",
  87. "create_qos_queue": "rule:admin_only",
  88. "get_qos_queue": "rule:admin_only",
  89. "update_agent": "rule:admin_only",
  90. "delete_agent": "rule:admin_only",
  91. "get_agent": "rule:admin_only",
  92. "create_dhcp-network": "rule:admin_only",
  93. "delete_dhcp-network": "rule:admin_only",
  94. "get_dhcp-networks": "rule:admin_only",
  95. "create_l3-router": "rule:admin_only",
  96. "delete_l3-router": "rule:admin_only",
  97. "get_l3-routers": "rule:admin_only",
  98. "get_dhcp-agents": "rule:admin_only",
  99. "get_l3-agents": "rule:admin_only",
  100. "get_loadbalancer-agent": "rule:admin_only",
  101. "get_loadbalancer-pools": "rule:admin_only",
  102. "create_floatingip": "rule:regular_user",
  103. "update_floatingip": "rule:admin_or_owner",
  104. "delete_floatingip": "rule:admin_or_owner",
  105. "get_floatingip": "rule:admin_or_owner",
  106. "create_network_profile": "rule:admin_only",
  107. "update_network_profile": "rule:admin_only",
  108. "delete_network_profile": "rule:admin_only",
  109. "get_network_profiles": "",
  110. "get_network_profile": "",
  111. "update_policy_profiles": "rule:admin_only",
  112. "get_policy_profiles": "",
  113. "get_policy_profile": "",
  114. "create_metering_label": "rule:admin_only",
  115. "delete_metering_label": "rule:admin_only",
  116. "get_metering_label": "rule:admin_only",
  117. "create_metering_label_rule": "rule:admin_only",
  118. "delete_metering_label_rule": "rule:admin_only",
  119. "get_metering_label_rule": "rule:admin_only",
  120. "get_service_provider": "rule:regular_user",
  121. "get_lsn": "rule:admin_only",
  122. "create_lsn": "rule:admin_only"
  123. }