Cyborg Sample Policy
Warning
The JSON formatted policy file is deprecated since Cyborg 5.0.0 (Victoria). Use a YAML formatted file instead. Use the oslopolicy-convert-json-to-yaml tool to convert an existing JSON policy file to a YAML formatted policy file in a backward-compatible way.
The following is a sample cyborg policy file that has been auto-generated from the default policy values in code. If you are using the default policies, then maintaining this file is not necessary, and it should not be copied into a deployment: doing so will result in duplicate policy definitions. It is here to help explain which policy operations protect specific cyborg APIs; it is not suggested to copy and paste it into a deployment unless you plan to provide a different, non-default policy for an operation.
If you wish to build a policy file yourself, you can also use tox -e genpolicy to generate it.
The sample policy file can also be downloaded in file form.
# Legacy rule for cloud admin access
#"admin_api": "role:admin or role:administrator"
# Default rule for Project level admin APIs.
#"project_admin_api": "role:admin and project_id:%(project_id)s"
# Default rule for Project level non admin APIs.
#"project_member_api": "role:member and project_id:%(project_id)s"
# Default rule for Project level read only APIs.
#"project_reader_api": "role:reader and project_id:%(project_id)s"
# Default rule for Project Member or admin APIs.
#"project_member_or_admin": "rule:project_member_api or rule:admin_api"
# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since W in favor of
# "project_member_or_admin":"rule:project_member_api or
# rule:admin_api".
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_member_or_admin"
# Default rule for Project reader or admin APIs.
#"project_reader_or_admin": "rule:project_reader_api or rule:admin_api"
# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since W in favor of
# "project_reader_or_admin":"rule:project_reader_api or
# rule:admin_api".
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_reader_or_admin"
# DEPRECATED
# "public_api" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# legacy rule of Internal flag for public API routes
#"public_api": "is_public_api:True"
# DEPRECATED
# "allow" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# legacy rule: every request is allowed (no restriction is applied)
#"allow": "@"
# DEPRECATED
# "deny" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# legacy rule: all access will be forbidden
#"deny": "!"
# DEPRECATED
# "default" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# Legacy rule for default rule
#"default": "rule:admin_or_owner"
# DEPRECATED
# "is_admin" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# Full read/write API access
#"is_admin": "rule:admin_api"
# DEPRECATED
# "admin_or_owner" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# Admin or owner API access
#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
# DEPRECATED
# "admin_or_user" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# Admin or user API access
#"admin_or_user": "is_admin:True or user_id:%(user_id)s"
# Retrieve all device_profiles
# GET /v2/device_profiles
# Intended scope(s): project
#"cyborg:device_profile:get_all": "rule:project_reader_or_admin"
# DEPRECATED
# "cyborg:device_profile:get_all":"rule:admin_or_owner" has been
# deprecated since W in favor of
# "cyborg:device_profile:get_all":"rule:project_reader_or_admin".
# request admin_or_owner rule is too strict for listing device_profile
# Retrieve a specific device_profile
# GET /v2/device_profiles/{device_profiles_uuid}
# Intended scope(s): project
#"cyborg:device_profile:get_one": "rule:project_reader_or_admin"
# DEPRECATED
# "cyborg:device_profile:get_one":"rule:admin_or_owner" has been
# deprecated since W in favor of
# "cyborg:device_profile:get_one":"rule:project_reader_or_admin".
# request admin_or_owner rule is too strict for retrieving a
# device_profile
# Create a device_profile
# POST /v2/device_profiles
# Intended scope(s): project
#"cyborg:device_profile:create": "rule:admin_api"
# DEPRECATED
# "cyborg:device_profile:create":"rule:is_admin" has been deprecated
# since W in favor of "cyborg:device_profile:create":"rule:admin_api".
# project_admin_or_owner is too permissive, introduce admin for
# creation
# Delete device_profile(s)
# DELETE /v2/device_profiles/{device_profiles_uuid}
# DELETE /v2/device_profiles?value={device_profile_name1}
# Intended scope(s): project
#"cyborg:device_profile:delete": "rule:admin_api"
# DEPRECATED
# "cyborg:device_profile:delete":"rule:admin_or_owner" has been
# deprecated since W in favor of
# "cyborg:device_profile:delete":"rule:admin_api".
# project_admin_or_owner is too permissive, introduce admin for
# deletion
# Show device detail
#"cyborg:device:get_one": "rule:allow"
# Retrieve all device records
#"cyborg:device:get_all": "rule:allow"
# Disable a device
#"cyborg:device:disable": "rule:admin_api"
# Enable a device
#"cyborg:device:enable": "rule:admin_api"
# Show deployable detail
#"cyborg:deployable:get_one": "rule:allow"
# Retrieve all deployable records
#"cyborg:deployable:get_all": "rule:allow"
# FPGA programming.
#"cyborg:deployable:program": "rule:allow"
# Show attribute detail
#"cyborg:attribute:get_one": "rule:allow"
# Retrieve all attribute records
#"cyborg:attribute:get_all": "rule:allow"
# Create an attribute record
#"cyborg:attribute:create": "rule:allow"
# Delete attribute records.
#"cyborg:attribute:delete": "rule:allow"
# Retrieve accelerator request records.
#"cyborg:arq:get_all": "rule:default"
# Get an accelerator request record.
#"cyborg:arq:get_one": "rule:default"
# Create accelerator request records.
#"cyborg:arq:create": "rule:allow"
# Delete accelerator request records.
#"cyborg:arq:delete": "rule:default"
# Update accelerator request records.
#"cyborg:arq:update": "rule:default"
# Show fpga detail
#"cyborg:fpga:get_one": "rule:allow"
# Retrieve all fpga records
#"cyborg:fpga:get_all": "rule:allow"
# Update fpga records
#"cyborg:fpga:update": "rule:allow"