Difference between revisions of "Cyborg/Policy"

Revisions by Yumeng bao (talk | contribs).
Latest revision as of 10:22, 21 September 2020
The reader/member/admin columns are grouped into Project-scope (new policy) and System-scope (new policy); an x marks the role that may call the route under the new policy.

| Route | Method | Project-scope reader | Project-scope member | Project-scope admin | System-scope reader | System-scope member | System-scope admin | no auth | legacy policy | RBAC Name | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|
| / | GET | | | | | | | x | N/A | N/A | No restrictions on this route |
| /v2 | GET | | | | | | | x | N/A | N/A | No restrictions on this route |
| /v2/device_profiles | GET | x(system_admin_or_project_reader) | | | x | | | | admin_or_owner | cyborg:device_profile:get_all | |
| | POST | | | | | | x | | admin | cyborg:device_profile:create | |
| /v2/device_profiles/{device_profiles_uuid} | GET | x(system_admin_or_project_reader) | | | x | | | | admin_or_owner | cyborg:device_profile:get_one | |
| | DELETE | | | | | | x | | admin_or_owner | cyborg:device_profile:delete | |
| /v2/device_profiles?value={device_profile_name1},{device_profile_name2} | DELETE | | | | | | x | | admin_or_owner | cyborg:device_profile:delete | |
| /v2/accelerator_requests | GET | x(system_or_project_reader) | | | x | | | | admin_or_owner | cyborg:arq:get_all | |
| | POST | | x(system_admin_or_project_owner) | | | | x | | any_user | cyborg:arq:create | Current rule: any role is allowed to do the POST action. This is too permissive; instead it should be at least "role:member" with scope_type ["project"]. |
| /v2/accelerator_requests/{arq_uuid} | GET | x(system_or_project_reader) | | | x | | | | admin_or_owner | cyborg:arq:get_one | |
| | PATCH | | x(system_admin_or_project_owner) | | | | x | | admin_or_owner | cyborg:arq:update | |
| /v2/accelerator_requests?arqs={arq_uuid} | DELETE | | x(system_admin_or_project_owner) | | | | x | | admin_or_owner | cyborg:arq:delete | |
| /v2/accelerator_requests?instance={instance_uuid} | DELETE | | x(system_admin_or_project_owner) | | | | x | | admin_or_owner | cyborg:arq:delete | |
| /v2/devices | GET | | | | x | | | | any_user | cyborg:device:get_all | |
| | GET | | | | x | | | | any_user | cyborg:device:get_one | |
| | PATCH | | | | | | x | | N/A | cyborg:device:update | Disable or enable the specified device |
| /v2/deployables/{uuid} | PATCH | | | x | | | | | N/A | cyborg:deployable:update | Update the shell image/FPGA bitstream to custom user logic for the specified deployable. |
Reference:
- When considering which role is appropriate for each API operation, follow the migration strategy recommended and agreed on by the Keystone team: https://etherpad.openstack.org/p/policy-migration-steps
Questions (tied to RBAC Name):
- cyborg:arq:create
  - (Yumeng) Current rule: any role is allowed to do the POST action. This is too permissive; instead, it should be at least "role:member" with scope_type ["project"].
- cyborg:device:get_all
- cyborg:device:update
  - (Yumeng) Is it necessary to allow a system-scope user to read and update one device? For example, when one device is shared by different projects, we should allow a role at the system-scope level to access this device, right?
  - (Yumeng) Yes, we agreed at the weekly meeting that a device is a system-level resource, so sys_admin is required for device:update.
- cyborg:deployable:update
  - (Yumeng) Ditto for deployable update.
  - (Yumeng) We agreed that deployable:update requires project_admin.
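To make the matrix concrete, here is an added example (not Cyborg's code and not oslo.policy, which Cyborg actually uses for enforcement) that encodes a few rows as scope-aware rules and checks caller tokens against them. It assumes Keystone's default implied roles (admin implies member implies reader), takes the device and deployable rules from the agreements recorded in the questions above, and models the legacy any_user rule as "any role, any scope, no ownership check" so the two behaviours can be compared.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: Keystone's default implied roles, admin -> member -> reader.
ROLE_RANK = {"reader": 0, "member": 1, "admin": 2}


@dataclass(frozen=True)
class Context:
    roles: frozenset                  # roles carried by the caller's token
    scope: str                        # "project" or "system"
    project_id: Optional[str] = None  # set only for project-scoped tokens


def highest_rank(roles) -> int:
    return max((ROLE_RANK[r] for r in roles if r in ROLE_RANK), default=-1)


# Each rule is a list of alternatives (token scope, minimum role). A
# project-scope alternative also requires the caller to own the target
# resource when one is named (the "owner" half of admin_or_owner).
# Rows taken from the matrix above; device_profile rows are left out.
POLICY: Dict[str, List[Tuple[str, str]]] = {
    "cyborg:arq:get_all":       [("system", "reader"), ("project", "reader")],
    "cyborg:arq:create":        [("system", "admin"), ("project", "member")],
    "cyborg:arq:delete":        [("system", "admin"), ("project", "member")],
    "cyborg:device:get_all":    [("system", "reader")],
    "cyborg:device:update":     [("system", "admin")],
    "cyborg:deployable:update": [("project", "admin")],
    # Legacy any_user rule kept only for comparison: any role, any scope.
    "legacy:any_user":          [("any", "reader")],
}


def enforce(rule: str, ctx: Context, target_project: Optional[str] = None) -> bool:
    """Return True if the caller satisfies any alternative of `rule`."""
    for scope, min_role in POLICY[rule]:
        if highest_rank(ctx.roles) < ROLE_RANK[min_role]:
            continue
        if scope == "any":  # legacy rule: no scope or ownership check at all
            return True
        if ctx.scope != scope:
            continue
        if scope == "project" and target_project not in (None, ctx.project_id):
            continue  # project-scoped callers may only touch their own resources
        return True
    return False


if __name__ == "__main__":
    reader = Context(frozenset({"reader"}), "project", "proj-a")  # constructed token
    print("legacy any_user lets a project reader create an ARQ:", enforce("legacy:any_user", reader))
    print("new cyborg:arq:create lets the same reader create one:", enforce("cyborg:arq:create", reader))
```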