Cyborg Sample Policy¶
Warning
JSON formatted policy file is deprecated since Cyborg 5.0.0(Victoria). Use YAML formatted file. Use oslopolicy-convert-json-to-yaml tool to convert the existing JSON to YAML formatted policy file in backward compatible way.
The following is a sample cyborg policy file that has been auto-generated from default policy values in code. If you’re using the default policies, then the maintenance of this file is not necessary, and it should not be copied into a deployment. Doing so will result in duplicate policy definitions. It is here to help explain which policy operations protect specific cyborg APIs, but it is not suggested to copy and paste into a deployment unless you’re planning on providing a different policy for an operation that is not the default.
If you wish build a policy file, you can also use tox -e genpolicy
to
generate it.
The sample policy file can also be downloaded in file form.
# Default rule for System Admin APIs.
#"system_admin_api": "role:admin and system_scope:all"
# Default rule for System level read only APIs.
#"system_reader_api": "role:reader and system_scope:all"
# Default rule for Project level admin APIs.
#"project_admin_api": "role:admin and project_id:%(project_id)s"
# Default rule for Project level non admin APIs.
#"project_member_api": "role:member and project_id:%(project_id)s"
# Default rule for Project level read only APIs.
#"project_reader_api": "role:reader and project_id:%(project_id)s"
# Default rule for system_admin+owner APIs.
#"system_admin_or_owner": "rule:system_admin_api or rule:project_member_api"
# Default rule for System+Project read only APIs.
#"system_or_project_reader": "rule:system_reader_api or rule:project_reader_api"
# DEPRECATED
# "public_api" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# legacy rule of Internal flag for public API routes
#"public_api": "is_public_api:True"
# DEPRECATED
# "allow" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# legacy rule: any access will be passed
#"allow": "@"
# DEPRECATED
# "deny" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# legacy rule: all access will be forbidden
#"deny": "!"
# DEPRECATED
# "default" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# Legacy rule for default rule
#"default": "rule:admin_or_owner"
# DEPRECATED
# "admin_api" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# Legacy rule for cloud admin access
#"admin_api": "role:admin or role:administrator"
# DEPRECATED
# "is_admin" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# Full read/write API access
#"is_admin": "rule:admin_api"
# DEPRECATED
# "admin_or_owner" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# Admin or owner API access
#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
# DEPRECATED
# "admin_or_user" has been deprecated since W.
# Cyborg API policies are introducing new default roles with
# scope_type capabilities. We will start to deprecate old policies
# from WALLABY release, and are going to ignore all the old policies
# silently from X release. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the policy API.
# Admin or user API access
#"admin_or_user": "is_admin:True or user_id:%(user_id)s"
# Retrieve all device_profiles
# GET /v2/device_profiles
# Intended scope(s): system, project
#"cyborg:device_profile:get_all": "rule:system_or_project_reader"
# DEPRECATED
# "cyborg:device_profile:get_all":"rule:admin_or_owner" has been
# deprecated since W in favor of
# "cyborg:device_profile:get_all":"rule:system_or_project_reader".
# request admin_or_owmer rule is too strict for listing device_profile
# Retrieve a specific device_profile
# GET /v2/device_profiles/{device_profiles_uuid}
# Intended scope(s): system, project
#"cyborg:device_profile:get_one": "rule:system_or_project_reader"
# DEPRECATED
# "cyborg:device_profile:get_one":"rule:admin_or_owner" has been
# deprecated since W in favor of
# "cyborg:device_profile:get_one":"rule:system_or_project_reader".
# request admin_or_owmer rule is too strict for retrieving a
# device_profile
# Create a device_profile
# POST /v2/device_profiles
# Intended scope(s): system
#"cyborg:device_profile:create": "rule:system_admin_api"
# DEPRECATED
# "cyborg:device_profile:create":"rule:is_admin" has been deprecated
# since W in favor of
# "cyborg:device_profile:create":"rule:system_admin_api".
# project_admin_or_owner is too permissive, introduce system_scoped
# admin for creation
# Delete device_profile(s)
# DELETE /v2/device_profiles/{device_profiles_uuid}
# DELETE /v2/device_profiles?value={device_profile_name1}
# Intended scope(s): system
#"cyborg:device_profile:delete": "rule:system_admin_api"
# DEPRECATED
# "cyborg:device_profile:delete":"rule:admin_or_owner" has been
# deprecated since W in favor of
# "cyborg:device_profile:delete":"rule:system_admin_api".
# project_admin_or_owner is too permissive, introduce system_scoped
# admin for deletion
# Show device detail
#"cyborg:device:get_one": "rule:allow"
# Retrieve all device records
#"cyborg:device:get_all": "rule:allow"
# Show deployable detail
#"cyborg:deployable:get_one": "rule:allow"
# Retrieve all deployable records
#"cyborg:deployable:get_all": "rule:allow"
# FPGA programming.
#"cyborg:deployable:program": "rule:allow"
# Retrieve accelerator request records.
#"cyborg:arq:get_all": "rule:default"
# Get an accelerator request record.
#"cyborg:arq:get_one": "rule:default"
# Create accelerator request records.
#"cyborg:arq:create": "rule:allow"
# Delete accelerator request records.
#"cyborg:arq:delete": "rule:default"
# Update accelerator request records.
#"cyborg:arq:update": "rule:default"
# Show fpga detail
#"cyborg:fpga:get_one": "rule:allow"
# Retrieve all fpga records
#"cyborg:fpga:get_all": "rule:allow"
# Update fpga records
#"cyborg:fpga:update": "rule:allow"