From b72f3d0f3c6278521b70bbaaefb9fe81063619a2 Mon Sep 17 00:00:00 2001
From: ricolin <rlin@vexxhost.com>
Date: Wed, 23 Nov 2022 22:43:10 +0800
Subject: [PATCH] Avoid unrequired policy setup

OpenStack services have already moved to policy in code.
There is no need for a policy file at this point, or at least no need to
put default policy rules in the policy.yaml file anymore.
Putting in duplicate rules causes unnecessary logs and processing.
It is also unhealthy for maintaining policy in code, as the `default` rules
in openstack-helm might override the actual default rules in code, which we
might not mean to change at all.

Change-Id: I29ea57aa80444ed64673818e597c9ca346ba7b2f
---
 aodh/Chart.yaml                    |   2 +-
 aodh/values.yaml                   |  16 +--
 ceilometer/Chart.yaml              |   2 +-
 ceilometer/values.yaml             |  14 +--
 cinder/Chart.yaml                  |   2 +-
 cinder/values.yaml                 | 117 +-----------------
 designate/Chart.yaml               |   2 +-
 designate/values.yaml              | 107 +---------------
 glance/Chart.yaml                  |   2 +-
 glance/values.yaml                 |  56 +--------
 heat/Chart.yaml                    |   2 +-
 heat/values.yaml                   |  90 +-------------
 magnum/Chart.yaml                  |   2 +-
 magnum/values.yaml                 |  44 +------
 mistral/Chart.yaml                 |   2 +-
 mistral/values.yaml                |  53 +-------
 neutron/Chart.yaml                 |   2 +-
 neutron/values.yaml                | 191 +----------------------------
 placement/Chart.yaml               |   2 +-
 placement/values.yaml              |  39 +-----
 releasenotes/notes/aodh.yaml       |   1 +
 releasenotes/notes/ceilometer.yaml |   1 +
 releasenotes/notes/cinder.yaml     |   1 +
 releasenotes/notes/designate.yaml  |   1 +
 releasenotes/notes/glance.yaml     |   1 +
 releasenotes/notes/heat.yaml       |   1 +
 releasenotes/notes/magnum.yaml     |   1 +
 releasenotes/notes/mistral.yaml    |   1 +
 releasenotes/notes/neutron.yaml    |   1 +
 releasenotes/notes/placement.yaml  |   1 +
 releasenotes/notes/senlin.yaml     |   1 +
 senlin/Chart.yaml                  |   2 +-
 senlin/values.yaml                 |  48 +-------
 33 files changed, 33 insertions(+), 775 deletions(-)

diff --git a/aodh/Chart.yaml b/aodh/Chart.yaml
index 421ecc5395..2d7d5f8525 100644
--- a/aodh/Chart.yaml
+++ b/aodh/Chart.yaml
@@ -16,7 +16,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: Openstack-Helm Aodh
 name: aodh
-version: 0.2.5
+version: 0.2.6
 home: https://docs.openstack.org/aodh/latest/
 sources:
   - https://opendev.org/openstack/aodh
diff --git a/aodh/values.yaml b/aodh/values.yaml
index 9d2fe68ec0..f8d5eabaed 100644
--- a/aodh/values.yaml
+++ b/aodh/values.yaml
@@ -449,21 +449,7 @@ conf:
     filter:http_proxy_to_wsgi:
       paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
       oslo_config_project: aodh
-  policy:
-    context_is_admin: 'role:admin'
-    segregation: 'rule:context_is_admin'
-    admin_or_owner: 'rule:context_is_admin or project_id:%(project_id)s'
-    default: 'rule:admin_or_owner'
-    telemetry:get_alarm: 'rule:admin_or_owner'
-    telemetry:get_alarms: 'rule:admin_or_owner'
-    telemetry:query_alarm: 'rule:admin_or_owner'
-    telemetry:create_alarm: ''
-    telemetry:change_alarm: 'rule:admin_or_owner'
-    telemetry:delete_alarm: 'rule:admin_or_owner'
-    telemetry:get_alarm_state: 'rule:admin_or_owner'
-    telemetry:change_alarm_state: 'rule:admin_or_owner'
-    telemetry:alarm_history: 'rule:admin_or_owner'
-    telemetry:query_alarm_history: 'rule:admin_or_owner'
+  policy: {}
   aodh:
     DEFAULT:
       debug: false
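Review bot: Nothing in this hunk or the commit message shows that the removed rules were compared with the in-code defaults of the Aodh release the chart deploys, so `policy: {}` may change effective authorization on upgrade rather than only drop duplicates; for instance `telemetry:create_alarm: ''` was an always-allow rule and the in-code default may be stricter or looser. Running `oslopolicy-list-redundant` against the previously rendered policy file would show which rules were real overrides, and those should either stay in `conf.policy` or be called out in the release note as a behavior change. The same applies to the `policy: {}` hunks in the ceilometer, cinder, designate, glance, heat, magnum, mistral and neutron values.yaml files. I would also add a comment above the new line, `# Overrides only: defaults come from policy-in-code; add a rule here only to change it.`, so operators do not repopulate the map with copies of defaults.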
diff --git a/ceilometer/Chart.yaml b/ceilometer/Chart.yaml
index ea302c0085..845dad68f7 100644
--- a/ceilometer/Chart.yaml
+++ b/ceilometer/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceilometer
 name: ceilometer
-version: 0.2.6
+version: 0.2.7
 home: https://docs.openstack.org/ceilometer/latest/
 sources:
   - https://opendev.org/openstack/ceilometer
diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml
index 0e146346fd..1106192477 100644
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@@ -1450,19 +1450,7 @@ conf:
                 type: "gauge"
         publishers:
           - notifier://
-  policy:
-    'context_is_admin': 'role:admin'
-    'segregation': 'rule:context_is_admin'
-    'telemetry:compute_statistics': ''
-    'telemetry:create_samples': ''
-    'telemetry:events:index': ''
-    'telemetry:events:show': ''
-    'telemetry:get_meters': ''
-    'telemetry:get_resource': ''
-    'telemetry:get_resources': ''
-    'telemetry:get_sample': ''
-    'telemetry:get_samples': ''
-    'telemetry:query_sample': ''
+  policy: {}
   audit_api_map:
     DEFAULT:
       target_endpoint_type: None
diff --git a/cinder/Chart.yaml b/cinder/Chart.yaml
index 435b975c9a..e20765961a 100644
--- a/cinder/Chart.yaml
+++ b/cinder/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Cinder
 name: cinder
-version: 0.3.1
+version: 0.3.2
 home: https://docs.openstack.org/cinder/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png
 sources:
diff --git a/cinder/values.yaml b/cinder/values.yaml
index 1036f4d22a..7633d97739 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@@ -468,122 +468,7 @@ conf:
     filter:audit:
       paste.filter_factory: keystonemiddleware.audit:filter_factory
       audit_map_file: /etc/cinder/api_audit_map.conf
-  policy:
-    context_is_admin: role:admin
-    admin_or_owner: is_admin:True or project_id:%(project_id)s
-    default: rule:admin_or_owner
-    admin_api: is_admin:True
-    volume:create: ''
-    volume:delete: rule:admin_or_owner
-    volume:get: rule:admin_or_owner
-    volume:get_all: rule:admin_or_owner
-    volume:get_volume_metadata: rule:admin_or_owner
-    volume:create_volume_metadata: rule:admin_or_owner
-    volume:delete_volume_metadata: rule:admin_or_owner
-    volume:update_volume_metadata: rule:admin_or_owner
-    volume:get_volume_admin_metadata: rule:admin_api
-    volume:update_volume_admin_metadata: rule:admin_api
-    volume:get_snapshot: rule:admin_or_owner
-    volume:get_all_snapshots: rule:admin_or_owner
-    volume:create_snapshot: rule:admin_or_owner
-    volume:delete_snapshot: rule:admin_or_owner
-    volume:update_snapshot: rule:admin_or_owner
-    volume:get_snapshot_metadata: rule:admin_or_owner
-    volume:delete_snapshot_metadata: rule:admin_or_owner
-    volume:update_snapshot_metadata: rule:admin_or_owner
-    volume:extend: rule:admin_or_owner
-    volume:update_readonly_flag: rule:admin_or_owner
-    volume:retype: rule:admin_or_owner
-    volume:update: rule:admin_or_owner
-    volume_extension:types_manage: rule:admin_api
-    volume_extension:types_extra_specs: rule:admin_api
-    volume_extension:access_types_qos_specs_id: rule:admin_api
-    volume_extension:access_types_extra_specs: rule:admin_api
-    volume_extension:volume_type_access: rule:admin_or_owner
-    volume_extension:volume_type_access:addProjectAccess: rule:admin_api
-    volume_extension:volume_type_access:removeProjectAccess: rule:admin_api
-    volume_extension:volume_type_encryption: rule:admin_api
-    volume_extension:volume_encryption_metadata: rule:admin_or_owner
-    volume_extension:extended_snapshot_attributes: rule:admin_or_owner
-    volume_extension:volume_image_metadata: rule:admin_or_owner
-    volume_extension:quotas:show: ''
-    volume_extension:quotas:update: rule:admin_api
-    volume_extension:quotas:delete: rule:admin_api
-    volume_extension:quota_classes: rule:admin_api
-    volume_extension:quota_classes:validate_setup_for_nested_quota_use: rule:admin_api
-    volume_extension:volume_admin_actions:reset_status: rule:admin_api
-    volume_extension:snapshot_admin_actions:reset_status: rule:admin_api
-    volume_extension:backup_admin_actions:reset_status: rule:admin_api
-    volume_extension:volume_admin_actions:force_delete: rule:admin_api
-    volume_extension:volume_admin_actions:force_detach: rule:admin_api
-    volume_extension:snapshot_admin_actions:force_delete: rule:admin_api
-    volume_extension:backup_admin_actions:force_delete: rule:admin_api
-    volume_extension:volume_admin_actions:migrate_volume: rule:admin_api
-    volume_extension:volume_admin_actions:migrate_volume_completion: rule:admin_api
-    volume_extension:volume_actions:upload_public: rule:admin_api
-    volume_extension:volume_actions:upload_image: rule:admin_or_owner
-    volume_extension:volume_host_attribute: rule:admin_api
-    volume_extension:volume_tenant_attribute: rule:admin_or_owner
-    volume_extension:volume_mig_status_attribute: rule:admin_api
-    volume_extension:hosts: rule:admin_api
-    volume_extension:services:index: rule:admin_api
-    volume_extension:services:update: rule:admin_api
-    volume_extension:volume_manage: rule:admin_api
-    volume_extension:volume_unmanage: rule:admin_api
-    volume_extension:list_manageable: rule:admin_api
-    volume_extension:capabilities: rule:admin_api
-    volume:create_transfer: rule:admin_or_owner
-    volume:accept_transfer: ''
-    volume:delete_transfer: rule:admin_or_owner
-    volume:get_transfer: rule:admin_or_owner
-    volume:get_all_transfers: rule:admin_or_owner
-    volume_extension:replication:promote: rule:admin_api
-    volume_extension:replication:reenable: rule:admin_api
-    volume:failover_host: rule:admin_api
-    volume:freeze_host: rule:admin_api
-    volume:thaw_host: rule:admin_api
-    backup:create: ''
-    backup:delete: rule:admin_or_owner
-    backup:get: rule:admin_or_owner
-    backup:get_all: rule:admin_or_owner
-    backup:restore: rule:admin_or_owner
-    backup:backup-import: rule:admin_api
-    backup:backup-export: rule:admin_api
-    backup:update: rule:admin_or_owner
-    snapshot_extension:snapshot_actions:update_snapshot_status: ''
-    snapshot_extension:snapshot_manage: rule:admin_api
-    snapshot_extension:snapshot_unmanage: rule:admin_api
-    snapshot_extension:list_manageable: rule:admin_api
-    consistencygroup:create: group:nobody
-    consistencygroup:delete: group:nobody
-    consistencygroup:update: group:nobody
-    consistencygroup:get: group:nobody
-    consistencygroup:get_all: group:nobody
-    consistencygroup:create_cgsnapshot: group:nobody
-    consistencygroup:delete_cgsnapshot: group:nobody
-    consistencygroup:get_cgsnapshot: group:nobody
-    consistencygroup:get_all_cgsnapshots: group:nobody
-    group:group_types_manage: rule:admin_api
-    group:group_types_specs: rule:admin_api
-    group:access_group_types_specs: rule:admin_api
-    group:group_type_access: rule:admin_or_owner
-    group:create: ''
-    group:delete: rule:admin_or_owner
-    group:update: rule:admin_or_owner
-    group:get: rule:admin_or_owner
-    group:get_all: rule:admin_or_owner
-    group:create_group_snapshot: ''
-    group:delete_group_snapshot: rule:admin_or_owner
-    group:update_group_snapshot: rule:admin_or_owner
-    group:get_group_snapshot: rule:admin_or_owner
-    group:get_all_group_snapshots: rule:admin_or_owner
-    scheduler_extension:scheduler_stats:get_pools: rule:admin_api
-    message:delete: rule:admin_or_owner
-    message:get: rule:admin_or_owner
-    message:get_all: rule:admin_or_owner
-    clusters:get: rule:admin_api
-    clusters:get_all: rule:admin_api
-    clusters:update: rule:admin_api
+  policy: {}
   api_audit_map:
     DEFAULT:
       target_endpoint_type: None
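Review bot: The nine `consistencygroup:*` rules removed here were set to `group:nobody`, which reads as a deliberate deny rather than a copy of an upstream default, so after this change those actions are governed by whatever Cinder's policy-in-code yields for them. If the block is still intended, keep just those entries under `policy:` instead of emptying the map, e.g. `consistencygroup:create: group:nobody`; if it is not, the release note should state that the restriction is lifted. The heat/values.yaml hunk has the same pattern, with `stacks:global_index` and `software_configs:global_index` mapped to `rule:deny_everybody`.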
diff --git a/designate/Chart.yaml b/designate/Chart.yaml
index 8f3971e1c8..56dc87027f 100644
--- a/designate/Chart.yaml
+++ b/designate/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Designate
 name: designate
-version: 0.2.7
+version: 0.2.8
 home: https://docs.openstack.org/designate/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Designate/OpenStack_Project_Designate_vertical.jpg
 sources:
diff --git a/designate/values.yaml b/designate/values.yaml
index 7abd43d54e..ea2c2aaca0 100644
--- a/designate/values.yaml
+++ b/designate/values.yaml
@@ -441,112 +441,7 @@ conf:
       paste.filter_factory: designate.api.middleware:FaultWrapperMiddleware.factory
     filter:validation_API_v2:
       paste.filter_factory: designate.api.middleware:APIv2ValidationErrorMiddleware.factory
-  policy:
-    admin: role:admin or is_admin:True
-    primary_zone: target.zone_type:SECONDARY
-    owner: tenant:%(tenant_id)s
-    admin_or_owner: rule:admin or rule:owner
-    target: tenant:%(target_tenant_id)s
-    owner_or_target: rule:target or rule:owner
-    admin_or_owner_or_target: rule:owner_or_target or rule:admin
-    admin_or_target: rule:admin or rule:target
-    zone_primary_or_admin: ('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)
-    default: rule:admin_or_owner
-    all_tenants: rule:admin
-    edit_managed_records: rule:admin
-    use_low_ttl: rule:admin
-    get_quotas: rule:admin_or_owner
-    get_quota: rule:admin_or_owner
-    set_quota: rule:admin
-    reset_quotas: rule:admin
-    create_tld: rule:admin
-    find_tlds: rule:admin
-    get_tld: rule:admin
-    update_tld: rule:admin
-    delete_tld: rule:admin
-    create_tsigkey: rule:admin
-    find_tsigkeys: rule:admin
-    get_tsigkey: rule:admin
-    update_tsigkey: rule:admin
-    delete_tsigkey: rule:admin
-    find_tenants: rule:admin
-    get_tenant: rule:admin
-    count_tenants: rule:admin
-    create_zone: rule:admin_or_owner
-    get_zones: rule:admin_or_owner
-    get_zone: rule:admin_or_owner
-    get_zone_servers: rule:admin_or_owner
-    find_zones: rule:admin_or_owner
-    find_zone: rule:admin_or_owner
-    update_zone: rule:admin_or_owner
-    delete_zone: rule:admin_or_owner
-    xfr_zone: rule:admin_or_owner
-    abandon_zone: rule:admin
-    count_zones: rule:admin_or_owner
-    count_zones_pending_notify: rule:admin_or_owner
-    purge_zones: rule:admin
-    touch_zone: rule:admin_or_owner
-    create_recordset: rule:zone_primary_or_admin
-    get_recordsets: rule:admin_or_owner
-    get_recordset: rule:admin_or_owner
-    find_recordsets: rule:admin_or_owner
-    find_recordset: rule:admin_or_owner
-    update_recordset: rule:zone_primary_or_admin
-    delete_recordset: rule:zone_primary_or_admin
-    count_recordset: rule:admin_or_owner
-    create_record: rule:admin_or_owner
-    get_records: rule:admin_or_owner
-    get_record: rule:admin_or_owner
-    find_records: rule:admin_or_owner
-    find_record: rule:admin_or_owner
-    update_record: rule:admin_or_owner
-    delete_record: rule:admin_or_owner
-    count_records: rule:admin_or_owner
-    use_sudo: rule:admin
-    create_blacklist: rule:admin
-    find_blacklist: rule:admin
-    find_blacklists: rule:admin
-    get_blacklist: rule:admin
-    update_blacklist: rule:admin
-    delete_blacklist: rule:admin
-    use_blacklisted_zone: rule:admin
-    create_pool: rule:admin
-    find_pools: rule:admin
-    find_pool: rule:admin
-    get_pool: rule:admin
-    update_pool: rule:admin
-    delete_pool: rule:admin
-    zone_create_forced_pool: rule:admin
-    diagnostics_ping: rule:admin
-    diagnostics_sync_zones: rule:admin
-    diagnostics_sync_zone: rule:admin
-    diagnostics_sync_record: rule:admin
-    create_zone_transfer_request: rule:admin_or_owner
-    get_zone_transfer_request: rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s
-    get_zone_transfer_request_detailed: rule:admin_or_owner
-    find_zone_transfer_requests: '@'
-    find_zone_transfer_request: '@'
-    update_zone_transfer_request: rule:admin_or_owner
-    delete_zone_transfer_request: rule:admin_or_owner
-    create_zone_transfer_accept: rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s
-    get_zone_transfer_accept: rule:admin_or_owner
-    find_zone_transfer_accepts: rule:admin
-    find_zone_transfer_accept: rule:admin
-    update_zone_transfer_accept: rule:admin
-    delete_zone_transfer_accept: rule:admin
-    create_zone_import: rule:admin_or_owner
-    find_zone_imports: rule:admin_or_owner
-    get_zone_import: rule:admin_or_owner
-    update_zone_import: rule:admin_or_owner
-    delete_zone_import: rule:admin_or_owner
-    zone_export: rule:admin_or_owner
-    create_zone_export: rule:admin_or_owner
-    find_zone_exports: rule:admin_or_owner
-    get_zone_export: rule:admin_or_owner
-    update_zone_export: rule:admin_or_owner
-    find_service_status: rule:admin
-    find_service_statuses: rule:admin
-    update_service_service_status: rule:admin
+  policy: {}
   designate:
     DEFAULT:
       debug: false
diff --git a/glance/Chart.yaml b/glance/Chart.yaml
index 6404c73d7d..7ce28411a1 100644
--- a/glance/Chart.yaml
+++ b/glance/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Glance
 name: glance
-version: 0.4.0
+version: 0.4.1
 home: https://docs.openstack.org/glance/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
 sources:
diff --git a/glance/values.yaml b/glance/values.yaml
index dfaac1521f..69f703e11e 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -189,61 +189,7 @@ conf:
       oslo_config_program: glance-api
     filter:http_proxy_to_wsgi:
       paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
-  policy:
-    metadef_default: ''
-    metadef_admin: 'role:admin'
-    context_is_admin: role:admin
-    default: role:admin
-    add_image: ''
-    delete_image: ''
-    get_image: ''
-    get_images: ''
-    modify_image: ''
-    publicize_image: role:admin
-    copy_from: ''
-    download_image: ''
-    upload_image: ''
-    delete_image_location: ''
-    get_image_location: ''
-    set_image_location: ''
-    add_member: ''
-    delete_member: ''
-    get_member: ''
-    get_members: ''
-    modify_member: ''
-    manage_image_cache: role:admin
-    get_task: role:admin
-    get_tasks: role:admin
-    add_task: role:admin
-    modify_task: role:admin
-    deactivate: ''
-    reactivate: ''
-    get_metadef_namespace: rule:metadef_default
-    get_metadef_namespaces: rule:metadef_default
-    modify_metadef_namespace: rule:metadef_admin
-    add_metadef_namespace: rule:metadef_admin
-    delete_metadef_namespace: rule:metadef_admin
-    get_metadef_object: rule:metadef_default
-    get_metadef_objects: rule:metadef_default
-    modify_metadef_object: rule:metadef_admin
-    add_metadef_object: rule:metadef_admin
-    delete_metadef_object: rule:metadef_admin
-    list_metadef_resource_types: rule:metadef_default
-    get_metadef_resource_type: rule:metadef_default
-    add_metadef_resource_type_association: rule:metadef_admin
-    remove_metadef_resource_type_association: rule:metadef_admin
-    get_metadef_property: rule:metadef_default
-    get_metadef_properties: rule:metadef_default
-    modify_metadef_property: rule:metadef_admin
-    add_metadef_property: rule:metadef_admin
-    remove_metadef_property: rule:metadef_admin
-    get_metadef_tag: rule:metadef_default
-    get_metadef_tags: rule:metadef_default
-    modify_metadef_tag: rule:metadef_admin
-    add_metadef_tag: rule:metadef_admin
-    add_metadef_tags: rule:metadef_admin
-    delete_metadef_tag: rule:metadef_admin
-    delete_metadef_tags: rule:metadef_admin
+  policy: {}
   glance_sudoers: |
     # This sudoers file supports rootwrap for both Kolla and LOCI Images.
     Defaults !requiretty
diff --git a/heat/Chart.yaml b/heat/Chart.yaml
index 97cfd98293..05cd5adc25 100644
--- a/heat/Chart.yaml
+++ b/heat/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Heat
 name: heat
-version: 0.3.0
+version: 0.3.1
 home: https://docs.openstack.org/heat/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
 sources:
diff --git a/heat/values.yaml b/heat/values.yaml
index 3dd9fdac09..555af53a33 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -340,95 +340,7 @@ conf:
       paste.filter_factory: oslo_middleware.request_id:RequestId.factory
     filter:osprofiler:
       paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
-  policy:
-    context_is_admin: role:admin and is_admin_project:True
-    project_admin: role:admin
-    deny_stack_user: not role:heat_stack_user
-    deny_everybody: "!"
-    cloudformation:ListStacks: rule:deny_stack_user
-    cloudformation:CreateStack: rule:deny_stack_user
-    cloudformation:DescribeStacks: rule:deny_stack_user
-    cloudformation:DeleteStack: rule:deny_stack_user
-    cloudformation:UpdateStack: rule:deny_stack_user
-    cloudformation:CancelUpdateStack: rule:deny_stack_user
-    cloudformation:DescribeStackEvents: rule:deny_stack_user
-    cloudformation:ValidateTemplate: rule:deny_stack_user
-    cloudformation:GetTemplate: rule:deny_stack_user
-    cloudformation:EstimateTemplateCost: rule:deny_stack_user
-    cloudformation:DescribeStackResource: ''
-    cloudformation:DescribeStackResources: rule:deny_stack_user
-    cloudformation:ListStackResources: rule:deny_stack_user
-    cloudwatch:DeleteAlarms: rule:deny_stack_user
-    cloudwatch:DescribeAlarmHistory: rule:deny_stack_user
-    cloudwatch:DescribeAlarms: rule:deny_stack_user
-    cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user
-    cloudwatch:DisableAlarmActions: rule:deny_stack_user
-    cloudwatch:EnableAlarmActions: rule:deny_stack_user
-    cloudwatch:GetMetricStatistics: rule:deny_stack_user
-    cloudwatch:ListMetrics: rule:deny_stack_user
-    cloudwatch:PutMetricAlarm: rule:deny_stack_user
-    cloudwatch:PutMetricData: ''
-    cloudwatch:SetAlarmState: rule:deny_stack_user
-    actions:action: rule:deny_stack_user
-    build_info:build_info: rule:deny_stack_user
-    events:index: rule:deny_stack_user
-    events:show: rule:deny_stack_user
-    resource:index: rule:deny_stack_user
-    resource:metadata: ''
-    resource:signal: ''
-    resource:mark_unhealthy: rule:deny_stack_user
-    resource:show: rule:deny_stack_user
-    stacks:abandon: rule:deny_stack_user
-    stacks:create: rule:deny_stack_user
-    stacks:delete: rule:deny_stack_user
-    stacks:detail: rule:deny_stack_user
-    stacks:export: rule:deny_stack_user
-    stacks:generate_template: rule:deny_stack_user
-    stacks:global_index: rule:deny_everybody
-    stacks:index: rule:deny_stack_user
-    stacks:list_resource_types: rule:deny_stack_user
-    stacks:list_template_versions: rule:deny_stack_user
-    stacks:list_template_functions: rule:deny_stack_user
-    stacks:lookup: ''
-    stacks:preview: rule:deny_stack_user
-    stacks:resource_schema: rule:deny_stack_user
-    stacks:show: rule:deny_stack_user
-    stacks:template: rule:deny_stack_user
-    stacks:environment: rule:deny_stack_user
-    stacks:files: rule:deny_stack_user
-    stacks:update: rule:deny_stack_user
-    stacks:update_patch: rule:deny_stack_user
-    stacks:preview_update: rule:deny_stack_user
-    stacks:preview_update_patch: rule:deny_stack_user
-    stacks:validate_template: rule:deny_stack_user
-    stacks:snapshot: rule:deny_stack_user
-    stacks:show_snapshot: rule:deny_stack_user
-    stacks:delete_snapshot: rule:deny_stack_user
-    stacks:list_snapshots: rule:deny_stack_user
-    stacks:restore_snapshot: rule:deny_stack_user
-    stacks:list_outputs: rule:deny_stack_user
-    stacks:show_output: rule:deny_stack_user
-    software_configs:global_index: rule:deny_everybody
-    software_configs:index: rule:deny_stack_user
-    software_configs:create: rule:deny_stack_user
-    software_configs:show: rule:deny_stack_user
-    software_configs:delete: rule:deny_stack_user
-    software_deployments:index: rule:deny_stack_user
-    software_deployments:create: rule:deny_stack_user
-    software_deployments:show: rule:deny_stack_user
-    software_deployments:update: rule:deny_stack_user
-    software_deployments:delete: rule:deny_stack_user
-    software_deployments:metadata: ''
-    service:index: rule:context_is_admin
-    resource_types:OS::Nova::Flavor: rule:project_admin
-    resource_types:OS::Cinder::EncryptedVolumeType: rule:project_admin
-    resource_types:OS::Cinder::VolumeType: rule:project_admin
-    resource_types:OS::Cinder::Quota: rule:project_admin
-    resource_types:OS::Manila::ShareType: rule:project_admin
-    resource_types:OS::Neutron::QoSPolicy: rule:project_admin
-    resource_types:OS::Neutron::QoSBandwidthLimitRule: rule:project_admin
-    resource_types:OS::Nova::HostAggregate: rule:project_admin
-    resource_types:OS::Cinder::QoSSpecs: rule:project_admin
+  policy: {}
   heat:
     DEFAULT:
       log_config_append: /etc/heat/logging.conf
diff --git a/magnum/Chart.yaml b/magnum/Chart.yaml
index 3f4ccf6d8d..37bdece4b4 100644
--- a/magnum/Chart.yaml
+++ b/magnum/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Magnum
 name: magnum
-version: 0.2.7
+version: 0.2.8
 home: https://docs.openstack.org/magnum/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Magnum/OpenStack_Project_Magnum_vertical.png
 sources:
diff --git a/magnum/values.yaml b/magnum/values.yaml
index f4d042a192..4280f0babf 100644
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@@ -68,49 +68,7 @@ conf:
       paste.filter_factory: oslo_middleware:Healthcheck.factory
       backends: disable_by_file
       disable_by_file_path: /etc/magnum/healthcheck_disable
-  policy:
-    context_is_admin: role:admin
-    admin_or_owner: is_admin:True or project_id:%(project_id)s
-    default: rule:admin_or_owner
-    admin_api: rule:context_is_admin
-    admin_or_user: is_admin:True or user_id:%(user_id)s
-    cluster_user: user_id:%(trustee_user_id)s
-    deny_cluster_user: not domain_id:%(trustee_domain_id)s
-    bay:create: rule:deny_cluster_user
-    bay:delete: rule:deny_cluster_user
-    bay:detail: rule:deny_cluster_user
-    bay:get: rule:deny_cluster_user
-    bay:get_all: rule:deny_cluster_user
-    bay:update: rule:deny_cluster_user
-    baymodel:create: rule:deny_cluster_user
-    baymodel:delete: rule:deny_cluster_user
-    baymodel:detail: rule:deny_cluster_user
-    baymodel:get: rule:deny_cluster_user
-    baymodel:get_all: rule:deny_cluster_user
-    baymodel:update: rule:deny_cluster_user
-    baymodel:publish: rule:admin_or_owner
-    cluster:create: rule:deny_cluster_user
-    cluster:delete: rule:deny_cluster_user
-    cluster:detail: rule:deny_cluster_user
-    cluster:get: rule:deny_cluster_user
-    cluster:get_all: rule:deny_cluster_user
-    cluster:update: rule:deny_cluster_user
-    clustertemplate:create: rule:deny_cluster_user
-    clustertemplate:delete: rule:deny_cluster_user
-    clustertemplate:detail: rule:deny_cluster_user
-    clustertemplate:get: rule:deny_cluster_user
-    clustertemplate:get_all: rule:deny_cluster_user
-    clustertemplate:update: rule:deny_cluster_user
-    clustertemplate:publish: rule:admin_or_owner
-    rc:create: rule:default
-    rc:delete: rule:default
-    rc:detail: rule:default
-    rc:get: rule:default
-    rc:get_all: rule:default
-    rc:update: rule:default
-    certificate:create: rule:admin_or_user or rule:cluster_user
-    certificate:get: rule:admin_or_user or rule:cluster_user
-    magnum-service:get_all: rule:admin_api
+  policy: {}
   magnum:
     DEFAULT:
       log_config_append: /etc/magnum/logging.conf
diff --git a/mistral/Chart.yaml b/mistral/Chart.yaml
index 4ed1e11af3..21af26f770 100644
--- a/mistral/Chart.yaml
+++ b/mistral/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Mistral
 name: mistral
-version: 0.2.6
+version: 0.2.7
 home: https://docs.openstack.org/mistral/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Mistral/OpenStack_Project_Mistral_vertical.png
 sources:
diff --git a/mistral/values.yaml b/mistral/values.yaml
index dd65149852..e22e2530a7 100644
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@@ -416,58 +416,7 @@ conf:
       - name: /tmp/rally-jobs/mistral_params.json
         template: |
           {"env": {"env_param": "env_param_value"}}
-  policy:
-    admin_only: is_admin:True
-    admin_or_owner: is_admin:True or project_id:%(project_id)s
-    default: rule:admin_or_owner
-    action_executions:delete: rule:admin_or_owner
-    action_execution:create: rule:admin_or_owner
-    action_executions:get: rule:admin_or_owner
-    action_executions:list: rule:admin_or_owner
-    action_executions:update: rule:admin_or_owner
-    actions:create: rule:admin_or_owner
-    actions:delete: rule:admin_or_owner
-    actions:get: rule:admin_or_owner
-    actions:list: rule:admin_or_owner
-    actions:update: rule:admin_or_owner
-    cron_triggers:create: rule:admin_or_owner
-    cron_triggers:delete: rule:admin_or_owner
-    cron_triggers:get: rule:admin_or_owner
-    cron_triggers:list: rule:admin_or_owner
-    environments:create: rule:admin_or_owner
-    environments:delete: rule:admin_or_owner
-    environments:get: rule:admin_or_owner
-    environments:list: rule:admin_or_owner
-    environments:update: rule:admin_or_owner
-    executions:create: rule:admin_or_owner
-    executions:delete: rule:admin_or_owner
-    executions:get: rule:admin_or_owner
-    executions:list: rule:admin_or_owner
-    executions:update: rule:admin_or_owner
-    members:create: rule:admin_or_owner
-    members:delete: rule:admin_or_owner
-    members:get: rule:admin_or_owner
-    members:list: rule:admin_or_owner
-    members:update: rule:admin_or_owner
-    services:list: rule:admin_or_owner
-    tasks:get: rule:admin_or_owner
-    tasks:list: rule:admin_or_owner
-    tasks:update: rule:admin_or_owner
-    workbooks:create: rule:admin_or_owner
-    workbooks:delete: rule:admin_or_owner
-    workbooks:get: rule:admin_or_owner
-    workbooks:list: rule:admin_or_owner
-    workbooks:update: rule:admin_or_owner
-    workflows:create: rule:admin_or_owner
-    workflows:delete: rule:admin_or_owner
-    workflows:get: rule:admin_or_owner
-    workflows:list: rule:admin_or_owner
-    workflows:update: rule:admin_or_owner
-    event_triggers:create: rule:admin_or_owner
-    event_triggers:delete: rule:admin_or_owner
-    event_triggers:get: rule:admin_or_owner
-    event_triggers:list: rule:admin_or_owner
-    event_triggers:update: rule:admin_or_owner
+  policy: {}
   mistral:
     DEFAULT:
       log_config_append: /etc/mistral/logging.conf
diff --git a/neutron/Chart.yaml b/neutron/Chart.yaml
index a324603cd8..1c7435b86f 100644
--- a/neutron/Chart.yaml
+++ b/neutron/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Neutron
 name: neutron
-version: 0.3.0
+version: 0.3.1
 home: https://docs.openstack.org/neutron/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
 sources:
diff --git a/neutron/values.yaml b/neutron/values.yaml
index f1eb8d1000..cc2d441a2b 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -1163,196 +1163,7 @@ conf:
       paste.app_factory: neutron.api.v2.router:APIRouter.factory
     filter:osprofiler:
       paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
-  policy:
-    context_is_admin: role:admin
-    owner: tenant_id:%(tenant_id)s
-    admin_or_owner: rule:context_is_admin or rule:owner
-    context_is_advsvc: role:advsvc
-    admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s
-    admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner
-    admin_only: rule:context_is_admin
-    regular_user: ''
-    shared: field:networks:shared=True
-    shared_subnetpools: field:subnetpools:shared=True
-    shared_address_scopes: field:address_scopes:shared=True
-    external: field:networks:router:external=True
-    default: rule:admin_or_owner
-    create_subnet: rule:admin_or_network_owner
-    create_subnet:segment_id: rule:admin_only
-    create_subnet:service_types: rule:admin_only
-    get_subnet: rule:admin_or_owner or rule:shared
-    get_subnet:segment_id: rule:admin_only
-    update_subnet: rule:admin_or_network_owner
-    update_subnet:service_types: rule:admin_only
-    delete_subnet: rule:admin_or_network_owner
-    create_subnetpool: ''
-    create_subnetpool:shared: rule:admin_only
-    create_subnetpool:is_default: rule:admin_only
-    get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools
-    update_subnetpool: rule:admin_or_owner
-    update_subnetpool:is_default: rule:admin_only
-    delete_subnetpool: rule:admin_or_owner
-    create_address_scope: ''
-    create_address_scope:shared: rule:admin_only
-    get_address_scope: rule:admin_or_owner or rule:shared_address_scopes
-    update_address_scope: rule:admin_or_owner
-    update_address_scope:shared: rule:admin_only
-    delete_address_scope: rule:admin_or_owner
-    create_network: ''
-    get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
-    get_network:router:external: rule:regular_user
-    get_network:segments: rule:admin_only
-    get_network:provider:network_type: rule:admin_only
-    get_network:provider:physical_network: rule:admin_only
-    get_network:provider:segmentation_id: rule:admin_only
-    get_network:queue_id: rule:admin_only
-    get_network_ip_availabilities: rule:admin_only
-    get_network_ip_availability: rule:admin_only
-    create_network:shared: rule:admin_only
-    create_network:router:external: rule:admin_only
-    create_network:is_default: rule:admin_only
-    create_network:segments: rule:admin_only
-    create_network:provider:network_type: rule:admin_only
-    create_network:provider:physical_network: rule:admin_only
-    create_network:provider:segmentation_id: rule:admin_only
-    update_network: rule:admin_or_owner
-    update_network:segments: rule:admin_only
-    update_network:shared: rule:admin_only
-    update_network:provider:network_type: rule:admin_only
-    update_network:provider:physical_network: rule:admin_only
-    update_network:provider:segmentation_id: rule:admin_only
-    update_network:router:external: rule:admin_only
-    delete_network: rule:admin_or_owner
-    create_segment: rule:admin_only
-    get_segment: rule:admin_only
-    update_segment: rule:admin_only
-    delete_segment: rule:admin_only
-    network_device: 'field:port:device_owner=~^network:'
-    create_port: ''
-    create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
-    create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner
-    create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
-    create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
-    create_port:binding:host_id: rule:admin_only
-    create_port:binding:profile: rule:admin_only
-    create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
-    create_port:allowed_address_pairs: rule:admin_or_network_owner
-    get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
-    get_port:queue_id: rule:admin_only
-    get_port:binding:vif_type: rule:admin_only
-    get_port:binding:vif_details: rule:admin_only
-    get_port:binding:host_id: rule:admin_only
-    get_port:binding:profile: rule:admin_only
-    update_port: rule:admin_or_owner or rule:context_is_advsvc
-    update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
-    update_port:mac_address: rule:admin_only or rule:context_is_advsvc
-    update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
-    update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
-    update_port:binding:host_id: rule:admin_only
-    update_port:binding:profile: rule:admin_only
-    update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
-    update_port:allowed_address_pairs: rule:admin_or_network_owner
-    delete_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
-    get_router:ha: rule:admin_only
-    create_router: rule:regular_user
-    create_router:external_gateway_info:enable_snat: rule:admin_only
-    create_router:distributed: rule:admin_only
-    create_router:ha: rule:admin_only
-    get_router: rule:admin_or_owner
-    get_router:distributed: rule:admin_only
-    update_router:external_gateway_info:enable_snat: rule:admin_only
-    update_router:distributed: rule:admin_only
-    update_router:ha: rule:admin_only
-    delete_router: rule:admin_or_owner
-    add_router_interface: rule:admin_or_owner
-    remove_router_interface: rule:admin_or_owner
-    create_router:external_gateway_info:external_fixed_ips: rule:admin_only
-    update_router:external_gateway_info:external_fixed_ips: rule:admin_only
-    insert_rule: rule:admin_or_owner
-    remove_rule: rule:admin_or_owner
-    create_qos_queue: rule:admin_only
-    get_qos_queue: rule:admin_only
-    update_agent: rule:admin_only
-    delete_agent: rule:admin_only
-    get_agent: rule:admin_only
-    create_dhcp-network: rule:admin_only
-    delete_dhcp-network: rule:admin_only
-    get_dhcp-networks: rule:admin_only
-    create_l3-router: rule:admin_only
-    delete_l3-router: rule:admin_only
-    get_l3-routers: rule:admin_only
-    get_dhcp-agents: rule:admin_only
-    get_l3-agents: rule:admin_only
-    get_loadbalancer-agent: rule:admin_only
-    get_loadbalancer-pools: rule:admin_only
-    get_agent-loadbalancers: rule:admin_only
-    get_loadbalancer-hosting-agent: rule:admin_only
-    create_floatingip: rule:regular_user
-    create_floatingip:floating_ip_address: rule:admin_only
-    update_floatingip: rule:admin_or_owner
-    delete_floatingip: rule:admin_or_owner
-    get_floatingip: rule:admin_or_owner
-    create_network_profile: rule:admin_only
-    update_network_profile: rule:admin_only
-    delete_network_profile: rule:admin_only
-    get_network_profiles: ''
-    get_network_profile: ''
-    update_policy_profiles: rule:admin_only
-    get_policy_profiles: ''
-    get_policy_profile: ''
-    create_metering_label: rule:admin_only
-    delete_metering_label: rule:admin_only
-    get_metering_label: rule:admin_only
-    create_metering_label_rule: rule:admin_only
-    delete_metering_label_rule: rule:admin_only
-    get_metering_label_rule: rule:admin_only
-    get_service_provider: rule:regular_user
-    get_lsn: rule:admin_only
-    create_lsn: rule:admin_only
-    create_flavor: rule:admin_only
-    update_flavor: rule:admin_only
-    delete_flavor: rule:admin_only
-    get_flavors: rule:regular_user
-    get_flavor: rule:regular_user
-    create_service_profile: rule:admin_only
-    update_service_profile: rule:admin_only
-    delete_service_profile: rule:admin_only
-    get_service_profiles: rule:admin_only
-    get_service_profile: rule:admin_only
-    get_policy: rule:regular_user
-    create_policy: rule:admin_only
-    update_policy: rule:admin_only
-    delete_policy: rule:admin_only
-    get_policy_bandwidth_limit_rule: rule:regular_user
-    create_policy_bandwidth_limit_rule: rule:admin_only
-    delete_policy_bandwidth_limit_rule: rule:admin_only
-    update_policy_bandwidth_limit_rule: rule:admin_only
-    get_policy_dscp_marking_rule: rule:regular_user
-    create_policy_dscp_marking_rule: rule:admin_only
-    delete_policy_dscp_marking_rule: rule:admin_only
-    update_policy_dscp_marking_rule: rule:admin_only
-    get_rule_type: rule:regular_user
-    get_policy_minimum_bandwidth_rule: rule:regular_user
-    create_policy_minimum_bandwidth_rule: rule:admin_only
-    delete_policy_minimum_bandwidth_rule: rule:admin_only
-    update_policy_minimum_bandwidth_rule: rule:admin_only
-    restrict_wildcard: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
-    create_rbac_policy: ''
-    create_rbac_policy:target_tenant: rule:restrict_wildcard
-    update_rbac_policy: rule:admin_or_owner
-    update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner
-    get_rbac_policy: rule:admin_or_owner
-    delete_rbac_policy: rule:admin_or_owner
-    create_flavor_service_profile: rule:admin_only
-    delete_flavor_service_profile: rule:admin_only
-    get_flavor_service_profile: rule:regular_user
-    get_auto_allocated_topology: rule:admin_or_owner
-    create_trunk: rule:regular_user
-    get_trunk: rule:admin_or_owner
-    delete_trunk: rule:admin_or_owner
-    get_subports: ''
-    add_subports: rule:admin_or_owner
-    remove_subports: rule:admin_or_owner
+  policy: {}
   api_audit_map:
     DEFAULT:
       target_endpoint_type: None
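Review bot: `policy: {}` at the end of this hunk hands authorization entirely to neutron's in-code defaults, and nothing in the values file says so or tells an operator where an override belongs. The removed map was a complete rule set (including `default: rule:admin_or_owner` and the `rule:admin_only` guards on provider and binding attributes), so the effective rules after an upgrade are whatever the deployed release registers in code, which may differ from what was removed. Dumping the effective policy with `oslopolicy-policy-generator --namespace neutron` and comparing it against the old map before rollout would confirm this. I would add a comment above the key, for example `# Empty on purpose: in-code policy defaults apply; list only rules that must differ.`, and have the release-note entry state that effective policy can change. The same applies to the `policy: {}` lines in the placement and senlin hunks further down.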
diff --git a/placement/Chart.yaml b/placement/Chart.yaml
index 3e4a864b9a..312ed00d9a 100644
--- a/placement/Chart.yaml
+++ b/placement/Chart.yaml
@@ -16,7 +16,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Placement
 name: placement
-version: 0.3.1
+version: 0.3.2
 home: https://docs.openstack.org/placement/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png
 sources:
diff --git a/placement/values.yaml b/placement/values.yaml
index 4456a9ecb2..ff33660c6c 100644
--- a/placement/values.yaml
+++ b/placement/values.yaml
@@ -73,44 +73,7 @@ conf:
       #   - status
       a2enmod: null
       a2dismod: null
-  policy:
-    "context_is_admin": "role:admin"
-    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"
-    "default": "rule:admin_or_owner"
-    "admin_api": "role:admin"
-    "placement:resource_providers:list": "rule:admin_api"
-    "placement:resource_providers:create": "rule:admin_api"
-    "placement:resource_providers:show": "rule:admin_api"
-    "placement:resource_providers:update": "rule:admin_api"
-    "placement:resource_providers:delete": "rule:admin_api"
-    "placement:resource_classes:list": "rule:admin_api"
-    "placement:resource_classes:create": "rule:admin_api"
-    "placement:resource_classes:show": "rule:admin_api"
-    "placement:resource_classes:update": "rule:admin_api"
-    "placement:resource_classes:delete": "rule:admin_api"
-    "placement:resource_providers:inventories:list": "rule:admin_api"
-    "placement:resource_providers:inventories:create": "rule:admin_api"
-    "placement:resource_providers:inventories:show": "rule:admin_api"
-    "placement:resource_providers:inventories:update": "rule:admin_api"
-    "placement:resource_providers:inventories:delete": "rule:admin_api"
-    "placement:resource_providers:aggregates:list": "rule:admin_api"
-    "placement:resource_providers:aggregates:update": "rule:admin_api"
-    "placement:resource_providers:usages": "rule:admin_api"
-    "placement:usages": "rule:admin_api"
-    "placement:traits:list": "rule:admin_api"
-    "placement:traits:show": "rule:admin_api"
-    "placement:traits:update": "rule:admin_api"
-    "placement:traits:delete": "rule:admin_api"
-    "placement:resource_providers:traits:list": "rule:admin_api"
-    "placement:resource_providers:traits:update": "rule:admin_api"
-    "placement:resource_providers:traits:delete": "rule:admin_api"
-    "placement:allocations:manage": "rule:admin_api"
-    "placement:allocations:list": "rule:admin_api"
-    "placement:allocations:update": "rule:admin_api"
-    "placement:allocations:delete": "rule:admin_api"
-    "placement:resource_providers:allocations:list": "rule:admin_api"
-    "placement:allocation_candidates:list": "rule:admin_api"
-    "placement:reshaper:reshape": "rule:admin_api"
+  policy: {}
   placement:
     DEFAULT:
       debug: false
diff --git a/releasenotes/notes/aodh.yaml b/releasenotes/notes/aodh.yaml
index c47f5737b2..3ac5191008 100644
--- a/releasenotes/notes/aodh.yaml
+++ b/releasenotes/notes/aodh.yaml
@@ -8,4 +8,5 @@ aodh:
   - 0.2.3 Enable taint toleration for Openstack services
   - 0.2.4 Migrated CronJob resource to batch/v1 API version & PodDisruptionBudget to policy/v1
   - 0.2.5 Added OCI registry authentication
+  - 0.2.6 Remove default policy rules
 ...
diff --git a/releasenotes/notes/ceilometer.yaml b/releasenotes/notes/ceilometer.yaml
index 4b0ee540dd..8c0d112ecd 100644
--- a/releasenotes/notes/ceilometer.yaml
+++ b/releasenotes/notes/ceilometer.yaml
@@ -9,4 +9,5 @@ ceilometer:
   - 0.2.4 Update default image values to Wallaby
   - 0.2.5 Migrated PodDisruptionBudget resource to policy/v1 API version
   - 0.2.6 Added OCI registry authentication
+  - 0.2.7 Remove default policy rules
 ...
diff --git a/releasenotes/notes/cinder.yaml b/releasenotes/notes/cinder.yaml
index ed15dd28b2..de26fd54f7 100644
--- a/releasenotes/notes/cinder.yaml
+++ b/releasenotes/notes/cinder.yaml
@@ -51,4 +51,5 @@ cinder:
   - 0.2.32 Revert "Remove fixed node name from default values and add service cleaner cronjob"
   - 0.3.0 Remove support for Train and Ussuri
   - 0.3.1 Change ceph-config-helper image tag
+  - 0.3.2 Remove default policy rules
 ...
diff --git a/releasenotes/notes/designate.yaml b/releasenotes/notes/designate.yaml
index 459ac59e3a..d0610d6f9b 100644
--- a/releasenotes/notes/designate.yaml
+++ b/releasenotes/notes/designate.yaml
@@ -11,4 +11,5 @@ designate:
   - 0.2.5 Migrated PodDisruptionBudget resource to policy/v1 API version
   - 0.2.6 Added OCI registry authentication
   - 0.2.7 Use HTTP probe instead of TCP probe
+  - 0.2.8 Remove default policy rules
 ...
diff --git a/releasenotes/notes/glance.yaml b/releasenotes/notes/glance.yaml
index 6be540f5c8..6998bff3ab 100644
--- a/releasenotes/notes/glance.yaml
+++ b/releasenotes/notes/glance.yaml
@@ -34,4 +34,5 @@ glance:
   - 0.3.11 Use HTTP probe instead of TCP probe
   - 0.3.12 Add support for using Cinder as backend
   - 0.4.0 Remove support for Train and Ussuri
+  - 0.4.1 Remove default policy rules
 ...
diff --git a/releasenotes/notes/heat.yaml b/releasenotes/notes/heat.yaml
index 2db5812beb..540b2b3d04 100644
--- a/releasenotes/notes/heat.yaml
+++ b/releasenotes/notes/heat.yaml
@@ -26,4 +26,5 @@ heat:
   - 0.2.17 Use HTTP probe instead of TCP probe
   - 0.2.18 Change hook weight for bootstrap job
   - 0.3.0 Remove support for Train and Ussuri
+  - 0.3.1 Remove default policy rules
 ...
diff --git a/releasenotes/notes/magnum.yaml b/releasenotes/notes/magnum.yaml
index 2da90ade18..f93bdf3c27 100644
--- a/releasenotes/notes/magnum.yaml
+++ b/releasenotes/notes/magnum.yaml
@@ -11,4 +11,5 @@ magnum:
   - 0.2.5 Update default image values to wallaby
   - 0.2.6 Migrated PodDisruptionBudget resource to policy/v1 API version
   - 0.2.7 Added OCI registry authentication
+  - 0.2.8 Remove default policy rules
 ...
diff --git a/releasenotes/notes/mistral.yaml b/releasenotes/notes/mistral.yaml
index 134139075b..99af32440a 100644
--- a/releasenotes/notes/mistral.yaml
+++ b/releasenotes/notes/mistral.yaml
@@ -10,4 +10,5 @@ mistral:
   - 0.2.4 Migrated PodDisruptionBudget resource to policy/v1 API version
   - 0.2.5 Added OCI registry authentication
   - 0.2.6 Use HTTP probe instead of TCP probe
+  - 0.2.7 Remove default policy rules
 ...
diff --git a/releasenotes/notes/neutron.yaml b/releasenotes/notes/neutron.yaml
index da387333a4..3eaea36069 100644
--- a/releasenotes/notes/neutron.yaml
+++ b/releasenotes/notes/neutron.yaml
@@ -42,4 +42,5 @@ neutron:
   - 0.2.26 Use HTTP probe instead of TCP probe
   - 0.2.27 Distinguish between port number of internal endpoint and binding port number
   - 0.3.0 Remove support for Train and Ussuri
+  - 0.3.1 Remove default policy rules
 ...
diff --git a/releasenotes/notes/placement.yaml b/releasenotes/notes/placement.yaml
index cdd2ce37c2..8c604c27e2 100644
--- a/releasenotes/notes/placement.yaml
+++ b/releasenotes/notes/placement.yaml
@@ -24,4 +24,5 @@ placement:
   - 0.2.13 Support TLS endpoints
   - 0.3.0 Remove placement-migrate
   - 0.3.1 Remove support for Train and Ussuri
+  - 0.3.2 Remove default policy rules
 ...
diff --git a/releasenotes/notes/senlin.yaml b/releasenotes/notes/senlin.yaml
index 83a63cae4f..d5d64d20a6 100644
--- a/releasenotes/notes/senlin.yaml
+++ b/releasenotes/notes/senlin.yaml
@@ -10,4 +10,5 @@ senlin:
   - 0.2.5 Migrated CronJob resource to batch/v1 API version & PodDisruptionBudget to policy/v1
   - 0.2.6 Add helm.sh/hook annotations for Jobs
   - 0.2.7 Added OCI registry authentication
+  - 0.2.8 Remove default policy rules
 ...
diff --git a/senlin/Chart.yaml b/senlin/Chart.yaml
index a7a71e0aad..b9c4e8b62c 100644
--- a/senlin/Chart.yaml
+++ b/senlin/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Senlin
 name: senlin
-version: 0.2.7
+version: 0.2.8
 home: https://docs.openstack.org/senlin/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Senlin/OpenStack_Project_Senlin_vertical.png
 sources:
diff --git a/senlin/values.yaml b/senlin/values.yaml
index a0fcb54587..5bd7f45c9a 100644
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@@ -123,53 +123,7 @@ conf:
       senlin.filter_factory: senlin.api.middleware:webhook_filter
     filter:authtoken:
       paste.filter_factory: keystonemiddleware.auth_token:filter_factory
-  policy:
-    context_is_admin: role:admin
-    deny_everybody: "!"
-    build_info:build_info: ''
-    profile_types:index: ''
-    profile_types:get: ''
-    policy_types:index: ''
-    policy_types:get: ''
-    clusters:index: ''
-    clusters:create: ''
-    clusters:delete: ''
-    clusters:get: ''
-    clusters:action: ''
-    clusters:update: ''
-    clusters:collect: ''
-    profiles:index: ''
-    profiles:create: ''
-    profiles:get: ''
-    profiles:delete: ''
-    profiles:update: ''
-    profiles:validate: ''
-    nodes:index: ''
-    nodes:create: ''
-    nodes:get: ''
-    nodes:action: ''
-    nodes:update: ''
-    nodes:delete: ''
-    policies:index: ''
-    policies:create: ''
-    policies:get: ''
-    policies:update: ''
-    policies:delete: ''
-    policies:validate: ''
-    cluster_policies:index: ''
-    cluster_policies:attach: ''
-    cluster_policies:detach: ''
-    cluster_policies:update: ''
-    cluster_policies:get: ''
-    receivers:index: ''
-    receivers:create: ''
-    receivers:get: ''
-    receivers:delete: ''
-    actions:index: ''
-    actions:get: ''
-    events:index: ''
-    events:get: ''
-    webhooks:trigger: ''
+  policy: {}
   senlin:
     DEFAULT:
       log_config_append: /etc/senlin/logging.conf