Watcher’s public API calls may be restricted to certain sets of users using a policy configuration file. This document explains exactly how policies are configured and what they apply to.
A policy is composed of a set of rules that are used in determining if a particular action may be performed by the authorized tenant.
A policy configuration file is a simply JSON object that contain sets of rules. Each top-level key is the name of a rule. Each rule is a string that describes an action that may be performed in the Watcher API.
The actions that may have a rule enforced on them are:
strategy:get_all
, strategy:detail
- List available strategiesGET /v1/strategies
GET /v1/strategies/detail
strategy:get
- Retrieve a specific strategy entityGET /v1/strategies/<STRATEGY_UUID>
GET /v1/strategies/<STRATEGY_NAME>
goal:get_all
, goal:detail
- List available goalsGET /v1/goals
GET /v1/goals/detail
goal:get
- Retrieve a specific goal entityGET /v1/goals/<GOAL_UUID>
GET /v1/goals/<GOAL_NAME>
audit_template:get_all
, audit_template:detail
- List available
audit_templatesGET /v1/audit_templates
GET /v1/audit_templates/detail
audit_template:get
- Retrieve a specific audit template entityGET /v1/audit_templates/<AUDIT_TEMPLATE_UUID>
GET /v1/audit_templates/<AUDIT_TEMPLATE_NAME>
audit_template:create
- Create an audit template entityPOST /v1/audit_templates
audit_template:delete
- Delete an audit template entityDELETE /v1/audit_templates/<AUDIT_TEMPLATE_UUID>
DELETE /v1/audit_templates/<AUDIT_TEMPLATE_NAME>
audit_template:update
- Update an audit template entityPATCH /v1/audit_templates/<AUDIT_TEMPLATE_UUID>
PATCH /v1/audit_templates/<AUDIT_TEMPLATE_NAME>
audit:get_all
, audit:detail
- List available auditsGET /v1/audits
GET /v1/audits/detail
audit:get
- Retrieve a specific audit entityGET /v1/audits/<AUDIT_UUID>
audit:create
- Create an audit entityPOST /v1/audits
audit:delete
- Delete an audit entityDELETE /v1/audits/<AUDIT_UUID>
audit:update
- Update an audit entityPATCH /v1/audits/<AUDIT_UUID>
action_plan:get_all
, action_plan:detail
- List available action plansGET /v1/action_plans
GET /v1/action_plans/detail
action_plan:get
- Retrieve a specific action plan entityGET /v1/action_plans/<ACTION_PLAN_UUID>
action_plan:delete
- Delete an action plan entityDELETE /v1/action_plans/<ACTION_PLAN_UUID>
action_plan:update
- Update an action plan entityPATCH /v1/audits/<ACTION_PLAN_UUID>
action:get_all
, action:detail
- List available actionGET /v1/actions
GET /v1/actions/detail
action:get
- Retrieve a specific action plan entityGET /v1/actions/<ACTION_UUID>
service:get_all
, service:detail
- List available Watcher servicesGET /v1/services
GET /v1/services/detail
service:get
- Retrieve a specific Watcher service entityGET /v1/services/<SERVICE_ID>
To limit an action to a particular role or roles, you list the roles like so
{
"audit:create": ["role:admin", "role:superuser"]
}
The above would add a rule that only allowed users that had roles of either “admin” or “superuser” to launch an audit.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.