policy.yaml
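Use the policy.yaml
file to define additional access controls that apply to
the Rating service. The listing below shows the built-in default
rules, each commented out; uncomment and edit a line to override
that rule. A rule whose value is the empty string (for example
"info:get_config" or "rating:quote") is not restricted to any role
or project, and a bare "role:admin" check looks only at the role
carried by the token, not at the project it was granted on, so
review these defaults against your deployment's tenancy model: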
#"context_is_admin": "role:admin"
# DEPRECATED
# "admin_or_owner" has been deprecated since 22.0.0.
# CloudKitty API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
#"default": ""
# Default rule for Project level non admin APIs.
#"project_member_api": "role:member and project_id:%(project_id)s"
# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or (role:admin and
# is_admin_project:True) or project_id:%(project_id)s" has been
# deprecated since 22.0.0 in favor of
# "project_member_api":"role:member and project_id:%(project_id)s".
# CloudKitty API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_member_api"
# Default rule for Project level read only APIs.
#"project_reader_api": "role:reader and project_id:%(project_id)s"
# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or (role:admin and
# is_admin_project:True) or project_id:%(project_id)s" has been
# deprecated since 22.0.0 in favor of
# "project_reader_api":"role:reader and project_id:%(project_id)s".
# CloudKitty API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_reader_api"
# Default rule for Project Member or admin APIs.
#"project_member_or_admin": "rule:project_member_api or rule:context_is_admin"
# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or (role:admin and
# is_admin_project:True) or project_id:%(project_id)s" has been
# deprecated since 22.0.0 in favor of
# "project_member_or_admin":"rule:project_member_api or
# rule:context_is_admin".
# CloudKitty API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_member_or_admin"
# Default rule for Project reader or admin APIs.
#"project_reader_or_admin": "rule:project_reader_api or rule:context_is_admin"
# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or (role:admin and
# is_admin_project:True) or project_id:%(project_id)s" has been
# deprecated since 22.0.0 in favor of
# "project_reader_or_admin":"rule:project_reader_api or
# rule:context_is_admin".
# CloudKitty API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_reader_or_admin"
# Return the list of every service mapped to a collector.
# LIST /v1/collector/mappings
# Intended scope(s): project
#"collector:list_mappings": "role:admin"
# Return a service to collector mapping.
# GET /v1/collector/mappings/{service_id}
# Intended scope(s): project
#"collector:get_mapping": "role:admin"
# Manage a service to collector mapping.
# POST /v1/collector/mappings
# DELETE /v1/collector/mappings/{service_id}
# Intended scope(s): project
#"collector:manage_mapping": "role:admin"
# Query the enable state of a collector.
# GET /v1/collector/states/{collector_id}
# Intended scope(s): project
#"collector:get_state": "role:admin"
# Set the enable state of a collector.
# PUT /v1/collector/states/{collector_id}
# Intended scope(s): project
#"collector:update_state": "role:admin"
# List available services information in Cloudkitty.
# LIST /v1/info/services
# Intended scope(s): project
#"info:list_services_info": ""
# Get specified service information.
# GET /v1/info/services/{metric_id}
# Intended scope(s): project
#"info:get_service_info": ""
# List available metrics information in Cloudkitty.
# LIST /v1/info/metrics
# Intended scope(s): project
#"info:list_metrics_info": ""
# Get specified metric information.
# GET /v1/info/metrics/{metric_id}
# Intended scope(s): project
#"info:get_metric_info": ""
# Get current configuration in Cloudkitty.
# GET /v1/info/config
# Intended scope(s): project
#"info:get_config": ""
# Return the list of loaded modules in Cloudkitty.
# LIST /v1/rating/modules
# Intended scope(s): project
#"rating:list_modules": "role:admin"
# Get specified module.
# GET /v1/rating/modules/{module_id}
# Intended scope(s): project
#"rating:get_module": "role:admin"
# Change the state and priority of a module.
# PUT /v1/rating/modules/{module_id}
# Intended scope(s): project
#"rating:update_module": "role:admin"
# Get an instant quote based on multiple resource descriptions.
# POST /v1/rating/quote
# Intended scope(s): project
#"rating:quote": ""
# Trigger a rating module list reload.
# GET /v1/rating/reload_modules
# Intended scope(s): project
#"rating:module_config": "role:admin"
# Return the list of rated tenants.
# GET /v1/report/tenants
# Intended scope(s): project
#"report:list_tenants": "role:admin"
# Return the summary to pay for a given period.
# GET /v1/report/summary
# Intended scope(s): project
#"report:get_summary": "rule:project_reader_or_admin"
# Return the amount to pay for a given period.
# GET /v1/report/total
# Intended scope(s): project
#"report:get_total": "rule:project_reader_or_admin"
# Return a list of rated resources for a time period and a tenant.
# GET /v1/storage/dataframes
# Intended scope(s): project
#"storage:list_data_frames": "rule:project_reader_or_admin"
# Add one or several DataFrames
# POST /v2/dataframes
# Intended scope(s): project
#"dataframes:add": "role:admin"
# Get DataFrames
# GET /v2/dataframes
# Intended scope(s): project
#"dataframes:get": "rule:project_reader_or_admin"
# Returns the list of loaded modules in Cloudkitty.
# GET /v2/rating/modules
# Intended scope(s): project
#"v2_rating:list_modules": "role:admin"
# Get specified module.
# GET /v2/rating/modules/{module_id}
# Intended scope(s): project
#"v2_rating:get_module": "role:admin"
# Change the state and priority of a module.
# PUT /v2/rating/modules/{module_id}
# Intended scope(s): project
#"v2_rating:update_module": "role:admin"
# Get the state of one or several scopes
# GET /v2/scope
# Intended scope(s): project
#"scope:get_state": "role:admin"
# Reset the state of one or several scopes
# PUT /v2/scope
# Intended scope(s): project
#"scope:reset_state": "role:admin"
# Enables operators to patch a storage scope
# PATCH /v2/scope
# Intended scope(s): project
#"scope:patch_state": "role:admin"
# Enables operators to create a storage scope
# POST /v2/scope
# Intended scope(s): project
#"scope:post_state": "role:admin"
# Get a rating summary
# GET /v2/summary
# Intended scope(s): project
#"summary:get_summary": "rule:project_reader_or_admin"
# Schedule a scope for reprocessing
# POST /v2/task/reprocesses
# Intended scope(s): project
#"schedule:task_reprocesses": "role:admin"
# Get reprocessing schedule tasks for scopes.
# GET /v2/task/reprocesses
# Intended scope(s): project
#"schedule:get_task_reprocesses": "role:admin"