diff --git a/config/bundle_bionic.yaml b/config/bundle_bionic.yaml index c53f58d..353ed62 100644 --- a/config/bundle_bionic.yaml +++ b/config/bundle_bionic.yaml @@ -735,7 +735,7 @@ applications: bindings: "": *oam-space options: - extra_packages: python-apt postgresql-contrib postgresql-.*-debversion postgresql-plpython-.* + extra_packages: python-apt postgresql-contrib postgresql-.*-debversion postgresql-plpython.* max_connections: 500 max_prepared_transactions: 500 num_units: 2 diff --git a/config/bundle_focal.yaml b/config/bundle_focal.yaml index 38594d2..903476e 100644 --- a/config/bundle_focal.yaml +++ b/config/bundle_focal.yaml @@ -629,6 +629,15 @@ applications: - 103 - 104 - 105 + lma-server: + charm: cs:ubuntu + num_units: 3 + bindings: + "": *oam-space + to: + - 300 + - 301 + - 302 neutron-gateway: charm: cs:neutron-gateway num_units: 3 
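Review bot: The loosened `extra_packages` pattern `postgresql-plpython.*` now matches both `postgresql-plpython-NN` (Python 2) and `postgresql-plpython3-NN`, so bionic units pull in whichever of the two the mirror offers rather than a single interpreter; if only the Python 3 variant is wanted, `postgresql-plpython3-.*` is the tighter match. These are unanchored regexes resolved against the apt index, so a comment stating which package names they are expected to expand to would help, e.g. `# plpython is needed by landscape-server; regex because the version suffix differs per series`. The same pattern is repeated in the new landscape overlay later in this diff, so keep the two copies in step.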
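Review bot: The new `lma-server` application deploys the bare `cs:ubuntu` charm on machines 300–302 without a pinned revision, so each deploy resolves whatever the store currently publishes; `charm: cs:ubuntu-NN` (or a channel) keeps the placement reproducible. As far as this diff shows, nothing in the base bundle uses these machines any more — the Landscape units that previously sat on 300–302 now live in the overlay — so a comment above the block such as `# placeholder: machines 300-302 are reserved for the lma/landscape overlays` would stop the next reader from deleting them as unused. The only relation the base bundle gives this application is ntp (see the relations hunk below), so these hosts have no NRPE, filebeat or landscape-client coverage unless the overlays are applied.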
@@ -808,362 +817,6 @@ applications: - lxd:101 - lxd:102 -# LMA stack applications - landscape-server: - charm: cs:landscape-server - series: bionic - bindings: - "": *oam-space - options: - install_sources: |- - - 'deb http://192.168.1.12/ppa.launchpad.net/landscape/19.10/ubuntu bionic main' - install_keys: |- - - | - -----BEGIN PGP PUBLIC KEY BLOCK----- - Version: SKS 1.1.6 - Comment: Hostname: keyserver.ubuntu.com - mI0ESXN/egEEAOgRYISU9dnQm4BB5ZEEwKT+NKUDNd/DhMYdtBMw9Yk7S5cyoqpbtwoPJVzK - AXxq+ng5e3yYypSv98pLMr5UF09FGaeyGlD4s1uaVFWkFCO4jsTg7pWIY6qzO/jMxB5+Yu/G - 0GjWQMNKxFk0oHMa0PhNBZtdPacVz65mOVmCsh/lABEBAAG0G0xhdW5jaHBhZCBQUEEgZm9y - IExhbmRzY2FwZYi2BBMBAgAgBQJJc396AhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQ - boWobkZStOb+rwP+ONKUWeX+MTIPqGWkknBPV7jm8nyyIUojC4IhS+9YR6GYnn0hMABSkEHm - IV73feKmrT2GESYI1UdYeKiOkWsPN/JyBk+eTvKet0qsw5TluqiHSW+LEi/+zUyrS3dDMX3o - yaLgYa+UkjIyxnaKLkQuCiS+D+fYwnJulIkhaKObtdE= - =UwRd - -----END PGP PUBLIC KEY BLOCK----- - license-file: include-base64://../secrets/ldslicense.txt - #root-url: http://landscape.example.com/ - num_units: 3 - to: - - 300 - - 301 - - 302 - landscape-rabbitmq-server: - charm: cs:rabbitmq-server - bindings: - "": *oam-space - cluster: *oam-space - amqp: *oam-space - num_units: 3 - options: - source: *openstack-origin - min-cluster-size: 3 - cluster-partition-handling: pause_minority - to: - - lxd:300 - - lxd:301 - - lxd:302 - landscape-postgresql: - charm: cs:postgresql - series: bionic - bindings: - "": *oam-space - options: - extra_packages: python-apt postgresql-contrib postgresql-.*-debversion postgresql-plpython-.* - max_connections: 500 - max_prepared_transactions: 500 - num_units: 2 - to: - - lxd:300 - - lxd:301 - landscape-haproxy: - charm: cs:haproxy - bindings: - "": *oam-space - options: - default_timeouts: "queue 60000, connect 5000, client 120000, server 120000" - services: "" - source: backports - ssl_cert: SELFSIGNED - global_default_bind_options: "no-tlsv10" - num_units: 1 - to: - - lxd:302 - 
graylog: - charm: cs:graylog - bindings: - "": *oam-space - num_units: 1 - options: - channel: "4/stable" - jvm_heap_size: '1G' - rest_transport_uri: http://graylog.example.com:9001 - index_rotation_period: PT3H - to: - - 200 - graylog-mongodb: - charm: cs:mongodb - bindings: - "": *oam-space - num_units: 1 - options: - nagios_context: *nagios-context - to: - - lxd:200 - elasticsearch: - charm: cs:elasticsearch - bindings: - "": *oam-space - num_units: 2 - options: - firewall_enabled: False - es-heap-size: 2 - gpg-key: | - -----BEGIN PGP PUBLIC KEY BLOCK----- - Version: SKS 1.1.6 - Comment: Hostname: keyserver.ubuntu.com - - mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBDA+bGFOwy - hbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9CUliQe324qvObU2Q - RtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZj3SF1SPO+TB5QrHkrQHBsmX+ - Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj - 1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEB - AAG0RUVsYXN0aWNzZWFyY2ggKEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3Bz - QGVsYXN0aWNzZWFyY2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYC - AwECHgECF4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 - nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/7C2GuGCO - lbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKmTxcDTFrV7SmVPxCB - cQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe8d7sw+XvxB2aN4gnTlRzjL1n - TRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3 - vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUlzcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNM - KGTABFG1yRx9r+wa/fvqP6OTRzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hp - lnpU+PBQZJ5XJ2I+1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA - 07xx7Bj+Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt - KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0KwwEwSk/UDu - ToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0c3MIAIE9hAR20mqJ - 
WLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12JTavnJ5MLaETlggXY+zDef9sy - TPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZ - EyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWg - R7U2r+a210W6vnUxU4oN0PmMcursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNt - fllxIu9XYmiBERQ/qPDlGRlOgVTd9xUfHFkzB52c70E= - =92oX - -----END PGP PUBLIC KEY BLOCK----- - apt-repository: 'deb http://192.168.1.12/artifacts.elastic.co/packages/6.x/apt stable main' - to: - - 201 - - 202 - filebeat: - charm: cs:filebeat - options: - logpath: "/var/log/*.log /var/log/*/*.log /var/log/syslog" - install_keys: |- - - | - -----BEGIN PGP PUBLIC KEY BLOCK----- - Version: SKS 1.1.6 - Comment: Hostname: keyserver.ubuntu.com - mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBDA+bGFOwy - hbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9CUliQe324qvObU2Q - RtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZj3SF1SPO+TB5QrHkrQHBsmX+ - Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj - 1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEB - AAG0RUVsYXN0aWNzZWFyY2ggKEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3Bz - QGVsYXN0aWNzZWFyY2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYC - AwECHgECF4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 - nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/7C2GuGCO - lbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKmTxcDTFrV7SmVPxCB - cQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe8d7sw+XvxB2aN4gnTlRzjL1n - TRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3 - vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUlzcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNM - KGTABFG1yRx9r+wa/fvqP6OTRzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hp - lnpU+PBQZJ5XJ2I+1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA - 07xx7Bj+Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt - 
KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0KwwEwSk/UDu - ToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0c3MIAIE9hAR20mqJ - WLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12JTavnJ5MLaETlggXY+zDef9sy - TPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZ - EyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWg - R7U2r+a210W6vnUxU4oN0PmMcursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNt - fllxIu9XYmiBERQ/qPDlGRlOgVTd9xUfHFkzB52c70E= - =92oX - -----END PGP PUBLIC KEY BLOCK----- - install_sources: | - - 'deb http://192.168.1.12/artifacts.elastic.co/packages/6.x/apt stable main' - nagios: - charm: cs:nagios - series: bionic - bindings: - "": *oam-space - num_units: 1 - options: - enable_livestatus: true - check_timeout: 50 - to: - - lxd:202 - openstack-service-checks: - charm: cs:~llama-charmers-next/openstack-service-checks - constraints: *oam-space-constr - bindings: - "": *public-space - identity-credentials: *internal-space - num_units: 1 - to: - - lxd:202 - nrpe-host: - charm: cs:nrpe - bindings: - monitors: *oam-space - options: - nagios_hostname_type: "host" - nagios_host_context: *nagios-context - xfs_errors: "30" - netlinks: | - - bond0 mtu:1500 speed:1000 - - bond1 mtu:9000 speed:50000 - - eno1 mtu:1500 speed:1000 - - eno2 mtu:1500 speed:1000 - - enp25s0f0 mtu:9000 speed:25000 - - enp25s0f1 mtu:9000 speed:25000 - nrpe-container: - charm: cs:nrpe - bindings: - monitors: *oam-space - options: - nagios_hostname_type: unit - nagios_host_context: *nagios-context - disk_root: '' - load: '' - swap: '' - swap_activity: '' - mem: '' - landscape-client: - charm: cs:landscape-client - options: - account-name: "standalone" - #registration-key: include-file://../secrets/landscape-registration.txt - disable-unattended-upgrades: True - # the reason that this has to be done manually is because Landscape server needs an admin user to be - # created first (manual step, see above). 
Once the user and registration key is set configure the clients' url and ping-url options. - #ping-url: http://landscape.example.com/ping - #url: https://landscape.example.com/message-system - landscape-client-bionic: - charm: cs:landscape-client - options: - account-name: "standalone" - origin: | - deb http://192.168.1.12/ppa.launchpad.net/landscape/19.10/ubuntu bionic main|-----BEGIN PGP PUBLIC KEY BLOCK----- - Version: SKS 1.1.6 - Comment: Hostname: keyserver.ubuntu.com - mI0ESXN/egEEAOgRYISU9dnQm4BB5ZEEwKT+NKUDNd/DhMYdtBMw9Yk7S5cyoqpbtwoPJVzK - AXxq+ng5e3yYypSv98pLMr5UF09FGaeyGlD4s1uaVFWkFCO4jsTg7pWIY6qzO/jMxB5+Yu/G - 0GjWQMNKxFk0oHMa0PhNBZtdPacVz65mOVmCsh/lABEBAAG0G0xhdW5jaHBhZCBQUEEgZm9y - IExhbmRzY2FwZYi2BBMBAgAgBQJJc396AhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQ - boWobkZStOb+rwP+ONKUWeX+MTIPqGWkknBPV7jm8nyyIUojC4IhS+9YR6GYnn0hMABSkEHm - IV73feKmrT2GESYI1UdYeKiOkWsPN/JyBk+eTvKet0qsw5TluqiHSW+LEi/+zUyrS3dDMX3o - yaLgYa+UkjIyxnaKLkQuCiS+D+fYwnJulIkhaKObtdE= - =UwRd - -----END PGP PUBLIC KEY BLOCK----- - #registration-key: include-file://../secrets/landscape-registration.txt - disable-unattended-upgrades: True - # the reason that this has to be done manually is because Landscape server needs an admin user to be - # created first (manual step, see above). Once the user and registration key is set configure the clients' url and ping-url options. 
- #ping-url: http://landscape.example.com/ping - #url: https://landscape.example.com/message-system - prometheus: - charm: cs:prometheus2 - bindings: - "": *oam-space - num_units: 1 - to: - - lxd:201 - prometheus-openstack-exporter: - charm: cs:prometheus-openstack-exporter - constraints: *oam-space-constr - bindings: - "": *public-space - identity-credentials: *internal-space - prometheus-openstack-exporter-service: *oam-space - num_units: 1 - to: - - lxd:201 - grafana: - charm: cs:~prometheus-charmers/grafana - bindings: - "": *oam-space - options: - port: "3000" - install_method: snap - num_units: 1 - to: - - lxd:201 - telegraf: - charm: cs:telegraf - options: - # Contrail services are listening on 8094 - socket_listener_port: '8095' - install_sources: | - - 'deb http://192.168.1.12/ppa.launchpad.net/telegraf-devs/ppa/ubuntu focal main' - install_keys: |- - - | - -----BEGIN PGP PUBLIC KEY BLOCK----- - Version: SKS 1.1.6 - Comment: Hostname: keyserver.ubuntu.com - mQINBFcVSuIBEAC80aj0tAQ6+NhGV/bkSwu6Oj+BpDR50Be3uBv7ttdtvChL5zHTnaxjdK3h - LKSyrDLlmSOkffQ2uO7CxvqeF09MsHhyvrDDx0EY54//xxoAB++PoB2OQqmqldg3Al5Hp4Dz - rllV5CIX5PD8NGX8UpO3HXk5wEwn9G81l8cia3vPveU82EIkHMiJGpk6+L86OMlwXzxkSI3M - xXgNFKQc+ELDYLvGSseYC9vPN3kdmFoo/UjznPPE4fxr4bXit3N8Abl1jYjBa0x6SWkK1BAb - s8w3BXtvyk90z9Oyme69wPD4zAYfFp+kN2nDmTDBMtNCyMu9oatdI5SukMNK4Lcm8eAE6VNs - 04j7BKvGk9+17M8WP9Pw8nIisOwScS9gUlJlLUpnBaJ+sxoOvGQ4mzZxYMKzJh0E58aEX3bS - AyzQfsae8bZLNOTcgotyzzIDJFF9npzu3wmKjeOt/706p4LiDqKUbQK6cI+QcJ/y80ZUK8pB - M043ttSHWLmTBFX2drp6zQGae9+02fX89ZD+5c+MPlubJMYCCKkvQT4OssHfC+dVDQ66rwUy - OObrzsVgikdpIxQVitL3J+Dms56xAkdFfoo+qdxxdv9S/eakc5mfavc/4WVvmFDaJiqJnJRR - Ryw1zApRtuweEEdVn8niy1mahoKpWaw1pTI4AazjWI6xJH1JyQARAQABtB9MYXVuY2hwYWQg - UFBBIGZvciBUZWxlZ3JhZiBEZXZziQI4BBMBAgAiBQJXFUriAhsDBgsJCAcDAgYVCAIJCgsE - FgIDAQIeAQIXgAAKCRDxDL4ByUQG9UgbEACa4IzdeYxH/S5I6MrZfvWNo/JTZ/MZWDD+QlMW - 60ThAemCUSE+NJvZZ1q7ovGFpYnHJT9GQXOwJAX1quDUqyM1uXNmLlOyIVNnmjUTINoLhw2V - 
iC8E7dMWC9w4Na2fKezmNHH00kNl43ncstIjjZ3pLnDGYm1y0ItiCUcTRgHhx2cUZ/vStz1S - Pdqj4P3i8vuspoYJ2T3VPlM/0G+u9Yjuy3Uzu9RugOyO3UJPoi3+4O2VTNosSBy5MILVCp49 - eigyFVGpq5sT/c86qd1zqmsNWEubrlzDfETS4LMj9epr46ZKPXGQkeryt1m2Oe0HkIdNZ+IQ - 5p+i9fnEy7/1uKTXWQYsg2UWsLA2PvTvwY8JxxMhUFgv12q2w7STntqJyi9PLItYNtbtKoS3 - XZCCMqQLCWMXHY+2ol6rRSfs06H/wzlR8LjDaEXkDVuDmqMtcbgTboZYblsGxst7I/Y4Wgfi - J52uiIyobQ69uJbG0XeRTLZ3WyrBkopEsTX/+sQjVqbADXYU4hBVDgnCf2uN/5dcwSEvDj8/ - +WsToAfEJkscRBsQjTLVzf+eFqHLrbqz/yoYIqBc//IJMBSbxIf5mrOHHLdbOuMCB6PVwpTI - vLFOSDNPuVDX+S1goA8KJTnXpm8jWDynn3XaXx3AlYw4iZ0ETSgQLQLRd6JuPOEGXsGdBA== - =ufaX - -----END PGP PUBLIC KEY BLOCK----- - extra_plugins: | - [[inputs.exec]] - commands = [ "/usr/bin/awk '{print int($1)}' /proc/uptime" ] - name_override = "exec_uptime" - data_format = "value" - bindings: - # overrides private-address exposed to prometheus - prometheus-client: *oam-space - telegraf-prometheus: - charm: cs:telegraf - bindings: - # overrides private-address exposed to prometheus - prometheus-client: *oam-space - options: - install_sources: | - - 'deb http://192.168.1.12/ppa.launchpad.net/telegraf-devs/ppa/ubuntu focal main' - install_keys: |- - - | - -----BEGIN PGP PUBLIC KEY BLOCK----- - Version: SKS 1.1.6 - Comment: Hostname: keyserver.ubuntu.com - mQINBFcVSuIBEAC80aj0tAQ6+NhGV/bkSwu6Oj+BpDR50Be3uBv7ttdtvChL5zHTnaxjdK3h - LKSyrDLlmSOkffQ2uO7CxvqeF09MsHhyvrDDx0EY54//xxoAB++PoB2OQqmqldg3Al5Hp4Dz - rllV5CIX5PD8NGX8UpO3HXk5wEwn9G81l8cia3vPveU82EIkHMiJGpk6+L86OMlwXzxkSI3M - xXgNFKQc+ELDYLvGSseYC9vPN3kdmFoo/UjznPPE4fxr4bXit3N8Abl1jYjBa0x6SWkK1BAb - s8w3BXtvyk90z9Oyme69wPD4zAYfFp+kN2nDmTDBMtNCyMu9oatdI5SukMNK4Lcm8eAE6VNs - 04j7BKvGk9+17M8WP9Pw8nIisOwScS9gUlJlLUpnBaJ+sxoOvGQ4mzZxYMKzJh0E58aEX3bS - AyzQfsae8bZLNOTcgotyzzIDJFF9npzu3wmKjeOt/706p4LiDqKUbQK6cI+QcJ/y80ZUK8pB - M043ttSHWLmTBFX2drp6zQGae9+02fX89ZD+5c+MPlubJMYCCKkvQT4OssHfC+dVDQ66rwUy - OObrzsVgikdpIxQVitL3J+Dms56xAkdFfoo+qdxxdv9S/eakc5mfavc/4WVvmFDaJiqJnJRR - 
Ryw1zApRtuweEEdVn8niy1mahoKpWaw1pTI4AazjWI6xJH1JyQARAQABtB9MYXVuY2hwYWQg - UFBBIGZvciBUZWxlZ3JhZiBEZXZziQI4BBMBAgAiBQJXFUriAhsDBgsJCAcDAgYVCAIJCgsE - FgIDAQIeAQIXgAAKCRDxDL4ByUQG9UgbEACa4IzdeYxH/S5I6MrZfvWNo/JTZ/MZWDD+QlMW - 60ThAemCUSE+NJvZZ1q7ovGFpYnHJT9GQXOwJAX1quDUqyM1uXNmLlOyIVNnmjUTINoLhw2V - iC8E7dMWC9w4Na2fKezmNHH00kNl43ncstIjjZ3pLnDGYm1y0ItiCUcTRgHhx2cUZ/vStz1S - Pdqj4P3i8vuspoYJ2T3VPlM/0G+u9Yjuy3Uzu9RugOyO3UJPoi3+4O2VTNosSBy5MILVCp49 - eigyFVGpq5sT/c86qd1zqmsNWEubrlzDfETS4LMj9epr46ZKPXGQkeryt1m2Oe0HkIdNZ+IQ - 5p+i9fnEy7/1uKTXWQYsg2UWsLA2PvTvwY8JxxMhUFgv12q2w7STntqJyi9PLItYNtbtKoS3 - XZCCMqQLCWMXHY+2ol6rRSfs06H/wzlR8LjDaEXkDVuDmqMtcbgTboZYblsGxst7I/Y4Wgfi - J52uiIyobQ69uJbG0XeRTLZ3WyrBkopEsTX/+sQjVqbADXYU4hBVDgnCf2uN/5dcwSEvDj8/ - +WsToAfEJkscRBsQjTLVzf+eFqHLrbqz/yoYIqBc//IJMBSbxIf5mrOHHLdbOuMCB6PVwpTI - vLFOSDNPuVDX+S1goA8KJTnXpm8jWDynn3XaXx3AlYw4iZ0ETSgQLQLRd6JuPOEGXsGdBA== - =ufaX - -----END PGP PUBLIC KEY BLOCK----- # canonical-livepatch: # charm: cs:canonical-livepatch # options: 
@@ -1408,195 +1061,9 @@ relations: - [ "etcd:certificates", "easyrsa:client" ] - [ "etcd:db", "vault:etcd" ] - # vault lma/monitoring - - [ "filebeat:beats-host", "vault:juju-info" ] - - [ "nrpe-container:nrpe-external-master", "vault:nrpe-external-master" ] - - [ "landscape-client:container", "vault:juju-info" ] - - - [ "filebeat:beats-host", "etcd:juju-info" ] - - [ "nrpe-container:nrpe-external-master", "etcd:nrpe-external-master" ] - - [ "landscape-client:container", "etcd:juju-info" ] - - - [ "filebeat:beats-host", "easyrsa:juju-info" ] - - [ "nrpe-container:general-info", "easyrsa:juju-info" ] - - [ "landscape-client:container", "easyrsa:juju-info" ] - - # memcached - - [ "memcached:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "memcached:juju-info", "filebeat:beats-host" ] - - [ "memcached:juju-info", "landscape-client:container" ] - - # grafana - - [ "grafana:juju-info", "filebeat:beats-host" ] - - [ "grafana:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "grafana:juju-info", "landscape-client:container" ] - - # graylog - - [ "graylog:elasticsearch", "elasticsearch:client" ] - - [ "graylog:mongodb", "graylog-mongodb:database" ] - - [ "graylog:beats", "filebeat:logstash" ] - - [ "graylog:nrpe-external-master", "nrpe-host:nrpe-external-master" ] - - [ "graylog:juju-info", "telegraf:juju-info" ] - - [ "graylog:juju-info", "landscape-client:container" ] - - # nagios - - [ "nagios:juju-info", "filebeat:beats-host" ] - - [ "nagios:monitors", "nrpe-container:monitors" ] - - [ "nagios:monitors", "nrpe-host:monitors" ] - - [ "nagios:juju-info", "landscape-client-bionic:container" ] - - # openstack-service-checks - - [ "openstack-service-checks:identity-credentials", "keystone:identity-credentials" ] - - [ "openstack-service-checks:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "openstack-service-checks:juju-info", "filebeat:beats-host" ] - - [ "openstack-service-checks:juju-info", 
"landscape-client:container" ] - - # graylog-mongodb - - [ "graylog-mongodb:juju-info", "filebeat:beats-host" ] - - [ "graylog-mongodb:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "graylog-mongodb:juju-info", "landscape-client:container" ] - - # elasticsearch - - [ "elasticsearch:juju-info", "filebeat:beats-host" ] - - [ "elasticsearch:juju-info", "telegraf:juju-info" ] - - [ "elasticsearch:nrpe-external-master", "nrpe-host:nrpe-external-master" ] - - [ "elasticsearch:juju-info", "landscape-client:container" ] - - # prometheus - - [ "prometheus:juju-info", "filebeat:beats-host" ] - - [ "prometheus:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "prometheus:juju-info", "telegraf-prometheus:juju-info" ] - - [ "prometheus:grafana-source", "grafana:grafana-source" ] - - [ "prometheus:target", "telegraf:prometheus-client" ] - - [ "prometheus:juju-info", "landscape-client:container" ] - - # prometheus-openstack-exporter - - [ "prometheus-openstack-exporter:identity-credentials", "keystone:identity-credentials" ] - - [ "prometheus-openstack-exporter:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "prometheus-openstack-exporter:prometheus-openstack-exporter-service", "prometheus:target" ] - - [ "prometheus-openstack-exporter:juju-info", "filebeat:beats-host" ] - - [ "prometheus-openstack-exporter:juju-info", "landscape-client:container" ] - # juniper server - [ "juniper-server:juju-info", "ntp:juju-info" ] - # grafana dashboards - - [ "grafana:dashboards", "telegraf:dashboards" ] - - [ "grafana:dashboards", "telegraf-prometheus:dashboards" ] + # lma server + - [ "lma-server:juju-info", "ntp:juju-info" ] - # LMA/landscape subordinates - - [ "nova-compute:juju-info", "filebeat:beats-host" ] -# - [ "nova-compute:juju-info", "telegraf:juju-info" ] - - [ "nova-compute:nrpe-external-master", "nrpe-host:nrpe-external-master" ] - - [ "nova-compute:juju-info", "landscape-client:container" ] - - - [ 
"ceph-osd:juju-info", "telegraf:juju-info" ] - - - [ "neutron-gateway:juju-info", "filebeat:beats-host" ] - - [ "neutron-gateway:juju-info", "telegraf:juju-info" ] - - [ "neutron-gateway:nrpe-external-master", "nrpe-host:nrpe-external-master" ] - - [ "neutron-gateway:juju-info", "landscape-client:container" ] - - - [ "keystone:juju-info", "filebeat:beats-host" ] - - [ "keystone:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "keystone:juju-info", "landscape-client:container" ] - - - [ "glance:juju-info", "filebeat:beats-host" ] - - [ "glance:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "glance:juju-info", "landscape-client:container" ] - - - [ "cinder:juju-info", "filebeat:beats-host" ] - - [ "cinder:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "cinder:juju-info", "landscape-client:container" ] - -# - [ "cinder2:juju-info", "filebeat:beats-host" ] -# - [ "cinder2:nrpe-external-master", "nrpe-container:nrpe-external-master" ] -# - [ "cinder2:juju-info", "landscape-client:container" ] - - - [ "heat:juju-info", "filebeat:beats-host" ] - - [ "heat:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "heat:juju-info", "landscape-client:container" ] - - - [ "mysql-innodb-cluster:juju-info", "filebeat:beats-host" ] - - [ "mysql-innodb-cluster:juju-info", "nrpe-container:general-info" ] - - [ "mysql-innodb-cluster:juju-info", "landscape-client:container" ] - - - [ "ceph-mon:prometheus", "prometheus:target" ] - - [ "ceph-mon:juju-info", "filebeat:beats-host" ] - - [ "ceph-mon:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "ceph-mon:juju-info", "landscape-client:container" ] - - - [ "neutron-api:juju-info", "filebeat:beats-host" ] - - [ "neutron-api:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "neutron-api:juju-info", "landscape-client:container" ] - - - [ "rabbitmq-server:juju-info", "filebeat:beats-host" ] - - [ 
"rabbitmq-server:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "rabbitmq-server:juju-info", "landscape-client:container" ] - - - [ "openstack-dashboard:juju-info", "filebeat:beats-host" ] - - [ "openstack-dashboard:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "openstack-dashboard:juju-info", "landscape-client:container" ] - - - [ "nova-cloud-controller:juju-info", "filebeat:beats-host" ] - - [ "nova-cloud-controller:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "nova-cloud-controller:juju-info", "landscape-client:container" ] - - - [ "gnocchi:juju-info", "filebeat:beats-host" ] - - [ "gnocchi:juju-info", "nrpe-container:general-info" ] - - [ "gnocchi:juju-info", "landscape-client:container" ] - - - [ "ceilometer:juju-info", "filebeat:beats-host" ] - - [ "ceilometer:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "ceilometer:juju-info", "landscape-client:container" ] - - - [ "aodh:juju-info", "filebeat:beats-host" ] - - [ "aodh:juju-info", "nrpe-container:general-info" ] - - [ "aodh:juju-info", "landscape-client:container" ] - - - [ "placement:juju-info", "filebeat:beats-host" ] - - [ "placement:juju-info", "nrpe-container:general-info" ] - - [ "placement:juju-info", "landscape-client:container" ] - - - [ "juniper-server:juju-info", "filebeat:beats-host" ] - - [ "juniper-server:juju-info", "telegraf:juju-info" ] - - [ "juniper-server:juju-info", "landscape-client:container" ] - - [ "juniper-server:juju-info", "nrpe-host:general-info" ] - - - [ "hacluster-aodh:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "hacluster-cinder:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "hacluster-glance:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "hacluster-gnocchi:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "hacluster-heat:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ 
"hacluster-horizon:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "hacluster-keystone:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "hacluster-neutron:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "hacluster-nova:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - [ "hacluster-placement:nrpe-external-master", "nrpe-container:nrpe-external-master" ] - - # Landscape - - [ "landscape-server:juju-info", "ntp:juju-info" ] - - [ "landscape-server:juju-info", "filebeat:beats-host" ] - - [ "landscape-server:juju-info", "nrpe-host:general-info" ] - - [ "landscape-server:juju-info", "telegraf:juju-info" ] - - [ "landscape-server:juju-info", "landscape-client-bionic:container" ] - - - [ "landscape-rabbitmq-server:juju-info", "ntp:juju-info" ] - - [ "landscape-rabbitmq-server:juju-info", "filebeat:beats-host" ] - - [ "landscape-rabbitmq-server:nrpe-external-master", "nrpe-host:nrpe-external-master" ] - - [ "landscape-rabbitmq-server:juju-info", "landscape-client:container" ] - - - [ "landscape-postgresql:juju-info", "ntp:juju-info" ] - - [ "landscape-postgresql:juju-info", "filebeat:beats-host" ] - - [ "landscape-postgresql:local-monitors", "nrpe-host:local-monitors" ] - - [ "landscape-postgresql:juju-info", "nrpe-host:general-info" ] - - [ "landscape-postgresql:juju-info", "landscape-client-bionic:container" ] - - - [ "landscape-haproxy:juju-info", "filebeat:beats-host" ] - - [ "landscape-haproxy:juju-info", "nrpe-host:general-info" ] - - [ "landscape-haproxy:local-monitors", "nrpe-host:local-monitors" ] - - [ "landscape-haproxy:juju-info", "landscape-client:container" ] - - - [ "landscape-server:amqp", "landscape-rabbitmq-server:amqp" ] - - [ "landscape-server:website", "landscape-haproxy:reverseproxy" ] - - [ "landscape-server:db", "landscape-postgresql:db-admin" ] diff --git a/config/juju-model-default-cis.yaml b/config/juju-model-default-cis.yaml index 339e449..86c4050 100644 
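Review bot: After this hunk the base bundle no longer relates nrpe-host/nrpe-container, filebeat, telegraf or landscape-client to any OpenStack service, vault, etcd or easyrsa, and the only monitoring-adjacent relation left is `lma-server:juju-info`/`ntp:juju-info`, so a default deploy comes up with no host checks and no log shipping from keystone, neutron-api, ceph-mon and the rest. The overlays meant to carry these relations (`lma.yaml`, `landscape.yaml`) are commented out in `juju_deploy_focal.sh` elsewhere in this diff and `lma.yaml` itself is not part of the change, so please confirm every removed pair exists there — in particular the `keystone:identity-credentials` relations for `openstack-service-checks` and `prometheus-openstack-exporter`, which are the ones that hand out cloud credentials. A comment where `# LMA/landscape subordinates` used to be, e.g. `# monitoring and landscape relations live in overlays/lma.yaml and overlays/landscape.yaml`, would make the dependency explicit.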
--- a/config/juju-model-default-cis.yaml +++ b/config/juju-model-default-cis.yaml @@ -130,6 +130,12 @@ cloudinit-userdata: | ruleset4="4.2.1.1 4.2.1.2 4.2.1.3 4.2.1.4 4.2.1.5 4.2.1.6 4.2.2.1 4.2.2.2 4.2.2.3 4.2.3 4.3 4.4" ruleset5="5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.2.1 5.2.2 5.2.3 5.2.4 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.2.11 5.2.12 5.2.13 5.2.14 5.2.15 5.2.16 5.2.17 5.2.18 5.2.19 5.2.21 5.2.22 5.3.1 5.3.2 5.3.3 5.3.4 5.4.1.1 5.4.1.2 5.4.1.3 5.4.1.4 5.4.1.5 5.4.2 5.4.3 5.4.4 5.4.5 5.5 5.6" ruleset6="6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.1.10 6.1.11 6.1.12 6.1.13 6.1.14 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.2.7 6.2.8 6.2.9 6.2.10 6.2.11 6.2.12 6.2.13 6.2.14 6.2.15 6.2.16 6.2.17" + - owner: root:root + path: /etc/systemd/network/99-default.link + permissions: '0644' + content: | + [Link] + NamePolicy=keep kernel database onboard path slot preruncmd: - locale-gen en_GB.UTF-8; update-locale - wget -qO - http://192.168.1.12/keys/security-benchmarks.asc | sudo apt-key add - @@ -146,6 +152,7 @@ cloudinit-userdata: | - "! systemd-detect-virt --container && mv /root/99-post-juju.yaml /etc/netplan/99-post-juju.yaml" - "! systemd-detect-virt --container && sudo lxc profile set default security.nesting true" - sudo netplan apply + - "! systemd-detect-virt --container && update-initramfs -u -k all" snap: commands: "00": systemctl restart snapd diff --git a/config/juju-model-default.yaml b/config/juju-model-default.yaml index 9b9e1e8..9687498 100644 --- a/config/juju-model-default.yaml +++ b/config/juju-model-default.yaml @@ -25,6 +25,12 @@ cloudinit-userdata: | link-local: [] ens9: link-local: [] + - owner: root:root + path: /etc/systemd/network/99-default.link + permissions: '0644' + content: | + [Link] + NamePolicy=keep kernel database onboard path slot preruncmd: - locale-gen en_GB.UTF-8; update-locale - "systemd-detect-virt --container && rm -rf /root/99-post-juju.yaml" 
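Review bot: The new `/etc/systemd/network/99-default.link` sets `NamePolicy=keep kernel database onboard path slot`, which, if I recall the stock systemd policy correctly, differs from it only by putting `path` ahead of `slot`, and the entry carries no comment saying that reordering is the reason the file exists — a reader will take it for a no-op copy of the default. Because cloud-init writes the file after udev has already named the interfaces on first boot, a host whose NIC name changes under the new policy after the initramfs rebuild will come back from its next reboot with a stale `99-post-juju.yaml`; worth confirming on a real host that first-boot and post-reboot names agree. Suggested comment above the entry: `# prefer path-based over slot-based NIC names for stable naming; effective after the update-initramfs step in preruncmd`, adjusted to the actual motivation. Unrelated to this change but visible in the hunk's context: the benchmark key is fetched over plain HTTP and piped into the deprecated `apt-key add -`, which trusts it for every repository; a follow-up should fetch it over HTTPS or verify its fingerprint and install it under `/etc/apt/trusted.gpg.d` with a `signed-by` entry.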
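Review bot: This `99-default.link` entry is a verbatim copy of the one added to `juju-model-default-cis.yaml` in the same diff, and the two copies have to stay byte-identical or CIS and non-CIS models will name interfaces differently; a comment `# keep in sync with juju-model-default-cis.yaml` on both sides helps. Unlike the `update-initramfs` command in the next hunk, the write_files entry is not guarded by `systemd-detect-virt --container`, so LXD containers also receive the override — harmless as far as this hunk shows, but say so in the comment if it is intentional.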
@@ -32,6 +38,7 @@ cloudinit-userdata: | - "! systemd-detect-virt --container && mv /root/99-post-juju.yaml /etc/netplan/99-post-juju.yaml" - "! systemd-detect-virt --container && sudo lxc profile set default security.nesting true" - sudo netplan apply + - "! systemd-detect-virt --container && update-initramfs -u -k all" snap: commands: "00": systemctl restart snapd diff --git a/config/juju_deploy_focal.sh b/config/juju_deploy_focal.sh index 67da58f..1e9902c 100755 --- a/config/juju_deploy_focal.sh +++ b/config/juju_deploy_focal.sh @@ -13,11 +13,15 @@ juju deploy ./bundle_${series}.yaml \ --overlay ./overlays/ldap.yaml \ --overlay ./overlays/resources.yaml \ --overlay ./overlays/openstack_versioned_overlay_${series}.yaml \ - --overlay ./overlays/lma_offers.yaml \ - --overlay ./overlays/ssl.yaml \ - --overlay ./overlays/ssl_${series}.yaml \ --overlay ./overlays/stsstack.yaml $* +# --overlay ./overlays/lma_offers.yaml \ +# --overlay ./overlays/advanced-routing.yaml \ +# --overlay ./overlays/lma.yaml \ +# --overlay ./overlays/landscape.yaml \ +# --overlay ./overlays/ssl.yaml \ +# --overlay ./overlays/ssl_${series}.yaml \ + # --overlay ./overlays/contrail.yaml \ # --overlay ./overlays/openstack_versioned_overlay.yaml \ # --overlay ./overlays/openstack_versioned_overlay_gemini.yaml \ diff --git a/config/overlays/advanced-routing.yaml b/config/overlays/advanced-routing.yaml new file mode 100644 index 0000000..4f38d6f --- /dev/null +++ b/config/overlays/advanced-routing.yaml 
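Review bot: Moving `--overlay ./overlays/ssl.yaml` and `ssl_${series}.yaml` into the commented block means a plain run of this script no longer applies the TLS overlays, so — if those overlays are what supplies certificates to the API endpoints, which this diff does not show — the cloud now comes up with HTTP endpoints and Keystone credentials crossing the wire in clear. The diff gives no reason for the change; if the intent is opt-in for lab deploys, a comment such as `# ssl/lma/landscape overlays are opt-in: pass them as extra arguments` makes that explicit so a production run does not lose them silently. Separately, the trailing `$*` word-splits and re-globs any overlay path containing spaces; `"$@"` is the correct form. The `juju deploy` command begins before this hunk.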
@@ -0,0 +1,31 @@ +applications: + external-advanced-routing: + charm: cs:advanced-routing + options: + enable-advanced-routing: true + advanced-routing-config: | + [ { + "type": "table", + "table": "SF1" + }, { + "type": "route", + "default_route": true, + "gateway": "192.168.1.254", + "table": "SF1" + }, { + "type": "rule", + "from-net": "192.168.1.0/24", + "to-net": "192.168.1.0/24", + "priority": 100 + }, { + "type": "rule", + "from-net": "192.168.1.0/24", + "table": "SF1", + "priority": 101 + } ] + # See LP #1871856: + # Charm shouldn't "block" if apply-changes action is configured + action-managed-update: False + +relations: + - [ "external-advanced-routing:juju-info", "aodh:juju-info" ] diff --git a/config/overlays/landscape.yaml b/config/overlays/landscape.yaml new file mode 100644 index 0000000..8049422 --- /dev/null +++ b/config/overlays/landscape.yaml 
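Review bot: The first `rule` entry (`from-net`/`to-net` 192.168.1.0/24, priority 100) names no `table`, so which table it selects depends on the charm's default, while the second rule sends all other traffic sourced from 192.168.1.0/24 to table `SF1`, whose only route is a default via 192.168.1.254; a comment stating the intent, e.g. `# keep subnet-local traffic on the main table; everything else from this source leaves via 192.168.1.254`, plus a note confirming the charm's default-table behaviour, would make the policy auditable. The overlay relates the subordinate only to `aodh`, and a reader cannot tell whether that is deliberate or a leftover from testing — say so in a comment beside the relation. `action-managed-update: False` should be lowercase `false`: the capitalised form is a YAML 1.1 boolean that linters flag, and `enable-advanced-routing` two lines up already uses lowercase `true`.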
@@ -0,0 +1,151 @@ +variables: + oam-space: &oam-space oam + openstack-origin: &openstack-origin distro + +applications: + landscape-server: + charm: cs:landscape-server + series: bionic + bindings: + "": *oam-space + options: + install_sources: |- + - 'deb http://192.168.1.12/ppa.launchpad.net/landscape/19.10/ubuntu bionic main' + install_keys: |- + - | + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: SKS 1.1.6 + Comment: Hostname: keyserver.ubuntu.com + mI0ESXN/egEEAOgRYISU9dnQm4BB5ZEEwKT+NKUDNd/DhMYdtBMw9Yk7S5cyoqpbtwoPJVzK + AXxq+ng5e3yYypSv98pLMr5UF09FGaeyGlD4s1uaVFWkFCO4jsTg7pWIY6qzO/jMxB5+Yu/G + 0GjWQMNKxFk0oHMa0PhNBZtdPacVz65mOVmCsh/lABEBAAG0G0xhdW5jaHBhZCBQUEEgZm9y + IExhbmRzY2FwZYi2BBMBAgAgBQJJc396AhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQ + boWobkZStOb+rwP+ONKUWeX+MTIPqGWkknBPV7jm8nyyIUojC4IhS+9YR6GYnn0hMABSkEHm + IV73feKmrT2GESYI1UdYeKiOkWsPN/JyBk+eTvKet0qsw5TluqiHSW+LEi/+zUyrS3dDMX3o + yaLgYa+UkjIyxnaKLkQuCiS+D+fYwnJulIkhaKObtdE= + =UwRd + -----END PGP PUBLIC KEY BLOCK----- + license-file: include-base64://../../secrets/ldslicense.txt + #root-url: http://landscape.example.com/ + num_units: 3 + to: + - 300 + - 301 + - 302 + landscape-rabbitmq-server: + charm: cs:rabbitmq-server + bindings: + "": *oam-space + cluster: *oam-space + amqp: *oam-space + num_units: 3 + options: + source: *openstack-origin + min-cluster-size: 3 + cluster-partition-handling: pause_minority + to: + - lxd:300 + - lxd:301 + - lxd:302 + landscape-postgresql: + charm: cs:postgresql + series: bionic + bindings: + "": *oam-space + options: + extra_packages: python-apt postgresql-contrib postgresql-.*-debversion postgresql-plpython.* + max_connections: 500 + max_prepared_transactions: 500 + num_units: 2 + to: + - lxd:300 + - lxd:301 + landscape-haproxy: + charm: cs:haproxy + bindings: + "": *oam-space + options: + default_timeouts: "queue 60000, connect 5000, client 120000, server 120000" + services: "" + source: backports + ssl_cert: SELFSIGNED + global_default_bind_options: "no-tlsv10" 
+ num_units: 1 + to: + - lxd:302 + landscape-client: + charm: cs:landscape-client + options: + account-name: "standalone" + #registration-key: include-file://../secrets/landscape-registration.txt + disable-unattended-upgrades: True + # the reason that this has to be done manually is because Landscape server needs an admin user to be + # created first (manual step, see above). Once the user and registration key is set configure the clients' url and ping-url options. + #ping-url: http://landscape.example.com/ping + #url: https://landscape.example.com/message-system + landscape-client-bionic: + charm: cs:landscape-client + options: + account-name: "standalone" + origin: | + deb http://192.168.1.12/ppa.launchpad.net/landscape/19.10/ubuntu bionic main|-----BEGIN PGP PUBLIC KEY BLOCK----- + Version: SKS 1.1.6 + Comment: Hostname: keyserver.ubuntu.com + mI0ESXN/egEEAOgRYISU9dnQm4BB5ZEEwKT+NKUDNd/DhMYdtBMw9Yk7S5cyoqpbtwoPJVzK + AXxq+ng5e3yYypSv98pLMr5UF09FGaeyGlD4s1uaVFWkFCO4jsTg7pWIY6qzO/jMxB5+Yu/G + 0GjWQMNKxFk0oHMa0PhNBZtdPacVz65mOVmCsh/lABEBAAG0G0xhdW5jaHBhZCBQUEEgZm9y + IExhbmRzY2FwZYi2BBMBAgAgBQJJc396AhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQ + boWobkZStOb+rwP+ONKUWeX+MTIPqGWkknBPV7jm8nyyIUojC4IhS+9YR6GYnn0hMABSkEHm + IV73feKmrT2GESYI1UdYeKiOkWsPN/JyBk+eTvKet0qsw5TluqiHSW+LEi/+zUyrS3dDMX3o + yaLgYa+UkjIyxnaKLkQuCiS+D+fYwnJulIkhaKObtdE= + =UwRd + -----END PGP PUBLIC KEY BLOCK----- + #registration-key: include-file://../secrets/landscape-registration.txt + disable-unattended-upgrades: True + # the reason that this has to be done manually is because Landscape server needs an admin user to be + # created first (manual step, see above). Once the user and registration key is set configure the clients' url and ping-url options. 
+ #ping-url: http://landscape.example.com/ping + #url: https://landscape.example.com/message-system + +relations: + # Landscape Applications + - [ "landscape-server:juju-info", "ntp:juju-info" ] + + - [ "landscape-rabbitmq-server:juju-info", "ntp:juju-info" ] + - [ "landscape-rabbitmq-server:juju-info", "landscape-client:container" ] + + - [ "landscape-postgresql:juju-info", "ntp:juju-info" ] + + - [ "landscape-server:amqp", "landscape-rabbitmq-server:amqp" ] + - [ "landscape-server:website", "landscape-haproxy:reverseproxy" ] + - [ "landscape-server:db", "landscape-postgresql:db-admin" ] + + # landscape-client-bionic + - [ "landscape-client-bionic:container", "landscape-haproxy:juju-info" ] + - [ "landscape-client-bionic:container", "landscape-postgresql:juju-info" ] + - [ "landscape-client-bionic:container", "landscape-server:juju-info" ] + + # landscape-client + - [ "landscape-client:container", "vault:juju-info" ] + - [ "landscape-client:container", "etcd:juju-info" ] + - [ "landscape-client:container", "easyrsa:juju-info" ] + - [ "landscape-client:container", "memcached:juju-info" ] + - [ "landscape-client:container", "nova-compute:juju-info" ] + - [ "landscape-client:container", "neutron-gateway:juju-info" ] + - [ "landscape-client:container", "keystone:juju-info" ] + - [ "landscape-client:container", "glance:juju-info" ] + - [ "landscape-client:container", "cinder:juju-info" ] +# - [ "landscape-client:container", "cinder2:juju-info" ] + - [ "landscape-client:container", "heat:juju-info" ] + - [ "landscape-client:container", "mysql-innodb-cluster:juju-info" ] + - [ "landscape-client:container", "ceph-mon:juju-info" ] + - [ "landscape-client:container", "neutron-api:juju-info" ] + - [ "landscape-client:container", "rabbitmq-server:juju-info" ] + - [ "landscape-client:container", "openstack-dashboard:juju-info" ] + - [ "landscape-client:container", "nova-cloud-controller:juju-info" ] + - [ "landscape-client:container", "gnocchi:juju-info" ] + - [ 
"landscape-client:container", "ceilometer:juju-info" ] + - [ "landscape-client:container", "aodh:juju-info" ] + - [ "landscape-client:container", "placement:juju-info" ] + - [ "landscape-client:container", "juniper-server:juju-info" ] + diff --git a/config/overlays/lma.yaml b/config/overlays/lma.yaml new file mode 100644 index 0000000..1382dda --- /dev/null +++ b/config/overlays/lma.yaml 
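Review bot: `disable-unattended-upgrades: True` (in both landscape-client and landscape-client-bionic) uses the capitalised boolean while the rest of the overlay writes `true`/`false`; make it `disable-unattended-upgrades: true`. The comment "Landscape server needs an admin user to be created first (manual step, see above)" was carried over from the bundle, but nothing "above" in this new overlay describes that step — point it at wherever the procedure now lives, or spell it out in the comment. landscape-haproxy terminates TLS with `ssl_cert: SELFSIGNED`, so once the commented-out `url: https://landscape.example.com/message-system` is enabled the clients have no trust path to that certificate; the note should say how the certificate is to be distributed (the client charm's ssl-public-key option, if I remember the option name correctly) or that a real certificate replaces SELFSIGNED first. The two landscape-client application blocks differ only in `origin`; a shared anchor (the file already relies on `*oam-space`) would keep their remaining options from drifting apart.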
@@ -0,0 +1,415 @@ +variables: + oam-space: &oam-space oam + public-space: &public-space oam + internal-space: &internal-space oam + nagios-context: &nagios-context arif-nc01 + oam-space-constr: &oam-space-constr spaces=oam + +applications: + graylog: + charm: cs:graylog + bindings: + "": *oam-space + num_units: 1 + options: + channel: "4/stable" + jvm_heap_size: '1G' + rest_transport_uri: http://graylog.example.com:9001 + index_rotation_period: PT3H + to: + - 200 + graylog-mongodb: + charm: cs:mongodb + bindings: + "": *oam-space + num_units: 1 + options: + nagios_context: *nagios-context + to: + - lxd:200 + elasticsearch: + charm: cs:elasticsearch + bindings: + "": *oam-space + num_units: 2 + options: + firewall_enabled: False + es-heap-size: 2 + gpg-key: | + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: SKS 1.1.6 + Comment: Hostname: keyserver.ubuntu.com + + mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBDA+bGFOwy + hbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9CUliQe324qvObU2Q + RtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZj3SF1SPO+TB5QrHkrQHBsmX+ + Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj + 1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEB + AAG0RUVsYXN0aWNzZWFyY2ggKEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3Bz + QGVsYXN0aWNzZWFyY2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYC + AwECHgECF4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 + nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/7C2GuGCO + lbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKmTxcDTFrV7SmVPxCB + cQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe8d7sw+XvxB2aN4gnTlRzjL1n + TRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3 + vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUlzcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNM + KGTABFG1yRx9r+wa/fvqP6OTRzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hp + lnpU+PBQZJ5XJ2I+1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA + 
07xx7Bj+Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt + KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0KwwEwSk/UDu + ToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0c3MIAIE9hAR20mqJ + WLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12JTavnJ5MLaETlggXY+zDef9sy + TPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZ + EyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWg + R7U2r+a210W6vnUxU4oN0PmMcursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNt + fllxIu9XYmiBERQ/qPDlGRlOgVTd9xUfHFkzB52c70E= + =92oX + -----END PGP PUBLIC KEY BLOCK----- + apt-repository: 'deb http://192.168.1.12/artifacts.elastic.co/packages/6.x/apt stable main' + to: + - 201 + - 202 + filebeat: + charm: cs:filebeat + options: + logpath: "/var/log/*.log /var/log/*/*.log /var/log/syslog" + install_keys: |- + - | + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: SKS 1.1.6 + Comment: Hostname: keyserver.ubuntu.com + mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBDA+bGFOwy + hbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9CUliQe324qvObU2Q + RtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZj3SF1SPO+TB5QrHkrQHBsmX+ + Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj + 1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEB + AAG0RUVsYXN0aWNzZWFyY2ggKEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3Bz + QGVsYXN0aWNzZWFyY2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYC + AwECHgECF4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 + nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/7C2GuGCO + lbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKmTxcDTFrV7SmVPxCB + cQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe8d7sw+XvxB2aN4gnTlRzjL1n + TRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3 + vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUlzcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNM + 
KGTABFG1yRx9r+wa/fvqP6OTRzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hp + lnpU+PBQZJ5XJ2I+1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA + 07xx7Bj+Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt + KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0KwwEwSk/UDu + ToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0c3MIAIE9hAR20mqJ + WLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12JTavnJ5MLaETlggXY+zDef9sy + TPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZ + EyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWg + R7U2r+a210W6vnUxU4oN0PmMcursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNt + fllxIu9XYmiBERQ/qPDlGRlOgVTd9xUfHFkzB52c70E= + =92oX + -----END PGP PUBLIC KEY BLOCK----- + install_sources: | + - 'deb http://192.168.1.12/artifacts.elastic.co/packages/6.x/apt stable main' + nagios: + charm: cs:nagios + series: bionic + bindings: + "": *oam-space + num_units: 1 + options: + enable_livestatus: true + check_timeout: 50 + to: + - lxd:202 + openstack-service-checks: + charm: cs:~llama-charmers-next/openstack-service-checks + constraints: *oam-space-constr + bindings: + "": *public-space + identity-credentials: *internal-space + num_units: 1 + to: + - lxd:202 + nrpe-host: + charm: cs:nrpe + bindings: + monitors: *oam-space + options: + nagios_hostname_type: "host" + nagios_host_context: *nagios-context + xfs_errors: "30" + netlinks: | + - bond0 mtu:1500 speed:1000 + - bond1 mtu:9000 speed:50000 + - eno1 mtu:1500 speed:1000 + - eno2 mtu:1500 speed:1000 + - enp25s0f0 mtu:9000 speed:25000 + - enp25s0f1 mtu:9000 speed:25000 + nrpe-container: + charm: cs:nrpe + bindings: + monitors: *oam-space + options: + nagios_hostname_type: unit + nagios_host_context: *nagios-context + disk_root: '' + load: '' + swap: '' + swap_activity: '' + mem: '' + prometheus: + charm: cs:prometheus2 + bindings: + "": *oam-space + num_units: 1 + to: + - lxd:201 + prometheus-openstack-exporter: + charm: 
cs:prometheus-openstack-exporter + constraints: *oam-space-constr + bindings: + "": *public-space + identity-credentials: *internal-space + prometheus-openstack-exporter-service: *oam-space + num_units: 1 + to: + - lxd:201 + grafana: + charm: cs:~prometheus-charmers/grafana + bindings: + "": *oam-space + options: + port: "3000" + install_method: snap + num_units: 1 + to: + - lxd:201 + telegraf: + charm: cs:telegraf + options: + # Contrail services are listening on 8094 + socket_listener_port: '8095' + install_sources: | + - 'deb http://192.168.1.12/ppa.launchpad.net/telegraf-devs/ppa/ubuntu focal main' + install_keys: |- + - | + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: SKS 1.1.6 + Comment: Hostname: keyserver.ubuntu.com + mQINBFcVSuIBEAC80aj0tAQ6+NhGV/bkSwu6Oj+BpDR50Be3uBv7ttdtvChL5zHTnaxjdK3h + LKSyrDLlmSOkffQ2uO7CxvqeF09MsHhyvrDDx0EY54//xxoAB++PoB2OQqmqldg3Al5Hp4Dz + rllV5CIX5PD8NGX8UpO3HXk5wEwn9G81l8cia3vPveU82EIkHMiJGpk6+L86OMlwXzxkSI3M + xXgNFKQc+ELDYLvGSseYC9vPN3kdmFoo/UjznPPE4fxr4bXit3N8Abl1jYjBa0x6SWkK1BAb + s8w3BXtvyk90z9Oyme69wPD4zAYfFp+kN2nDmTDBMtNCyMu9oatdI5SukMNK4Lcm8eAE6VNs + 04j7BKvGk9+17M8WP9Pw8nIisOwScS9gUlJlLUpnBaJ+sxoOvGQ4mzZxYMKzJh0E58aEX3bS + AyzQfsae8bZLNOTcgotyzzIDJFF9npzu3wmKjeOt/706p4LiDqKUbQK6cI+QcJ/y80ZUK8pB + M043ttSHWLmTBFX2drp6zQGae9+02fX89ZD+5c+MPlubJMYCCKkvQT4OssHfC+dVDQ66rwUy + OObrzsVgikdpIxQVitL3J+Dms56xAkdFfoo+qdxxdv9S/eakc5mfavc/4WVvmFDaJiqJnJRR + Ryw1zApRtuweEEdVn8niy1mahoKpWaw1pTI4AazjWI6xJH1JyQARAQABtB9MYXVuY2hwYWQg + UFBBIGZvciBUZWxlZ3JhZiBEZXZziQI4BBMBAgAiBQJXFUriAhsDBgsJCAcDAgYVCAIJCgsE + FgIDAQIeAQIXgAAKCRDxDL4ByUQG9UgbEACa4IzdeYxH/S5I6MrZfvWNo/JTZ/MZWDD+QlMW + 60ThAemCUSE+NJvZZ1q7ovGFpYnHJT9GQXOwJAX1quDUqyM1uXNmLlOyIVNnmjUTINoLhw2V + iC8E7dMWC9w4Na2fKezmNHH00kNl43ncstIjjZ3pLnDGYm1y0ItiCUcTRgHhx2cUZ/vStz1S + Pdqj4P3i8vuspoYJ2T3VPlM/0G+u9Yjuy3Uzu9RugOyO3UJPoi3+4O2VTNosSBy5MILVCp49 + eigyFVGpq5sT/c86qd1zqmsNWEubrlzDfETS4LMj9epr46ZKPXGQkeryt1m2Oe0HkIdNZ+IQ + 
5p+i9fnEy7/1uKTXWQYsg2UWsLA2PvTvwY8JxxMhUFgv12q2w7STntqJyi9PLItYNtbtKoS3 + XZCCMqQLCWMXHY+2ol6rRSfs06H/wzlR8LjDaEXkDVuDmqMtcbgTboZYblsGxst7I/Y4Wgfi + J52uiIyobQ69uJbG0XeRTLZ3WyrBkopEsTX/+sQjVqbADXYU4hBVDgnCf2uN/5dcwSEvDj8/ + +WsToAfEJkscRBsQjTLVzf+eFqHLrbqz/yoYIqBc//IJMBSbxIf5mrOHHLdbOuMCB6PVwpTI + vLFOSDNPuVDX+S1goA8KJTnXpm8jWDynn3XaXx3AlYw4iZ0ETSgQLQLRd6JuPOEGXsGdBA== + =ufaX + -----END PGP PUBLIC KEY BLOCK----- + extra_plugins: | + [[inputs.exec]] + commands = [ "/usr/bin/awk '{print int($1)}' /proc/uptime" ] + name_override = "exec_uptime" + data_format = "value" + bindings: + # overrides private-address exposed to prometheus + prometheus-client: *oam-space + telegraf-prometheus: + charm: cs:telegraf + bindings: + # overrides private-address exposed to prometheus + prometheus-client: *oam-space + options: + install_sources: | + - 'deb http://192.168.1.12/ppa.launchpad.net/telegraf-devs/ppa/ubuntu focal main' + install_keys: |- + - | + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: SKS 1.1.6 + Comment: Hostname: keyserver.ubuntu.com + mQINBFcVSuIBEAC80aj0tAQ6+NhGV/bkSwu6Oj+BpDR50Be3uBv7ttdtvChL5zHTnaxjdK3h + LKSyrDLlmSOkffQ2uO7CxvqeF09MsHhyvrDDx0EY54//xxoAB++PoB2OQqmqldg3Al5Hp4Dz + rllV5CIX5PD8NGX8UpO3HXk5wEwn9G81l8cia3vPveU82EIkHMiJGpk6+L86OMlwXzxkSI3M + xXgNFKQc+ELDYLvGSseYC9vPN3kdmFoo/UjznPPE4fxr4bXit3N8Abl1jYjBa0x6SWkK1BAb + s8w3BXtvyk90z9Oyme69wPD4zAYfFp+kN2nDmTDBMtNCyMu9oatdI5SukMNK4Lcm8eAE6VNs + 04j7BKvGk9+17M8WP9Pw8nIisOwScS9gUlJlLUpnBaJ+sxoOvGQ4mzZxYMKzJh0E58aEX3bS + AyzQfsae8bZLNOTcgotyzzIDJFF9npzu3wmKjeOt/706p4LiDqKUbQK6cI+QcJ/y80ZUK8pB + M043ttSHWLmTBFX2drp6zQGae9+02fX89ZD+5c+MPlubJMYCCKkvQT4OssHfC+dVDQ66rwUy + OObrzsVgikdpIxQVitL3J+Dms56xAkdFfoo+qdxxdv9S/eakc5mfavc/4WVvmFDaJiqJnJRR + Ryw1zApRtuweEEdVn8niy1mahoKpWaw1pTI4AazjWI6xJH1JyQARAQABtB9MYXVuY2hwYWQg + UFBBIGZvciBUZWxlZ3JhZiBEZXZziQI4BBMBAgAiBQJXFUriAhsDBgsJCAcDAgYVCAIJCgsE + FgIDAQIeAQIXgAAKCRDxDL4ByUQG9UgbEACa4IzdeYxH/S5I6MrZfvWNo/JTZ/MZWDD+QlMW + 
60ThAemCUSE+NJvZZ1q7ovGFpYnHJT9GQXOwJAX1quDUqyM1uXNmLlOyIVNnmjUTINoLhw2V + iC8E7dMWC9w4Na2fKezmNHH00kNl43ncstIjjZ3pLnDGYm1y0ItiCUcTRgHhx2cUZ/vStz1S + Pdqj4P3i8vuspoYJ2T3VPlM/0G+u9Yjuy3Uzu9RugOyO3UJPoi3+4O2VTNosSBy5MILVCp49 + eigyFVGpq5sT/c86qd1zqmsNWEubrlzDfETS4LMj9epr46ZKPXGQkeryt1m2Oe0HkIdNZ+IQ + 5p+i9fnEy7/1uKTXWQYsg2UWsLA2PvTvwY8JxxMhUFgv12q2w7STntqJyi9PLItYNtbtKoS3 + XZCCMqQLCWMXHY+2ol6rRSfs06H/wzlR8LjDaEXkDVuDmqMtcbgTboZYblsGxst7I/Y4Wgfi + J52uiIyobQ69uJbG0XeRTLZ3WyrBkopEsTX/+sQjVqbADXYU4hBVDgnCf2uN/5dcwSEvDj8/ + +WsToAfEJkscRBsQjTLVzf+eFqHLrbqz/yoYIqBc//IJMBSbxIf5mrOHHLdbOuMCB6PVwpTI + vLFOSDNPuVDX+S1goA8KJTnXpm8jWDynn3XaXx3AlYw4iZ0ETSgQLQLRd6JuPOEGXsGdBA== + =ufaX + -----END PGP PUBLIC KEY BLOCK----- + +relations: + + # grafana + - [ "grafana:juju-info", "filebeat:beats-host" ] + - [ "grafana:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + - [ "grafana:juju-info", "landscape-client:container" ] + + # graylog + - [ "graylog:elasticsearch", "elasticsearch:client" ] + - [ "graylog:mongodb", "graylog-mongodb:database" ] + - [ "graylog:beats", "filebeat:logstash" ] + - [ "graylog:nrpe-external-master", "nrpe-host:nrpe-external-master" ] + - [ "graylog:juju-info", "telegraf:juju-info" ] + - [ "graylog:juju-info", "landscape-client:container" ] + + # nagios + - [ "nagios:juju-info", "filebeat:beats-host" ] + - [ "nagios:monitors", "nrpe-container:monitors" ] + - [ "nagios:monitors", "nrpe-host:monitors" ] + - [ "nagios:juju-info", "landscape-client-bionic:container" ] + + # openstack-service-checks + - [ "openstack-service-checks:identity-credentials", "keystone:identity-credentials" ] + - [ "openstack-service-checks:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + - [ "openstack-service-checks:juju-info", "filebeat:beats-host" ] + - [ "openstack-service-checks:juju-info", "landscape-client:container" ] + + # graylog-mongodb + - [ "graylog-mongodb:juju-info", "filebeat:beats-host" ] + - [ "graylog-mongodb:nrpe-external-master", 
"nrpe-container:nrpe-external-master" ] + - [ "graylog-mongodb:juju-info", "landscape-client:container" ] + + # elasticsearch + - [ "elasticsearch:juju-info", "filebeat:beats-host" ] + - [ "elasticsearch:juju-info", "telegraf:juju-info" ] + - [ "elasticsearch:nrpe-external-master", "nrpe-host:nrpe-external-master" ] + - [ "elasticsearch:juju-info", "landscape-client:container" ] + + # prometheus + - [ "prometheus:juju-info", "filebeat:beats-host" ] + - [ "prometheus:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + - [ "prometheus:juju-info", "telegraf-prometheus:juju-info" ] + - [ "prometheus:grafana-source", "grafana:grafana-source" ] + - [ "prometheus:target", "telegraf:prometheus-client" ] + - [ "prometheus:juju-info", "landscape-client:container" ] + + # prometheus-openstack-exporter + - [ "prometheus-openstack-exporter:identity-credentials", "keystone:identity-credentials" ] + - [ "prometheus-openstack-exporter:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + - [ "prometheus-openstack-exporter:prometheus-openstack-exporter-service", "prometheus:target" ] + - [ "prometheus-openstack-exporter:juju-info", "filebeat:beats-host" ] + - [ "prometheus-openstack-exporter:juju-info", "landscape-client:container" ] + + # grafana dashboards + - [ "grafana:dashboards", "telegraf:dashboards" ] + - [ "grafana:dashboards", "telegraf-prometheus:dashboards" ] + + # vault lma/monitoring + - [ "filebeat:beats-host", "vault:juju-info" ] + - [ "nrpe-container:nrpe-external-master", "vault:nrpe-external-master" ] + + - [ "filebeat:beats-host", "etcd:juju-info" ] + - [ "nrpe-container:nrpe-external-master", "etcd:nrpe-external-master" ] + + - [ "filebeat:beats-host", "easyrsa:juju-info" ] + - [ "nrpe-container:general-info", "easyrsa:juju-info" ] + + + - [ "nova-compute:juju-info", "filebeat:beats-host" ] +# - [ "nova-compute:juju-info", "telegraf:juju-info" ] + - [ "nova-compute:nrpe-external-master", "nrpe-host:nrpe-external-master" ] + + - [ 
"ceph-osd:juju-info", "telegraf:juju-info" ] + + - [ "neutron-gateway:juju-info", "filebeat:beats-host" ] + - [ "neutron-gateway:juju-info", "telegraf:juju-info" ] + - [ "neutron-gateway:nrpe-external-master", "nrpe-host:nrpe-external-master" ] + + - [ "keystone:juju-info", "filebeat:beats-host" ] + - [ "keystone:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + + - [ "glance:juju-info", "filebeat:beats-host" ] + - [ "glance:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + + - [ "cinder:juju-info", "filebeat:beats-host" ] + - [ "cinder:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + +# - [ "cinder2:juju-info", "filebeat:beats-host" ] +# - [ "cinder2:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + + - [ "heat:juju-info", "filebeat:beats-host" ] + - [ "heat:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + + - [ "mysql-innodb-cluster:juju-info", "filebeat:beats-host" ] + - [ "mysql-innodb-cluster:juju-info", "nrpe-container:general-info" ] + + - [ "ceph-mon:prometheus", "prometheus:target" ] + - [ "ceph-mon:juju-info", "filebeat:beats-host" ] + - [ "ceph-mon:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + + - [ "neutron-api:juju-info", "filebeat:beats-host" ] + - [ "neutron-api:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + + - [ "rabbitmq-server:juju-info", "filebeat:beats-host" ] + - [ "rabbitmq-server:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + + - [ "openstack-dashboard:juju-info", "filebeat:beats-host" ] + - [ "openstack-dashboard:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + + - [ "nova-cloud-controller:juju-info", "filebeat:beats-host" ] + - [ "nova-cloud-controller:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + + - [ "gnocchi:juju-info", "filebeat:beats-host" ] + - [ "gnocchi:juju-info", "nrpe-container:general-info" ] + + - [ "ceilometer:juju-info", "filebeat:beats-host" ] + - [ 
"ceilometer:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + + - [ "aodh:juju-info", "filebeat:beats-host" ] + - [ "aodh:juju-info", "nrpe-container:general-info" ] + + - [ "placement:juju-info", "filebeat:beats-host" ] + - [ "placement:juju-info", "nrpe-container:general-info" ] + + - [ "juniper-server:juju-info", "filebeat:beats-host" ] + - [ "juniper-server:juju-info", "telegraf:juju-info" ] + - [ "juniper-server:juju-info", "nrpe-host:general-info" ] + + - [ "hacluster-aodh:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + - [ "hacluster-cinder:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + - [ "hacluster-glance:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + - [ "hacluster-gnocchi:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + - [ "hacluster-heat:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + - [ "hacluster-horizon:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + - [ "hacluster-keystone:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + - [ "hacluster-neutron:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + - [ "hacluster-nova:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + - [ "hacluster-placement:nrpe-external-master", "nrpe-container:nrpe-external-master" ] + + - [ "landscape-server:juju-info", "filebeat:beats-host" ] + - [ "landscape-server:juju-info", "nrpe-host:general-info" ] + - [ "landscape-server:juju-info", "telegraf:juju-info" ] + + - [ "landscape-rabbitmq-server:juju-info", "filebeat:beats-host" ] + - [ "landscape-rabbitmq-server:nrpe-external-master", "nrpe-host:nrpe-external-master" ] + + - [ "landscape-postgresql:juju-info", "filebeat:beats-host" ] + - [ "landscape-postgresql:local-monitors", "nrpe-host:local-monitors" ] + - [ "landscape-postgresql:juju-info", "nrpe-host:general-info" ] + + - [ "landscape-haproxy:juju-info", "filebeat:beats-host" ] + - [ 
"landscape-haproxy:juju-info", "nrpe-host:general-info" ] + - [ "landscape-haproxy:local-monitors", "nrpe-host:local-monitors" ] + diff --git a/config/overlays/lma_offers.yaml b/config/overlays/lma_offers.yaml index 618b8ba..6a38851 100644 --- a/config/overlays/lma_offers.yaml +++ b/config/overlays/lma_offers.yaml @@ -1,9 +1,6 @@ applications: graylog: offers: - graylog-info: - endpoints: - - juju-info graylog-beats: endpoints: - beats diff --git a/config/overlays/openstack_versioned_overlay_focal.yaml b/config/overlays/openstack_versioned_overlay_focal.yaml index e5940f6..7d39e0d 100644 --- a/config/overlays/openstack_versioned_overlay_focal.yaml +++ b/config/overlays/openstack_versioned_overlay_focal.yaml @@ -29,14 +29,17 @@ applications: charm: cs:cinder-ceph-262 # upgrade to support availability-zone specification controller-server: charm: cs:ubuntu-18 + lma-server: + charm: cs:ubuntu-18 + series: bionic easyrsa: charm: cs:~containers/easyrsa-408 elasticsearch: charm: cs:elasticsearch-52 etcd: charm: cs:etcd-583 -# external-advanced-routing: -# charm: cs:advanced-routing-5 + external-advanced-routing: + charm: cs:advanced-routing-5 filebeat: charm: cs:filebeat-33 glance: @@ -95,10 +98,12 @@ applications: charm: cs:haproxy-61 landscape-postgresql: charm: cs:postgresql-233 + series: bionic landscape-rabbitmq-server: charm: cs:~openstack-charmers-next/rabbitmq-server-438 # attempted fix for LP#1939702 landscape-server: charm: cs:landscape-server-39 + series: bionic ldap-domain1: charm: cs:~openstack-charmers/ldap-test-fixture-4 ldap-domain2: 
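Review bot: `firewall_enabled: False` on elasticsearch switches off the charm-managed host firewall on both data nodes and the file gives no reason; presumably the `oam` space is treated as trusted, in which case say so in a comment above the key (`# firewall disabled: graylog/filebeat reach ES over the isolated oam space — <ticket>`), otherwise keep the charm default and rely on the `graylog:elasticsearch` relation to open what is needed. The same key uses the capitalised boolean while `enable_livestatus: true` on nagios uses the canonical form; write `firewall_enabled: false`. `rest_transport_uri: http://graylog.example.com:9001` publishes the Graylog API over plain HTTP on a name that appears nowhere else in the overlay; a comment saying where that name resolves, or that it is a placeholder to be replaced per site, would help the next deployer.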
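Review bot: `series: bionic` for landscape-server and landscape-postgresql is now set both here and in the new overlays/landscape.yaml, so the two files can silently disagree the next time one is edited; keep the series in one place (this versioned overlay is the natural home, since it already pins the new lma-server entry) and drop it from the other. The new `lma-server` entry pairs `cs:ubuntu-18` with `series: bionic` in an otherwise focal overlay; a comment stating why the LMA hosts stay on bionic (e.g. `# bionic: <which charm below does not yet support focal>`) would save the question at the next series upgrade.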
@@ -110,31 +115,43 @@ applications: memcached: charm: cs:memcached-32 mysql-innodb-cluster: - charm: cs:mysql-innodb-cluster-11 + charm: cs:mysql-innodb-cluster-15 aodh-mysql-router: - charm: cs:mysql-router-11 + charm: mysql-router + channel: 8.0/stable keystone-mysql-router: - charm: cs:mysql-router-11 + charm: mysql-router + channel: 8.0/stable cinder-mysql-router: - charm: cs:mysql-router-11 + charm: mysql-router + channel: 8.0/stable glance-mysql-router: - charm: cs:mysql-router-11 + charm: mysql-router + channel: 8.0/stable gnocchi-mysql-router: - charm: cs:mysql-router-11 + charm: mysql-router + channel: 8.0/stable heat-mysql-router: - charm: cs:mysql-router-11 + charm: mysql-router + channel: 8.0/stable nova-cloud-controller-mysql-router: - charm: cs:mysql-router-11 + charm: mysql-router + channel: 8.0/stable neutron-api-mysql-router: - charm: cs:mysql-router-11 + charm: mysql-router + channel: 8.0/stable openstack-dashboard-mysql-router: - charm: cs:mysql-router-11 + charm: mysql-router + channel: 8.0/stable placement-mysql-router: - charm: cs:mysql-router-11 + charm: mysql-router + channel: 8.0/stable vault-mysql-router: - charm: cs:mysql-router-11 + charm: mysql-router + channel: 8.0/stable nagios: charm: cs:nagios-44 + series: bionic neutron-gateway: charm: cs:neutron-gateway-291 neutron-openvswitch: @@ -148,8 +165,6 @@ applications: nova-compute: charm: nova-compute channel: "ussuri/edge" - revision: 550 - architecture: *charm-arch series: *charm-series nrpe-container: charm: cs:nrpe-73 diff --git a/config/overlays/resources.yaml b/config/overlays/resources.yaml index 05af36f..c9266f1 100644 --- a/config/overlays/resources.yaml +++ b/config/overlays/resources.yaml @@ -6,6 +6,12 @@ applications: resources: policyd-override: ../resources/keystone.zip + nova-cloud-controller: + options: + use-policyd-override: true + resources: + policyd-override: ../resources/nova.zip + prometheus: resources: core: ../resources/core_13308.snap 
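Review bot: Replacing `cs:mysql-router-11` with `charm: mysql-router` / `channel: 8.0/stable` on all eleven router applications removes the revision pin this "versioned" overlay exists to provide — each deploy now takes whatever 8.0/stable resolves to at that moment, so two deployments from the same commit can receive different charms. The following hunk does the same for nova-compute by deleting `revision: 550` while leaving it on `channel: "ussuri/edge"`, the least stable channel. If tracking the channel is intended, a comment above the first router (`# channel-tracked on purpose: <reason>`) should say so; otherwise add `revision: <pinned-revision>` beside each `channel:` line.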
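Review bot: The new `policyd-override: ../resources/nova.zip` with `use-policyd-override: true` turns on policy override for nova-cloud-controller, yet the archive's contents are not part of the diff, so a reviewer cannot see which RBAC rules it rewrites. A comment naming the archive's source and intent (e.g. `# nova.zip built from <policy source>: overrides <which rules> because <reason>`) is needed, or better, commit the policy source alongside it as appears to be done for keystone (`resources/keystone.yaml`, which this same commit cuts from 2024 lines to 4). Because a policy override changes authorisation on an API service, it is also worth recording which OpenStack release the override was validated against, since policy defaults move between releases.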
diff --git a/resources/keystone.yaml b/resources/keystone.yaml
index 0d20653..460a6a2 100644
--- a/resources/keystone.yaml
+++ b/resources/keystone.yaml
@@ -1,2024 +1,4 @@ -# -#"admin_required": "role:admin or is_admin:1" - -# -#"service_role": "role:service" - -# -#"service_or_admin": "rule:admin_required or rule:service_role" - -# -#"owner": "user_id:%(user_id)s" - -# -#"admin_or_owner": "rule:admin_required or rule:owner" - -# -#"token_subject": "user_id:%(target.token.user_id)s" - -# -#"admin_or_token_subject": "rule:admin_required or rule:token_subject" - -# -#"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject" - -# Show access rule details. -# GET /v3/users/{user_id}/access_rules/{access_rule_id} -# HEAD /v3/users/{user_id}/access_rules/{access_rule_id} -# Intended scope(s): system, project -#"identity:get_access_rule": "(role:reader and system_scope:all) or user_id:%(target.user.id)s" - -# List access rules for a user. -# GET /v3/users/{user_id}/access_rules -# HEAD /v3/users/{user_id}/access_rules -# Intended scope(s): system, project -#"identity:list_access_rules": "(role:reader and system_scope:all) or user_id:%(target.user.id)s" - -# Delete an access_rule. -# DELETE /v3/users/{user_id}/access_rules/{access_rule_id} -# Intended scope(s): system, project -#"identity:delete_access_rule": "(role:admin and system_scope:all) or user_id:%(target.user.id)s" - -# Authorize OAUTH1 request token. -# PUT /v3/OS-OAUTH1/authorize/{request_token_id} -# Intended scope(s): project -#"identity:authorize_request_token": "rule:admin_required" - -# Get OAUTH1 access token for user by access token ID. -# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} -# Intended scope(s): project -#"identity:get_access_token": "rule:admin_required" - -# Get role for user OAUTH1 access token. -# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id} -# Intended scope(s): project -#"identity:get_access_token_role": "rule:admin_required" - -# List OAUTH1 access tokens for user. 
-# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens -# Intended scope(s): project -#"identity:list_access_tokens": "rule:admin_required" - -# List OAUTH1 access token roles. -# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles -# Intended scope(s): project -#"identity:list_access_token_roles": "rule:admin_required" - -# Delete OAUTH1 access token. -# DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} -# Intended scope(s): project -#"identity:delete_access_token": "rule:admin_required" - -# Show application credential details. -# GET /v3/users/{user_id}/application_credentials/{application_credential_id} -# HEAD /v3/users/{user_id}/application_credentials/{application_credential_id} -# Intended scope(s): system, project -#"identity:get_application_credential": "(role:reader and system_scope:all) or rule:owner" - -# DEPRECATED -# "identity:get_application_credentials":"rule:admin_or_owner" has -# been deprecated since T in favor of -# "identity:get_application_credential":"(role:reader and -# system_scope:all) or rule:owner". The application credential API is -# now aware of system scope and default roles. -"identity:get_application_credentials": "rule:identity:get_application_credential" -# List application credentials for a user. -# GET /v3/users/{user_id}/application_credentials -# HEAD /v3/users/{user_id}/application_credentials -# Intended scope(s): system, project -#"identity:list_application_credentials": "(role:reader and system_scope:all) or rule:owner" - -# DEPRECATED -# "identity:list_application_credentials":"rule:admin_or_owner" has -# been deprecated since T in favor of -# "identity:list_application_credentials":"(role:reader and -# system_scope:all) or rule:owner". The application credential API is -# now aware of system scope and default roles. -# Create an application credential. 
-# POST /v3/users/{user_id}/application_credentials -# Intended scope(s): project -#"identity:create_application_credential": "user_id:%(user_id)s" - -# Delete an application credential. -# DELETE /v3/users/{user_id}/application_credentials/{application_credential_id} -# Intended scope(s): system, project -#"identity:delete_application_credential": "(role:admin and system_scope:all) or rule:owner" - -# DEPRECATED -# "identity:delete_application_credentials":"rule:admin_or_owner" has -# been deprecated since T in favor of -# "identity:delete_application_credential":"(role:admin and -# system_scope:all) or rule:owner". The application credential API is -# now aware of system scope and default roles. -"identity:delete_application_credentials": "rule:identity:delete_application_credential" -# Get service catalog. -# GET /v3/auth/catalog -# HEAD /v3/auth/catalog -#"identity:get_auth_catalog": "" - -# List all projects a user has access to via role assignments. -# GET /v3/auth/projects -# HEAD /v3/auth/projects -#"identity:get_auth_projects": "" - -# List all domains a user has access to via role assignments. -# GET /v3/auth/domains -# HEAD /v3/auth/domains -#"identity:get_auth_domains": "" - -# List systems a user has access to via role assignments. -# GET /v3/auth/system -# HEAD /v3/auth/system -#"identity:get_auth_system": "" - -# Show OAUTH1 consumer details. -# GET /v3/OS-OAUTH1/consumers/{consumer_id} -# Intended scope(s): system -#"identity:get_consumer": "role:reader and system_scope:all" - -# DEPRECATED "identity:get_consumer":"rule:admin_required" has been -# deprecated since T in favor of "identity:get_consumer":"role:reader -# and system_scope:all". The OAUTH1 consumer API is now aware of -# system scope and default roles. -# List OAUTH1 consumers. 
-# GET /v3/OS-OAUTH1/consumers -# Intended scope(s): system -#"identity:list_consumers": "role:reader and system_scope:all" - -# DEPRECATED "identity:list_consumers":"rule:admin_required" has been -# deprecated since T in favor of -# "identity:list_consumers":"role:reader and system_scope:all". The -# OAUTH1 consumer API is now aware of system scope and default roles. -# Create OAUTH1 consumer. -# POST /v3/OS-OAUTH1/consumers -# Intended scope(s): system -#"identity:create_consumer": "role:admin and system_scope:all" - -# DEPRECATED "identity:create_consumer":"rule:admin_required" has been -# deprecated since T in favor of -# "identity:create_consumer":"role:admin and system_scope:all". The -# OAUTH1 consumer API is now aware of system scope and default roles. -# Update OAUTH1 consumer. -# PATCH /v3/OS-OAUTH1/consumers/{consumer_id} -# Intended scope(s): system -#"identity:update_consumer": "role:admin and system_scope:all" - -# DEPRECATED "identity:update_consumer":"rule:admin_required" has been -# deprecated since T in favor of -# "identity:update_consumer":"role:admin and system_scope:all". The -# OAUTH1 consumer API is now aware of system scope and default roles. -# Delete OAUTH1 consumer. -# DELETE /v3/OS-OAUTH1/consumers/{consumer_id} -# Intended scope(s): system -#"identity:delete_consumer": "role:admin and system_scope:all" - -# DEPRECATED "identity:delete_consumer":"rule:admin_required" has been -# deprecated since T in favor of -# "identity:delete_consumer":"role:admin and system_scope:all". The -# OAUTH1 consumer API is now aware of system scope and default roles. -# Show credentials details. 
-# GET /v3/credentials/{credential_id} -# Intended scope(s): system, project -#"identity:get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" - -# DEPRECATED "identity:get_credential":"rule:admin_required" has been -# deprecated since S in favor of -# "identity:get_credential":"(role:reader and system_scope:all) or -# user_id:%(target.credential.user_id)s". The credential API is now -# aware of system scope and default roles. -# List credentials. -# GET /v3/credentials -# Intended scope(s): system, project -#"identity:list_credentials": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" - -# DEPRECATED "identity:list_credentials":"rule:admin_required" has -# been deprecated since S in favor of -# "identity:list_credentials":"(role:reader and system_scope:all) or -# user_id:%(target.credential.user_id)s". The credential API is now -# aware of system scope and default roles. -# Create credential. -# POST /v3/credentials -# Intended scope(s): system, project -#"identity:create_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" - -# DEPRECATED "identity:create_credential":"rule:admin_required" has -# been deprecated since S in favor of -# "identity:create_credential":"(role:admin and system_scope:all) or -# user_id:%(target.credential.user_id)s". The credential API is now -# aware of system scope and default roles. -# Update credential. -# PATCH /v3/credentials/{credential_id} -# Intended scope(s): system, project -#"identity:update_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" - -# DEPRECATED "identity:update_credential":"rule:admin_required" has -# been deprecated since S in favor of -# "identity:update_credential":"(role:admin and system_scope:all) or -# user_id:%(target.credential.user_id)s". The credential API is now -# aware of system scope and default roles. -# Delete credential. 
-# DELETE /v3/credentials/{credential_id} -# Intended scope(s): system, project -#"identity:delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" - -# DEPRECATED "identity:delete_credential":"rule:admin_required" has -# been deprecated since S in favor of -# "identity:delete_credential":"(role:admin and system_scope:all) or -# user_id:%(target.credential.user_id)s". The credential API is now -# aware of system scope and default roles. -# Show domain details. -# GET /v3/domains/{domain_id} -# Intended scope(s): system, domain, project -#"identity:get_domain": "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s" - -# DEPRECATED "identity:get_domain":"rule:admin_required or -# token.project.domain.id:%(target.domain.id)s" has been deprecated -# since S in favor of "identity:get_domain":"(role:reader and -# system_scope:all) or token.domain.id:%(target.domain.id)s or -# token.project.domain.id:%(target.domain.id)s". The domain API is now -# aware of system scope and default roles. -# List domains. -# GET /v3/domains -# Intended scope(s): system -#"identity:list_domains": "role:reader and system_scope:all" - -# DEPRECATED "identity:list_domains":"rule:admin_required" has been -# deprecated since S in favor of "identity:list_domains":"role:reader -# and system_scope:all". The domain API is now aware of system scope -# and default roles. -# Create domain. -# POST /v3/domains -# Intended scope(s): system -#"identity:create_domain": "role:admin and system_scope:all" - -# DEPRECATED "identity:create_domain":"rule:admin_required" has been -# deprecated since S in favor of "identity:create_domain":"role:admin -# and system_scope:all". The domain API is now aware of system scope -# and default roles. -# Update domain. 
-# PATCH /v3/domains/{domain_id} -# Intended scope(s): system -#"identity:update_domain": "role:admin and system_scope:all" - -# DEPRECATED "identity:update_domain":"rule:admin_required" has been -# deprecated since S in favor of "identity:update_domain":"role:admin -# and system_scope:all". The domain API is now aware of system scope -# and default roles. -# Delete domain. -# DELETE /v3/domains/{domain_id} -# Intended scope(s): system -#"identity:delete_domain": "role:admin and system_scope:all" - -# DEPRECATED "identity:delete_domain":"rule:admin_required" has been -# deprecated since S in favor of "identity:delete_domain":"role:admin -# and system_scope:all". The domain API is now aware of system scope -# and default roles. -# Create domain configuration. -# PUT /v3/domains/{domain_id}/config -# Intended scope(s): system -#"identity:create_domain_config": "role:admin and system_scope:all" - -# DEPRECATED "identity:create_domain_config":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:create_domain_config":"role:admin and system_scope:all". -# The domain config API is now aware of system scope and default -# roles. -# Get the entire domain configuration for a domain, an option group -# within a domain, or a specific configuration option within a group -# for a domain. -# GET /v3/domains/{domain_id}/config -# HEAD /v3/domains/{domain_id}/config -# GET /v3/domains/{domain_id}/config/{group} -# HEAD /v3/domains/{domain_id}/config/{group} -# GET /v3/domains/{domain_id}/config/{group}/{option} -# HEAD /v3/domains/{domain_id}/config/{group}/{option} -# Intended scope(s): system -#"identity:get_domain_config": "role:reader and system_scope:all" - -# DEPRECATED "identity:get_domain_config":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:get_domain_config":"role:reader and system_scope:all". The -# domain config API is now aware of system scope and default roles. 
-# Get security compliance domain configuration for either a domain or -# a specific option in a domain. -# GET /v3/domains/{domain_id}/config/security_compliance -# HEAD /v3/domains/{domain_id}/config/security_compliance -# GET v3/domains/{domain_id}/config/security_compliance/{option} -# HEAD v3/domains/{domain_id}/config/security_compliance/{option} -# Intended scope(s): system, domain, project -#"identity:get_security_compliance_domain_config": "" - -# Update domain configuration for either a domain, specific group or a -# specific option in a group. -# PATCH /v3/domains/{domain_id}/config -# PATCH /v3/domains/{domain_id}/config/{group} -# PATCH /v3/domains/{domain_id}/config/{group}/{option} -# Intended scope(s): system -#"identity:update_domain_config": "role:admin and system_scope:all" - -# DEPRECATED "identity:update_domain_config":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:update_domain_config":"role:admin and system_scope:all". -# The domain config API is now aware of system scope and default -# roles. -# Delete domain configuration for either a domain, specific group or a -# specific option in a group. -# DELETE /v3/domains/{domain_id}/config -# DELETE /v3/domains/{domain_id}/config/{group} -# DELETE /v3/domains/{domain_id}/config/{group}/{option} -# Intended scope(s): system -#"identity:delete_domain_config": "role:admin and system_scope:all" - -# DEPRECATED "identity:delete_domain_config":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:delete_domain_config":"role:admin and system_scope:all". -# The domain config API is now aware of system scope and default -# roles. -# Get domain configuration default for either a domain, specific group -# or a specific option in a group. 
-# GET /v3/domains/config/default -# HEAD /v3/domains/config/default -# GET /v3/domains/config/{group}/default -# HEAD /v3/domains/config/{group}/default -# GET /v3/domains/config/{group}/{option}/default -# HEAD /v3/domains/config/{group}/{option}/default -# Intended scope(s): system -#"identity:get_domain_config_default": "role:reader and system_scope:all" - -# DEPRECATED -# "identity:get_domain_config_default":"rule:admin_required" has been -# deprecated since T in favor of -# "identity:get_domain_config_default":"role:reader and -# system_scope:all". The domain config API is now aware of system -# scope and default roles. -# Show ec2 credential details. -# GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id} -# Intended scope(s): system, project -#"identity:ec2_get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" - -# DEPRECATED "identity:ec2_get_credential":"rule:admin_required or -# (rule:owner and user_id:%(target.credential.user_id)s)" has been -# deprecated since T in favor of -# "identity:ec2_get_credential":"(role:reader and system_scope:all) or -# user_id:%(target.credential.user_id)s". The EC2 credential API is -# now aware of system scope and default roles. -# List ec2 credentials. -# GET /v3/users/{user_id}/credentials/OS-EC2 -# Intended scope(s): system, project -#"identity:ec2_list_credentials": "(role:reader and system_scope:all) or rule:owner" - -# DEPRECATED "identity:ec2_list_credentials":"rule:admin_or_owner" has -# been deprecated since T in favor of -# "identity:ec2_list_credentials":"(role:reader and system_scope:all) -# or rule:owner". The EC2 credential API is now aware of system scope -# and default roles. -# Create ec2 credential. 
-# POST /v3/users/{user_id}/credentials/OS-EC2 -# Intended scope(s): system, project -#"identity:ec2_create_credential": "(role:admin and system_scope:all) or rule:owner" - -# DEPRECATED "identity:ec2_create_credentials":"rule:admin_or_owner" -# has been deprecated since T in favor of -# "identity:ec2_create_credential":"(role:admin and system_scope:all) -# or rule:owner". The EC2 credential API is now aware of system scope -# and default roles. -"identity:ec2_create_credentials": "rule:identity:ec2_create_credential" -# Delete ec2 credential. -# DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id} -# Intended scope(s): system, project -#"identity:ec2_delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" - -# DEPRECATED "identity:ec2_delete_credentials":"rule:admin_required or -# (rule:owner and user_id:%(target.credential.user_id)s)" has been -# deprecated since T in favor of -# "identity:ec2_delete_credential":"(role:admin and system_scope:all) -# or user_id:%(target.credential.user_id)s". The EC2 credential API is -# now aware of system scope and default roles. -"identity:ec2_delete_credentials": "rule:identity:ec2_delete_credential" -# Show endpoint details. -# GET /v3/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:get_endpoint": "role:reader and system_scope:all" - -# DEPRECATED "identity:get_endpoint":"rule:admin_required" has been -# deprecated since S in favor of "identity:get_endpoint":"role:reader -# and system_scope:all". The endpoint API is now aware of system scope -# and default roles. -# List endpoints. -# GET /v3/endpoints -# Intended scope(s): system -#"identity:list_endpoints": "role:reader and system_scope:all" - -# DEPRECATED "identity:list_endpoints":"rule:admin_required" has been -# deprecated since S in favor of -# "identity:list_endpoints":"role:reader and system_scope:all". The -# endpoint API is now aware of system scope and default roles. -# Create endpoint. 
-# POST /v3/endpoints -# Intended scope(s): system -#"identity:create_endpoint": "role:admin and system_scope:all" - -# DEPRECATED "identity:create_endpoint":"rule:admin_required" has been -# deprecated since S in favor of -# "identity:create_endpoint":"role:admin and system_scope:all". The -# endpoint API is now aware of system scope and default roles. -# Update endpoint. -# PATCH /v3/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:update_endpoint": "role:admin and system_scope:all" - -# DEPRECATED "identity:update_endpoint":"rule:admin_required" has been -# deprecated since S in favor of -# "identity:update_endpoint":"role:admin and system_scope:all". The -# endpoint API is now aware of system scope and default roles. -# Delete endpoint. -# DELETE /v3/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:delete_endpoint": "role:admin and system_scope:all" - -# DEPRECATED "identity:delete_endpoint":"rule:admin_required" has been -# deprecated since S in favor of -# "identity:delete_endpoint":"role:admin and system_scope:all". The -# endpoint API is now aware of system scope and default roles. -# Create endpoint group. -# POST /v3/OS-EP-FILTER/endpoint_groups -# Intended scope(s): system -#"identity:create_endpoint_group": "role:admin and system_scope:all" - -# DEPRECATED "identity:create_endpoint_group":"rule:admin_required" -# has been deprecated since T in favor of -# "identity:create_endpoint_group":"role:admin and system_scope:all". -# The endpoint groups API is now aware of system scope and default -# roles. -# List endpoint groups. -# GET /v3/OS-EP-FILTER/endpoint_groups -# Intended scope(s): system -#"identity:list_endpoint_groups": "role:reader and system_scope:all" - -# DEPRECATED "identity:list_endpoint_groups":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:list_endpoint_groups":"role:reader and system_scope:all". -# The endpoint groups API is now aware of system scope and default -# roles. 
-# Get endpoint group. -# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} -# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} -# Intended scope(s): system -#"identity:get_endpoint_group": "role:reader and system_scope:all" - -# DEPRECATED "identity:get_endpoint_group":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:get_endpoint_group":"role:reader and system_scope:all". -# The endpoint groups API is now aware of system scope and default -# roles. -# Update endpoint group. -# PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} -# Intended scope(s): system -#"identity:update_endpoint_group": "role:admin and system_scope:all" - -# DEPRECATED "identity:update_endpoint_group":"rule:admin_required" -# has been deprecated since T in favor of -# "identity:update_endpoint_group":"role:admin and system_scope:all". -# The endpoint groups API is now aware of system scope and default -# roles. -# Delete endpoint group. -# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} -# Intended scope(s): system -#"identity:delete_endpoint_group": "role:admin and system_scope:all" - -# DEPRECATED "identity:delete_endpoint_group":"rule:admin_required" -# has been deprecated since T in favor of -# "identity:delete_endpoint_group":"role:admin and system_scope:all". -# The endpoint groups API is now aware of system scope and default -# roles. -# List all projects associated with a specific endpoint group. -# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects -# Intended scope(s): system -#"identity:list_projects_associated_with_endpoint_group": "role:reader and system_scope:all" - -# DEPRECATED "identity:list_projects_associated_with_endpoint_group":" -# rule:admin_required" has been deprecated since T in favor of -# "identity:list_projects_associated_with_endpoint_group":"role:reader -# and system_scope:all". The endpoint groups API is now aware of -# system scope and default roles. 
-# List all endpoints associated with an endpoint group. -# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints -# Intended scope(s): system -#"identity:list_endpoints_associated_with_endpoint_group": "role:reader and system_scope:all" - -# DEPRECATED "identity:list_endpoints_associated_with_endpoint_group": -# "rule:admin_required" has been deprecated since T in favor of "ident -# ity:list_endpoints_associated_with_endpoint_group":"role:reader and -# system_scope:all". The endpoint groups API is now aware of system -# scope and default roles. -# Check if an endpoint group is associated with a project. -# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} -# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} -# Intended scope(s): system -#"identity:get_endpoint_group_in_project": "role:reader and system_scope:all" - -# DEPRECATED -# "identity:get_endpoint_group_in_project":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:get_endpoint_group_in_project":"role:reader and -# system_scope:all". The endpoint groups API is now aware of system -# scope and default roles. -# List endpoint groups associated with a specific project. -# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups -# Intended scope(s): system -#"identity:list_endpoint_groups_for_project": "role:reader and system_scope:all" - -# DEPRECATED -# "identity:list_endpoint_groups_for_project":"rule:admin_required" -# has been deprecated since T in favor of -# "identity:list_endpoint_groups_for_project":"role:reader and -# system_scope:all". The endpoint groups API is now aware of system -# scope and default roles. -# Allow a project to access an endpoint group. 
-# PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} -# Intended scope(s): system -#"identity:add_endpoint_group_to_project": "role:admin and system_scope:all" - -# DEPRECATED -# "identity:add_endpoint_group_to_project":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:add_endpoint_group_to_project":"role:admin and -# system_scope:all". The endpoint groups API is now aware of system -# scope and default roles. -# Remove endpoint group from project. -# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} -# Intended scope(s): system -#"identity:remove_endpoint_group_from_project": "role:admin and system_scope:all" - -# DEPRECATED -# "identity:remove_endpoint_group_from_project":"rule:admin_required" -# has been deprecated since T in favor of -# "identity:remove_endpoint_group_from_project":"role:admin and -# system_scope:all". The endpoint groups API is now aware of system -# scope and default roles. -# Check a role grant between a target and an actor. A target can be -# either a domain or a project. An actor can be either a user or a -# group. These terms also apply to the OS-INHERIT APIs, where grants -# on the target are inherited to all projects in the subtree, if -# applicable. 
-# HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id} -# GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id} -# HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} -# GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} -# HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} -# GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} -# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} -# GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} -# HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects -# GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects -# HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects -# GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects -# HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects -# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects -# HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects -# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects -# Intended scope(s): system, domain -#"identity:check_grant": "(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" - -# DEPRECATED "identity:check_grant":"rule:admin_required" has been -# deprecated since S in favor of 
"identity:check_grant":"(role:reader -# and system_scope:all) or ((role:reader and -# domain_id:%(target.user.domain_id)s and -# domain_id:%(target.project.domain_id)s) or (role:reader and -# domain_id:%(target.user.domain_id)s and -# domain_id:%(target.domain.id)s) or (role:reader and -# domain_id:%(target.group.domain_id)s and -# domain_id:%(target.project.domain_id)s) or (role:reader and -# domain_id:%(target.group.domain_id)s and -# domain_id:%(target.domain.id)s)) and -# (domain_id:%(target.role.domain_id)s or -# None:%(target.role.domain_id)s)". The assignment API is now aware of -# system scope and default roles. -# List roles granted to an actor on a target. A target can be either a -# domain or a project. An actor can be either a user or a group. For -# the OS-INHERIT APIs, it is possible to list inherited role grants -# for actors on domains, where grants are inherited to all projects in -# the specified domain. -# GET /v3/projects/{project_id}/users/{user_id}/roles -# HEAD /v3/projects/{project_id}/users/{user_id}/roles -# GET /v3/projects/{project_id}/groups/{group_id}/roles -# HEAD /v3/projects/{project_id}/groups/{group_id}/roles -# GET /v3/domains/{domain_id}/users/{user_id}/roles -# HEAD /v3/domains/{domain_id}/users/{user_id}/roles -# GET /v3/domains/{domain_id}/groups/{group_id}/roles -# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles -# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects -# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects -# Intended scope(s): system, domain -#"identity:list_grants": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and 
domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)" - -# DEPRECATED "identity:list_grants":"rule:admin_required" has been -# deprecated since S in favor of "identity:list_grants":"(role:reader -# and system_scope:all) or (role:reader and -# domain_id:%(target.user.domain_id)s and -# domain_id:%(target.project.domain_id)s) or (role:reader and -# domain_id:%(target.user.domain_id)s and -# domain_id:%(target.domain.id)s) or (role:reader and -# domain_id:%(target.group.domain_id)s and -# domain_id:%(target.project.domain_id)s) or (role:reader and -# domain_id:%(target.group.domain_id)s and -# domain_id:%(target.domain.id)s)". The assignment API is now aware of -# system scope and default roles. -# Create a role grant between a target and an actor. A target can be -# either a domain or a project. An actor can be either a user or a -# group. These terms also apply to the OS-INHERIT APIs, where grants -# on the target are inherited to all projects in the subtree, if -# applicable. 
-# PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
-# PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
-# PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
-# PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
-# PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
-# PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
-# PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
-# PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
-# Intended scope(s): system, domain
-#"identity:create_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
-
-# DEPRECATED "identity:create_grant":"rule:admin_required" has been
-# deprecated since S in favor of "identity:create_grant":"(role:admin
-# and system_scope:all) or ((role:admin and
-# domain_id:%(target.user.domain_id)s and
-# domain_id:%(target.project.domain_id)s) or (role:admin and
-# domain_id:%(target.user.domain_id)s and
-# domain_id:%(target.domain.id)s) or (role:admin and
-# domain_id:%(target.group.domain_id)s and
-# domain_id:%(target.project.domain_id)s) or (role:admin and
-# domain_id:%(target.group.domain_id)s and
-# domain_id:%(target.domain.id)s)) and
-# (domain_id:%(target.role.domain_id)s or
-# None:%(target.role.domain_id)s)". The assignment API is now aware of
-# system scope and default roles.
-# Revoke a role grant between a target and an actor. A target can be
-# either a domain or a project. An actor can be either a user or a
-# group. These terms also apply to the OS-INHERIT APIs, where grants
-# on the target are inherited to all projects in the subtree, if
-# applicable. In that case, revoking the role grant in the target
-# would remove the logical effect of inheriting it to the target's
-# projects subtree.
-# DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
-# DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
-# DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
-# DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
-# DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
-# DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
-# DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
-# DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
-# Intended scope(s): system, domain
-#"identity:revoke_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
-
-# DEPRECATED "identity:revoke_grant":"rule:admin_required" has been
-# deprecated since S in favor of "identity:revoke_grant":"(role:admin
-# and system_scope:all) or ((role:admin and
-# domain_id:%(target.user.domain_id)s and
-# domain_id:%(target.project.domain_id)s) or (role:admin and
-# domain_id:%(target.user.domain_id)s and
-# domain_id:%(target.domain.id)s) or (role:admin and
-# domain_id:%(target.group.domain_id)s and
-# domain_id:%(target.project.domain_id)s) or (role:admin and
-# domain_id:%(target.group.domain_id)s and
-# domain_id:%(target.domain.id)s)) and
-# (domain_id:%(target.role.domain_id)s or
-# None:%(target.role.domain_id)s)". The assignment API is now aware of
-# system scope and default roles.
-# List all grants a specific user has on the system.
-# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles
-# Intended scope(s): system
-#"identity:list_system_grants_for_user": "role:reader and system_scope:all"
-
-# DEPRECATED
-# "identity:list_system_grants_for_user":"rule:admin_required" has
-# been deprecated since S in favor of
-# "identity:list_system_grants_for_user":"role:reader and
-# system_scope:all". The assignment API is now aware of system scope
-# and default roles.
-# Check if a user has a role on the system.
-# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles/{role_id}
-# Intended scope(s): system
-#"identity:check_system_grant_for_user": "role:reader and system_scope:all"
-
-# DEPRECATED
-# "identity:check_system_grant_for_user":"rule:admin_required" has
-# been deprecated since S in favor of
-# "identity:check_system_grant_for_user":"role:reader and
-# system_scope:all". The assignment API is now aware of system scope
-# and default roles.
-# Grant a user a role on the system.
-# ['PUT'] /v3/system/users/{user_id}/roles/{role_id}
-# Intended scope(s): system
-#"identity:create_system_grant_for_user": "role:admin and system_scope:all"
-
-# DEPRECATED
-# "identity:create_system_grant_for_user":"rule:admin_required" has
-# been deprecated since S in favor of
-# "identity:create_system_grant_for_user":"role:admin and
-# system_scope:all". The assignment API is now aware of system scope
-# and default roles.
-# Remove a role from a user on the system.
-# ['DELETE'] /v3/system/users/{user_id}/roles/{role_id}
-# Intended scope(s): system
-#"identity:revoke_system_grant_for_user": "role:admin and system_scope:all"
-
-# DEPRECATED
-# "identity:revoke_system_grant_for_user":"rule:admin_required" has
-# been deprecated since S in favor of
-# "identity:revoke_system_grant_for_user":"role:admin and
-# system_scope:all". The assignment API is now aware of system scope
-# and default roles.
-# List all grants a specific group has on the system.
-# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles
-# Intended scope(s): system
-#"identity:list_system_grants_for_group": "role:reader and system_scope:all"
-
-# DEPRECATED
-# "identity:list_system_grants_for_group":"rule:admin_required" has
-# been deprecated since S in favor of
-# "identity:list_system_grants_for_group":"role:reader and
-# system_scope:all". The assignment API is now aware of system scope
-# and default roles.
-# Check if a group has a role on the system.
-# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles/{role_id}
-# Intended scope(s): system
-#"identity:check_system_grant_for_group": "role:reader and system_scope:all"
-
-# DEPRECATED
-# "identity:check_system_grant_for_group":"rule:admin_required" has
-# been deprecated since S in favor of
-# "identity:check_system_grant_for_group":"role:reader and
-# system_scope:all". The assignment API is now aware of system scope
-# and default roles.
-# Grant a group a role on the system.
-# ['PUT'] /v3/system/groups/{group_id}/roles/{role_id}
-# Intended scope(s): system
-#"identity:create_system_grant_for_group": "role:admin and system_scope:all"
-
-# DEPRECATED
-# "identity:create_system_grant_for_group":"rule:admin_required" has
-# been deprecated since S in favor of
-# "identity:create_system_grant_for_group":"role:admin and
-# system_scope:all". The assignment API is now aware of system scope
-# and default roles.
-# Remove a role from a group on the system.
-# ['DELETE'] /v3/system/groups/{group_id}/roles/{role_id}
-# Intended scope(s): system
-#"identity:revoke_system_grant_for_group": "role:admin and system_scope:all"
-
-# DEPRECATED
-# "identity:revoke_system_grant_for_group":"rule:admin_required" has
-# been deprecated since S in favor of
-# "identity:revoke_system_grant_for_group":"role:admin and
-# system_scope:all". The assignment API is now aware of system scope
-# and default roles.
-# Show group details.
-# GET /v3/groups/{group_id}
-# HEAD /v3/groups/{group_id}
-# Intended scope(s): system, domain
-#"identity:get_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
-
-# DEPRECATED "identity:get_group":"rule:admin_required" has been
-# deprecated since S in favor of "identity:get_group":"(role:reader
-# and system_scope:all) or (role:reader and
-# domain_id:%(target.group.domain_id)s)". The group API is now aware
-# of system scope and default roles.
-# List groups.
-# GET /v3/groups
-# HEAD /v3/groups
-# Intended scope(s): system, domain
-#"identity:list_groups": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
-
-# DEPRECATED "identity:list_groups":"rule:admin_required" has been
-# deprecated since S in favor of "identity:list_groups":"(role:reader
-# and system_scope:all) or (role:reader and
-# domain_id:%(target.group.domain_id)s)". The group API is now aware
-# of system scope and default roles.
-# List groups to which a user belongs.
-# GET /v3/users/{user_id}/groups
-# HEAD /v3/users/{user_id}/groups
-# Intended scope(s): system, domain, project
-#"identity:list_groups_for_user": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s"
-
-# DEPRECATED "identity:list_groups_for_user":"rule:admin_or_owner" has
-# been deprecated since S in favor of
-# "identity:list_groups_for_user":"(role:reader and system_scope:all)
-# or (role:reader and domain_id:%(target.user.domain_id)s) or
-# user_id:%(user_id)s". The group API is now aware of system scope and
-# default roles.
-# Create group.
-# POST /v3/groups
-# Intended scope(s): system, domain
-#"identity:create_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
-
-# DEPRECATED "identity:create_group":"rule:admin_required" has been
-# deprecated since S in favor of "identity:create_group":"(role:admin
-# and system_scope:all) or (role:admin and
-# domain_id:%(target.group.domain_id)s)". The group API is now aware
-# of system scope and default roles.
-# Update group.
-# PATCH /v3/groups/{group_id}
-# Intended scope(s): system, domain
-#"identity:update_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
-
-# DEPRECATED "identity:update_group":"rule:admin_required" has been
-# deprecated since S in favor of "identity:update_group":"(role:admin
-# and system_scope:all) or (role:admin and
-# domain_id:%(target.group.domain_id)s)". The group API is now aware
-# of system scope and default roles.
-# Delete group.
-# DELETE /v3/groups/{group_id}
-# Intended scope(s): system, domain
-#"identity:delete_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
-
-# DEPRECATED "identity:delete_group":"rule:admin_required" has been
-# deprecated since S in favor of "identity:delete_group":"(role:admin
-# and system_scope:all) or (role:admin and
-# domain_id:%(target.group.domain_id)s)". The group API is now aware
-# of system scope and default roles.
-# List members of a specific group.
-# GET /v3/groups/{group_id}/users
-# HEAD /v3/groups/{group_id}/users
-# Intended scope(s): system, domain
-#"identity:list_users_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
-
-# DEPRECATED "identity:list_users_in_group":"rule:admin_required" has
-# been deprecated since S in favor of
-# "identity:list_users_in_group":"(role:reader and system_scope:all)
-# or (role:reader and domain_id:%(target.group.domain_id)s)". The
-# group API is now aware of system scope and default roles.
-# Remove user from group.
-# DELETE /v3/groups/{group_id}/users/{user_id}
-# Intended scope(s): system, domain
-#"identity:remove_user_from_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
-
-# DEPRECATED "identity:remove_user_from_group":"rule:admin_required"
-# has been deprecated since S in favor of
-# "identity:remove_user_from_group":"(role:admin and system_scope:all)
-# or (role:admin and domain_id:%(target.group.domain_id)s and
-# domain_id:%(target.user.domain_id)s)". The group API is now aware of
-# system scope and default roles.
-# Check whether a user is a member of a group.
-# HEAD /v3/groups/{group_id}/users/{user_id}
-# GET /v3/groups/{group_id}/users/{user_id}
-# Intended scope(s): system, domain
-#"identity:check_user_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
-
-# DEPRECATED "identity:check_user_in_group":"rule:admin_required" has
-# been deprecated since S in favor of
-# "identity:check_user_in_group":"(role:reader and system_scope:all)
-# or (role:reader and domain_id:%(target.group.domain_id)s and
-# domain_id:%(target.user.domain_id)s)". The group API is now aware of
-# system scope and default roles.
-# Add user to group.
-# PUT /v3/groups/{group_id}/users/{user_id}
-# Intended scope(s): system, domain
-#"identity:add_user_to_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
-
-# DEPRECATED "identity:add_user_to_group":"rule:admin_required" has
-# been deprecated since S in favor of
-# "identity:add_user_to_group":"(role:admin and system_scope:all) or
-# (role:admin and domain_id:%(target.group.domain_id)s and
-# domain_id:%(target.user.domain_id)s)". The group API is now aware of
-# system scope and default roles.
-# Create identity provider.
-# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}
-# Intended scope(s): system
-#"identity:create_identity_provider": "role:admin and system_scope:all"
-
-# DEPRECATED
-# "identity:create_identity_providers":"rule:admin_required" has been
-# deprecated since S in favor of
-# "identity:create_identity_provider":"role:admin and
-# system_scope:all". The identity provider API is now aware of system
-# scope and default roles.
-"identity:create_identity_providers": "rule:identity:create_identity_provider"
-# List identity providers.
-# GET /v3/OS-FEDERATION/identity_providers
-# HEAD /v3/OS-FEDERATION/identity_providers
-# Intended scope(s): system
-#"identity:list_identity_providers": "role:reader and system_scope:all"
-
-# DEPRECATED "identity:list_identity_providers":"rule:admin_required"
-# has been deprecated since S in favor of
-# "identity:list_identity_providers":"role:reader and
-# system_scope:all". The identity provider API is now aware of system
-# scope and default roles.
-# Get identity provider.
-# GET /v3/OS-FEDERATION/identity_providers/{idp_id}
-# HEAD /v3/OS-FEDERATION/identity_providers/{idp_id}
-# Intended scope(s): system
-#"identity:get_identity_provider": "role:reader and system_scope:all"
-
-# DEPRECATED "identity:get_identity_providers":"rule:admin_required"
-# has been deprecated since S in favor of
-# "identity:get_identity_provider":"role:reader and system_scope:all".
-# The identity provider API is now aware of system scope and default
-# roles.
-"identity:get_identity_providers": "rule:identity:get_identity_provider"
-# Update identity provider.
-# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}
-# Intended scope(s): system
-#"identity:update_identity_provider": "role:admin and system_scope:all"
-
-# DEPRECATED
-# "identity:update_identity_providers":"rule:admin_required" has been
-# deprecated since S in favor of
-# "identity:update_identity_provider":"role:admin and
-# system_scope:all". The identity provider API is now aware of system
-# scope and default roles.
-"identity:update_identity_providers": "rule:identity:update_identity_provider"
-# Delete identity provider.
-# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}
-# Intended scope(s): system
-#"identity:delete_identity_provider": "role:admin and system_scope:all"
-
-# DEPRECATED
-# "identity:delete_identity_providers":"rule:admin_required" has been
-# deprecated since S in favor of
-# "identity:delete_identity_provider":"role:admin and
-# system_scope:all". The identity provider API is now aware of system
-# scope and default roles.
-"identity:delete_identity_providers": "rule:identity:delete_identity_provider"
-# Get information about an association between two roles. When a
-# relationship exists between a prior role and an implied role and the
-# prior role is assigned to a user, the user also assumes the implied
-# role.
-# GET /v3/roles/{prior_role_id}/implies/{implied_role_id}
-# Intended scope(s): system
-#"identity:get_implied_role": "role:reader and system_scope:all"
-
-# DEPRECATED "identity:get_implied_role":"rule:admin_required" has
-# been deprecated since T in favor of
-# "identity:get_implied_role":"role:reader and system_scope:all". The
-# implied role API is now aware of system scope and default roles.
-# List associations between two roles. When a relationship exists
-# between a prior role and an implied role and the prior role is
-# assigned to a user, the user also assumes the implied role. This
-# will return all the implied roles that would be assumed by the user
-# who gets the specified prior role.
-# GET /v3/roles/{prior_role_id}/implies
-# HEAD /v3/roles/{prior_role_id}/implies
-# Intended scope(s): system
-#"identity:list_implied_roles": "role:reader and system_scope:all"
-
-# DEPRECATED "identity:list_implied_roles":"rule:admin_required" has
-# been deprecated since T in favor of
-# "identity:list_implied_roles":"role:reader and system_scope:all".
-# The implied role API is now aware of system scope and default roles.
-# Create an association between two roles. When a relationship exists
-# between a prior role and an implied role and the prior role is
-# assigned to a user, the user also assumes the implied role.
-# PUT /v3/roles/{prior_role_id}/implies/{implied_role_id}
-# Intended scope(s): system
-#"identity:create_implied_role": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:create_implied_role":"rule:admin_required" has
-# been deprecated since T in favor of
-# "identity:create_implied_role":"role:admin and system_scope:all".
-# The implied role API is now aware of system scope and default roles.
-# Delete the association between two roles. When a relationship exists
-# between a prior role and an implied role and the prior role is
-# assigned to a user, the user also assumes the implied role. Removing
-# the association will cause that effect to be eliminated.
-# DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id}
-# Intended scope(s): system
-#"identity:delete_implied_role": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:delete_implied_role":"rule:admin_required" has
-# been deprecated since T in favor of
-# "identity:delete_implied_role":"role:admin and system_scope:all".
-# The implied role API is now aware of system scope and default roles.
-# List all associations between two roles in the system. When a
-# relationship exists between a prior role and an implied role and the
-# prior role is assigned to a user, the user also assumes the implied
-# role.
-# GET /v3/role_inferences
-# HEAD /v3/role_inferences
-# Intended scope(s): system
-#"identity:list_role_inference_rules": "role:reader and system_scope:all"
-
-# DEPRECATED
-# "identity:list_role_inference_rules":"rule:admin_required" has been
-# deprecated since T in favor of
-# "identity:list_role_inference_rules":"role:reader and
-# system_scope:all". The implied role API is now aware of system scope
-# and default roles.
-# Check an association between two roles. When a relationship exists
-# between a prior role and an implied role and the prior role is
-# assigned to a user, the user also assumes the implied role.
-# HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id}
-# Intended scope(s): system
-#"identity:check_implied_role": "role:reader and system_scope:all"
-
-# DEPRECATED "identity:check_implied_role":"rule:admin_required" has
-# been deprecated since T in favor of
-# "identity:check_implied_role":"role:reader and system_scope:all".
-# The implied role API is now aware of system scope and default roles.
-# Get limit enforcement model.
-# GET /v3/limits/model
-# HEAD /v3/limits/model
-# Intended scope(s): system, domain, project
-#"identity:get_limit_model": ""
-
-# Show limit details.
-# GET /v3/limits/{limit_id}
-# HEAD /v3/limits/{limit_id}
-# Intended scope(s): system, domain, project
-#"identity:get_limit": "(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)"
-
-# List limits.
-# GET /v3/limits
-# HEAD /v3/limits
-# Intended scope(s): system, domain, project
-#"identity:list_limits": ""
-
-# Create limits.
-# POST /v3/limits
-# Intended scope(s): system
-#"identity:create_limits": "role:admin and system_scope:all"
-
-# Update limit.
-# PATCH /v3/limits/{limit_id}
-# Intended scope(s): system
-#"identity:update_limit": "role:admin and system_scope:all"
-
-# Delete limit.
-# DELETE /v3/limits/{limit_id}
-# Intended scope(s): system
-#"identity:delete_limit": "role:admin and system_scope:all"
-
-# Create a new federated mapping containing one or more sets of rules.
-# PUT /v3/OS-FEDERATION/mappings/{mapping_id}
-# Intended scope(s): system
-#"identity:create_mapping": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:create_mapping":"rule:admin_required" has been
-# deprecated since S in favor of "identity:create_mapping":"role:admin
-# and system_scope:all". The federated mapping API is now aware of
-# system scope and default roles.
-# Get a federated mapping.
-# GET /v3/OS-FEDERATION/mappings/{mapping_id}
-# HEAD /v3/OS-FEDERATION/mappings/{mapping_id}
-# Intended scope(s): system
-#"identity:get_mapping": "role:reader and system_scope:all"
-
-# DEPRECATED "identity:get_mapping":"rule:admin_required" has been
-# deprecated since S in favor of "identity:get_mapping":"role:reader
-# and system_scope:all". The federated mapping API is now aware of
-# system scope and default roles.
-# List federated mappings.
-# GET /v3/OS-FEDERATION/mappings
-# HEAD /v3/OS-FEDERATION/mappings
-# Intended scope(s): system
-#"identity:list_mappings": "role:reader and system_scope:all"
-
-# DEPRECATED "identity:list_mappings":"rule:admin_required" has been
-# deprecated since S in favor of "identity:list_mappings":"role:reader
-# and system_scope:all". The federated mapping API is now aware of
-# system scope and default roles.
-# Delete a federated mapping.
-# DELETE /v3/OS-FEDERATION/mappings/{mapping_id}
-# Intended scope(s): system
-#"identity:delete_mapping": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:delete_mapping":"rule:admin_required" has been
-# deprecated since S in favor of "identity:delete_mapping":"role:admin
-# and system_scope:all". The federated mapping API is now aware of
-# system scope and default roles.
-# Update a federated mapping.
-# PATCH /v3/OS-FEDERATION/mappings/{mapping_id}
-# Intended scope(s): system
-#"identity:update_mapping": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:update_mapping":"rule:admin_required" has been
-# deprecated since S in favor of "identity:update_mapping":"role:admin
-# and system_scope:all". The federated mapping API is now aware of
-# system scope and default roles.
-# Show policy details.
-# GET /v3/policies/{policy_id}
-# Intended scope(s): system
-#"identity:get_policy": "role:reader and system_scope:all"
-
-# DEPRECATED "identity:get_policy":"rule:admin_required" has been
-# deprecated since T in favor of "identity:get_policy":"role:reader
-# and system_scope:all". The policy API is now aware of system scope
-# and default roles.
-# List policies.
-# GET /v3/policies
-# Intended scope(s): system
-#"identity:list_policies": "role:reader and system_scope:all"
-
-# DEPRECATED "identity:list_policies":"rule:admin_required" has been
-# deprecated since T in favor of "identity:list_policies":"role:reader
-# and system_scope:all". The policy API is now aware of system scope
-# and default roles.
-# Create policy.
-# POST /v3/policies
-# Intended scope(s): system
-#"identity:create_policy": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:create_policy":"rule:admin_required" has been
-# deprecated since T in favor of "identity:create_policy":"role:admin
-# and system_scope:all". The policy API is now aware of system scope
-# and default roles.
-# Update policy.
-# PATCH /v3/policies/{policy_id}
-# Intended scope(s): system
-#"identity:update_policy": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:update_policy":"rule:admin_required" has been
-# deprecated since T in favor of "identity:update_policy":"role:admin
-# and system_scope:all". The policy API is now aware of system scope
-# and default roles.
-# Delete policy.
-# DELETE /v3/policies/{policy_id}
-# Intended scope(s): system
-#"identity:delete_policy": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:delete_policy":"rule:admin_required" has been
-# deprecated since T in favor of "identity:delete_policy":"role:admin
-# and system_scope:all". The policy API is now aware of system scope
-# and default roles.
-# Associate a policy to a specific endpoint.
-# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
-# Intended scope(s): system
-#"identity:create_policy_association_for_endpoint": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:create_policy_association_for_endpoint":"rule:a
-# dmin_required" has been deprecated since T in favor of
-# "identity:create_policy_association_for_endpoint":"role:admin and
-# system_scope:all". The policy association API is now aware of system
-# scope and default roles.
-# Check policy association for endpoint.
-# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
-# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
-# Intended scope(s): system
-#"identity:check_policy_association_for_endpoint": "role:reader and system_scope:all"
-
-# DEPRECATED "identity:check_policy_association_for_endpoint":"rule:ad
-# min_required" has been deprecated since T in favor of
-# "identity:check_policy_association_for_endpoint":"role:reader and
-# system_scope:all". The policy association API is now aware of system
-# scope and default roles.
-# Delete policy association for endpoint.
-# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
-# Intended scope(s): system
-#"identity:delete_policy_association_for_endpoint": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:delete_policy_association_for_endpoint":"rule:a
-# dmin_required" has been deprecated since T in favor of
-# "identity:delete_policy_association_for_endpoint":"role:admin and
-# system_scope:all". The policy association API is now aware of system
-# scope and default roles.
-# Associate a policy to a specific service.
-# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
-# Intended scope(s): system
-#"identity:create_policy_association_for_service": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:create_policy_association_for_service":"rule:ad
-# min_required" has been deprecated since T in favor of
-# "identity:create_policy_association_for_service":"role:admin and
-# system_scope:all". The policy association API is now aware of system
-# scope and default roles.
-# Check policy association for service.
-# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
-# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
-# Intended scope(s): system
-#"identity:check_policy_association_for_service": "role:reader and system_scope:all"
-
-# DEPRECATED "identity:check_policy_association_for_service":"rule:adm
-# in_required" has been deprecated since T in favor of
-# "identity:check_policy_association_for_service":"role:reader and
-# system_scope:all". The policy association API is now aware of system
-# scope and default roles.
-# Delete policy association for service.
-# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
-# Intended scope(s): system
-#"identity:delete_policy_association_for_service": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:delete_policy_association_for_service":"rule:ad
-# min_required" has been deprecated since T in favor of
-# "identity:delete_policy_association_for_service":"role:admin and
-# system_scope:all". The policy association API is now aware of system
-# scope and default roles.
-# Associate a policy to a specific region and service combination.
-# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
-# Intended scope(s): system
-#"identity:create_policy_association_for_region_and_service": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:create_policy_association_for_region_and_servic
-# e":"rule:admin_required" has been deprecated since T in favor of "id
-# entity:create_policy_association_for_region_and_service":"role:admin
-# and system_scope:all". The policy association API is now aware of
-# system scope and default roles.
-# Check policy association for region and service.
-# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
-# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
-# Intended scope(s): system
-#"identity:check_policy_association_for_region_and_service": "role:reader and system_scope:all"
-
-# DEPRECATED "identity:check_policy_association_for_region_and_service
-# ":"rule:admin_required" has been deprecated since T in favor of "ide
-# ntity:check_policy_association_for_region_and_service":"role:reader
-# and system_scope:all". The policy association API is now aware of
-# system scope and default roles.
-# Delete policy association for region and service.
-# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
-# Intended scope(s): system
-#"identity:delete_policy_association_for_region_and_service": "role:admin and system_scope:all"
-
-# DEPRECATED "identity:delete_policy_association_for_region_and_servic
-# e":"rule:admin_required" has been deprecated since T in favor of "id
-# entity:delete_policy_association_for_region_and_service":"role:admin
-# and system_scope:all". The policy association API is now aware of
-# system scope and default roles.
-# Get policy for endpoint.
-# GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
-# HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
-# Intended scope(s): system
-#"identity:get_policy_for_endpoint": "role:reader and system_scope:all"
-
-# DEPRECATED "identity:get_policy_for_endpoint":"rule:admin_required"
-# has been deprecated since T in favor of
-# "identity:get_policy_for_endpoint":"role:reader and
-# system_scope:all". The policy association API is now aware of system
-# scope and default roles.
-# List endpoints for policy.
-# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
-# Intended scope(s): system
-#"identity:list_endpoints_for_policy": "role:reader and system_scope:all"
-
-# DEPRECATED
-# "identity:list_endpoints_for_policy":"rule:admin_required" has been
-# deprecated since T in favor of
-# "identity:list_endpoints_for_policy":"role:reader and
-# system_scope:all". The policy association API is now aware of system
-# scope and default roles.
-# Show project details.
-# GET /v3/projects/{project_id}
-# Intended scope(s): system, domain, project
-#"identity:get_project": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
-
-# DEPRECATED "identity:get_project":"rule:admin_required or
-# project_id:%(target.project.id)s" has been deprecated since S in
-# favor of "identity:get_project":"(role:reader and system_scope:all)
-# or (role:reader and domain_id:%(target.project.domain_id)s) or
-# project_id:%(target.project.id)s". The project API is now aware of
-# system scope and default roles.
-# List projects.
-# GET /v3/projects
-# Intended scope(s): system, domain
-#"identity:list_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
-
-# DEPRECATED "identity:list_projects":"rule:admin_required" has been
-# deprecated since S in favor of
-# "identity:list_projects":"(role:reader and system_scope:all) or
-# (role:reader and domain_id:%(target.domain_id)s)". The project API
-# is now aware of system scope and default roles.
-# List projects for user.
-# GET /v3/users/{user_id}/projects
-# Intended scope(s): system, domain, project
-#"identity:list_user_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
-
-# DEPRECATED "identity:list_user_projects":"rule:admin_or_owner" has
-# been deprecated since S in favor of
-# "identity:list_user_projects":"(role:reader and system_scope:all) or
-# (role:reader and domain_id:%(target.user.domain_id)s) or
-# user_id:%(target.user.id)s". The project API is now aware of system
-# scope and default roles.
-# Create project.
-# POST /v3/projects
-# Intended scope(s): system, domain
-#"identity:create_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
-
-# DEPRECATED "identity:create_project":"rule:admin_required" has been
-# deprecated since S in favor of
-# "identity:create_project":"(role:admin and system_scope:all) or
-# (role:admin and domain_id:%(target.project.domain_id)s)". The
-# project API is now aware of system scope and default roles.
-# Update project.
-# PATCH /v3/projects/{project_id} -# Intended scope(s): system, domain -#"identity:update_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)" - -# DEPRECATED "identity:update_project":"rule:admin_required" has been -# deprecated since S in favor of -# "identity:update_project":"(role:admin and system_scope:all) or -# (role:admin and domain_id:%(target.project.domain_id)s)". The -# project API is now aware of system scope and default roles. -# Delete project. -# DELETE /v3/projects/{project_id} -# Intended scope(s): system, domain -#"identity:delete_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)" - -# DEPRECATED "identity:delete_project":"rule:admin_required" has been -# deprecated since S in favor of -# "identity:delete_project":"(role:admin and system_scope:all) or -# (role:admin and domain_id:%(target.project.domain_id)s)". The -# project API is now aware of system scope and default roles. -# List tags for a project. -# GET /v3/projects/{project_id}/tags -# HEAD /v3/projects/{project_id}/tags -# Intended scope(s): system, domain, project -#"identity:list_project_tags": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" - -# DEPRECATED "identity:list_project_tags":"rule:admin_required or -# project_id:%(target.project.id)s" has been deprecated since T in -# favor of "identity:list_project_tags":"(role:reader and -# system_scope:all) or (role:reader and -# domain_id:%(target.project.domain_id)s) or -# project_id:%(target.project.id)s". -# -# As of the Train release, the project tags API understands how to -# handle system-scoped tokens in addition to project and domain -# tokens, making the API more accessible to users without compromising -# security or manageability for administrators. The new default -# policies for this API account for these changes automatically. 
-# Check if project contains a tag. -# GET /v3/projects/{project_id}/tags/{value} -# HEAD /v3/projects/{project_id}/tags/{value} -# Intended scope(s): system, domain, project -#"identity:get_project_tag": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" - -# DEPRECATED "identity:get_project_tag":"rule:admin_required or -# project_id:%(target.project.id)s" has been deprecated since T in -# favor of "identity:get_project_tag":"(role:reader and -# system_scope:all) or (role:reader and -# domain_id:%(target.project.domain_id)s) or -# project_id:%(target.project.id)s". -# -# As of the Train release, the project tags API understands how to -# handle system-scoped tokens in addition to project and domain -# tokens, making the API more accessible to users without compromising -# security or manageability for administrators. The new default -# policies for this API account for these changes automatically. -# Replace all tags on a project with the new set of tags. -# PUT /v3/projects/{project_id}/tags -# Intended scope(s): system, domain, project -#"identity:update_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" - -# DEPRECATED "identity:update_project_tags":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:update_project_tags":"(role:admin and system_scope:all) or -# (role:admin and domain_id:%(target.project.domain_id)s) or -# (role:admin and project_id:%(target.project.id)s)". -# -# As of the Train release, the project tags API understands how to -# handle system-scoped tokens in addition to project and domain -# tokens, making the API more accessible to users without compromising -# security or manageability for administrators. The new default -# policies for this API account for these changes automatically. -# Add a single tag to a project. 
-# PUT /v3/projects/{project_id}/tags/{value} -# Intended scope(s): system, domain, project -#"identity:create_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" - -# DEPRECATED "identity:create_project_tag":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:create_project_tag":"(role:admin and system_scope:all) or -# (role:admin and domain_id:%(target.project.domain_id)s) or -# (role:admin and project_id:%(target.project.id)s)". -# -# As of the Train release, the project tags API understands how to -# handle system-scoped tokens in addition to project and domain -# tokens, making the API more accessible to users without compromising -# security or manageability for administrators. The new default -# policies for this API account for these changes automatically. -# Remove all tags from a project. -# DELETE /v3/projects/{project_id}/tags -# Intended scope(s): system, domain, project -#"identity:delete_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" - -# DEPRECATED "identity:delete_project_tags":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:delete_project_tags":"(role:admin and system_scope:all) or -# (role:admin and domain_id:%(target.project.domain_id)s) or -# (role:admin and project_id:%(target.project.id)s)". -# -# As of the Train release, the project tags API understands how to -# handle system-scoped tokens in addition to project and domain -# tokens, making the API more accessible to users without compromising -# security or manageability for administrators. The new default -# policies for this API account for these changes automatically. -# Delete a specified tag from project. 
-# DELETE /v3/projects/{project_id}/tags/{value} -# Intended scope(s): system, domain, project -#"identity:delete_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" - -# DEPRECATED "identity:delete_project_tag":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:delete_project_tag":"(role:admin and system_scope:all) or -# (role:admin and domain_id:%(target.project.domain_id)s) or -# (role:admin and project_id:%(target.project.id)s)". -# -# As of the Train release, the project tags API understands how to -# handle system-scoped tokens in addition to project and domain -# tokens, making the API more accessible to users without compromising -# security or manageability for administrators. The new default -# policies for this API account for these changes automatically. -# List projects allowed to access an endpoint. -# GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects -# Intended scope(s): system -#"identity:list_projects_for_endpoint": "role:reader and system_scope:all" - -# DEPRECATED -# "identity:list_projects_for_endpoint":"rule:admin_required" has been -# deprecated since T in favor of -# "identity:list_projects_for_endpoint":"role:reader and -# system_scope:all". -# -# As of the Train release, the project endpoint API now understands -# default roles and system-scoped tokens, making the API more granular -# by default without compromising security. The new policy defaults -# account for these changes automatically. Be sure to take these new -# defaults into consideration if you are relying on overrides in your -# deployment for the project endpoint API. -# Allow project to access an endpoint. 
-# PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:add_endpoint_to_project": "role:admin and system_scope:all" - -# DEPRECATED "identity:add_endpoint_to_project":"rule:admin_required" -# has been deprecated since T in favor of -# "identity:add_endpoint_to_project":"role:admin and -# system_scope:all". -# -# As of the Train release, the project endpoint API now understands -# default roles and system-scoped tokens, making the API more granular -# by default without compromising security. The new policy defaults -# account for these changes automatically. Be sure to take these new -# defaults into consideration if you are relying on overrides in your -# deployment for the project endpoint API. -# Check if a project is allowed to access an endpoint. -# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} -# HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:check_endpoint_in_project": "role:reader and system_scope:all" - -# DEPRECATED -# "identity:check_endpoint_in_project":"rule:admin_required" has been -# deprecated since T in favor of -# "identity:check_endpoint_in_project":"role:reader and -# system_scope:all". -# -# As of the Train release, the project endpoint API now understands -# default roles and system-scoped tokens, making the API more granular -# by default without compromising security. The new policy defaults -# account for these changes automatically. Be sure to take these new -# defaults into consideration if you are relying on overrides in your -# deployment for the project endpoint API. -# List the endpoints a project is allowed to access. 
-# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints -# Intended scope(s): system -#"identity:list_endpoints_for_project": "role:reader and system_scope:all" - -# DEPRECATED -# "identity:list_endpoints_for_project":"rule:admin_required" has been -# deprecated since T in favor of -# "identity:list_endpoints_for_project":"role:reader and -# system_scope:all". -# -# As of the Train release, the project endpoint API now understands -# default roles and system-scoped tokens, making the API more granular -# by default without compromising security. The new policy defaults -# account for these changes automatically. Be sure to take these new -# defaults into consideration if you are relying on overrides in your -# deployment for the project endpoint API. -# Remove access to an endpoint from a project that has previously been -# given explicit access. -# DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:remove_endpoint_from_project": "role:admin and system_scope:all" - -# DEPRECATED -# "identity:remove_endpoint_from_project":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:remove_endpoint_from_project":"role:admin and -# system_scope:all". -# -# As of the Train release, the project endpoint API now understands -# default roles and system-scoped tokens, making the API more granular -# by default without compromising security. The new policy defaults -# account for these changes automatically. Be sure to take these new -# defaults into consideration if you are relying on overrides in your -# deployment for the project endpoint API. -# Create federated protocol. 
-# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} -# Intended scope(s): system -#"identity:create_protocol": "role:admin and system_scope:all" - -# DEPRECATED "identity:create_protocol":"rule:admin_required" has been -# deprecated since S in favor of -# "identity:create_protocol":"role:admin and system_scope:all". The -# federated protocol API is now aware of system scope and default -# roles. -# Update federated protocol. -# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} -# Intended scope(s): system -#"identity:update_protocol": "role:admin and system_scope:all" - -# DEPRECATED "identity:update_protocol":"rule:admin_required" has been -# deprecated since S in favor of -# "identity:update_protocol":"role:admin and system_scope:all". The -# federated protocol API is now aware of system scope and default -# roles. -# Get federated protocol. -# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} -# Intended scope(s): system -#"identity:get_protocol": "role:reader and system_scope:all" - -# DEPRECATED "identity:get_protocol":"rule:admin_required" has been -# deprecated since S in favor of "identity:get_protocol":"role:reader -# and system_scope:all". The federated protocol API is now aware of -# system scope and default roles. -# List federated protocols. -# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols -# Intended scope(s): system -#"identity:list_protocols": "role:reader and system_scope:all" - -# DEPRECATED "identity:list_protocols":"rule:admin_required" has been -# deprecated since S in favor of -# "identity:list_protocols":"role:reader and system_scope:all". The -# federated protocol API is now aware of system scope and default -# roles. -# Delete federated protocol. 
-# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} -# Intended scope(s): system -#"identity:delete_protocol": "role:admin and system_scope:all" - -# DEPRECATED "identity:delete_protocol":"rule:admin_required" has been -# deprecated since S in favor of -# "identity:delete_protocol":"role:admin and system_scope:all". The -# federated protocol API is now aware of system scope and default -# roles. -# Show region details. -# GET /v3/regions/{region_id} -# HEAD /v3/regions/{region_id} -# Intended scope(s): system, domain, project -#"identity:get_region": "" - -# List regions. -# GET /v3/regions -# HEAD /v3/regions -# Intended scope(s): system, domain, project -#"identity:list_regions": "" - -# Create region. -# POST /v3/regions -# PUT /v3/regions/{region_id} -# Intended scope(s): system -#"identity:create_region": "role:admin and system_scope:all" - -# DEPRECATED "identity:create_region":"rule:admin_required" has been -# deprecated since S in favor of "identity:create_region":"role:admin -# and system_scope:all". The region API is now aware of system scope -# and default roles. -# Update region. -# PATCH /v3/regions/{region_id} -# Intended scope(s): system -#"identity:update_region": "role:admin and system_scope:all" - -# DEPRECATED "identity:update_region":"rule:admin_required" has been -# deprecated since S in favor of "identity:update_region":"role:admin -# and system_scope:all". The region API is now aware of system scope -# and default roles. -# Delete region. -# DELETE /v3/regions/{region_id} -# Intended scope(s): system -#"identity:delete_region": "role:admin and system_scope:all" - -# DEPRECATED "identity:delete_region":"rule:admin_required" has been -# deprecated since S in favor of "identity:delete_region":"role:admin -# and system_scope:all". The region API is now aware of system scope -# and default roles. -# Show registered limit details. 
-# GET /v3/registered_limits/{registered_limit_id} -# HEAD /v3/registered_limits/{registered_limit_id} -# Intended scope(s): system, domain, project -#"identity:get_registered_limit": "" - -# List registered limits. -# GET /v3/registered_limits -# HEAD /v3/registered_limits -# Intended scope(s): system, domain, project -#"identity:list_registered_limits": "" - -# Create registered limits. -# POST /v3/registered_limits -# Intended scope(s): system -#"identity:create_registered_limits": "role:admin and system_scope:all" - -# Update registered limit. -# PATCH /v3/registered_limits/{registered_limit_id} -# Intended scope(s): system -#"identity:update_registered_limit": "role:admin and system_scope:all" - -# Delete registered limit. -# DELETE /v3/registered_limits/{registered_limit_id} -# Intended scope(s): system -#"identity:delete_registered_limit": "role:admin and system_scope:all" - -# List revocation events. -# GET /v3/OS-REVOKE/events -# Intended scope(s): system -#"identity:list_revoke_events": "rule:service_or_admin" - -# Show role details. -# GET /v3/roles/{role_id} -# HEAD /v3/roles/{role_id} -# Intended scope(s): system -#"identity:get_role": "role:reader and system_scope:all" - -# DEPRECATED "identity:get_role":"rule:admin_required" has been -# deprecated since S in favor of "identity:get_role":"role:reader and -# system_scope:all". The role API is now aware of system scope and -# default roles. -# List roles. -# GET /v3/roles -# HEAD /v3/roles -# Intended scope(s): system -#"identity:list_roles": "role:reader and system_scope:all" - -# DEPRECATED "identity:list_roles":"rule:admin_required" has been -# deprecated since S in favor of "identity:list_roles":"role:reader -# and system_scope:all". The role API is now aware of system scope and -# default roles. -# Create role. 
-# POST /v3/roles -# Intended scope(s): system -#"identity:create_role": "role:admin and system_scope:all" - -# DEPRECATED "identity:create_role":"rule:admin_required" has been -# deprecated since S in favor of "identity:create_role":"role:admin -# and system_scope:all". The role API is now aware of system scope and -# default roles. -# Update role. -# PATCH /v3/roles/{role_id} -# Intended scope(s): system -#"identity:update_role": "role:admin and system_scope:all" - -# DEPRECATED "identity:update_role":"rule:admin_required" has been -# deprecated since S in favor of "identity:update_role":"role:admin -# and system_scope:all". The role API is now aware of system scope and -# default roles. -# Delete role. -# DELETE /v3/roles/{role_id} -# Intended scope(s): system -#"identity:delete_role": "role:admin and system_scope:all" - -# DEPRECATED "identity:delete_role":"rule:admin_required" has been -# deprecated since S in favor of "identity:delete_role":"role:admin -# and system_scope:all". The role API is now aware of system scope and -# default roles. -# Show domain role. -# GET /v3/roles/{role_id} -# HEAD /v3/roles/{role_id} -# Intended scope(s): system -#"identity:get_domain_role": "role:reader and system_scope:all" - -# DEPRECATED "identity:get_domain_role":"rule:admin_required" has been -# deprecated since T in favor of -# "identity:get_domain_role":"role:reader and system_scope:all". The -# role API is now aware of system scope and default roles. -# List domain roles. -# GET /v3/roles?domain_id={domain_id} -# HEAD /v3/roles?domain_id={domain_id} -# Intended scope(s): system -#"identity:list_domain_roles": "role:reader and system_scope:all" - -# DEPRECATED "identity:list_domain_roles":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:list_domain_roles":"role:reader and system_scope:all". The -# role API is now aware of system scope and default roles. -# Create domain role. 
-# POST /v3/roles -# Intended scope(s): system -#"identity:create_domain_role": "role:admin and system_scope:all" - -# DEPRECATED "identity:create_domain_role":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:create_domain_role":"role:admin and system_scope:all". The -# role API is now aware of system scope and default roles. -# Update domain role. -# PATCH /v3/roles/{role_id} -# Intended scope(s): system -#"identity:update_domain_role": "role:admin and system_scope:all" - -# DEPRECATED "identity:update_domain_role":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:update_domain_role":"role:admin and system_scope:all". The -# role API is now aware of system scope and default roles. -# Delete domain role. -# DELETE /v3/roles/{role_id} -# Intended scope(s): system -#"identity:delete_domain_role": "role:admin and system_scope:all" - -# DEPRECATED "identity:delete_domain_role":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:delete_domain_role":"role:admin and system_scope:all". The -# role API is now aware of system scope and default roles. -# List role assignments. -# GET /v3/role_assignments -# HEAD /v3/role_assignments -# Intended scope(s): system, domain -#"identity:list_role_assignments": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" - -# DEPRECATED "identity:list_role_assignments":"rule:admin_required" -# has been deprecated since S in favor of -# "identity:list_role_assignments":"(role:reader and system_scope:all) -# or (role:reader and domain_id:%(target.domain_id)s)". The assignment -# API is now aware of system scope and default roles. -# List all role assignments for a given tree of hierarchical projects. 
-# GET /v3/role_assignments?include_subtree -# HEAD /v3/role_assignments?include_subtree -# Intended scope(s): system, domain, project -#"identity:list_role_assignments_for_tree": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" - -# DEPRECATED -# "identity:list_role_assignments_for_tree":"rule:admin_required" has -# been deprecated since T in favor of -# "identity:list_role_assignments_for_tree":"(role:reader and -# system_scope:all) or (role:reader and -# domain_id:%(target.project.domain_id)s) or (role:admin and -# project_id:%(target.project.id)s)". The assignment API is now aware -# of system scope and default roles. -# Show service details. -# GET /v3/services/{service_id} -# Intended scope(s): system -#"identity:get_service": "role:reader and system_scope:all" - -# DEPRECATED "identity:get_service":"rule:admin_required" has been -# deprecated since S in favor of "identity:get_service":"role:reader -# and system_scope:all". The service API is now aware of system scope -# and default roles. -# List services. -# GET /v3/services -# Intended scope(s): system -#"identity:list_services": "role:reader and system_scope:all" - -# DEPRECATED "identity:list_services":"rule:admin_required" has been -# deprecated since S in favor of "identity:list_services":"role:reader -# and system_scope:all". The service API is now aware of system scope -# and default roles. -# Create service. -# POST /v3/services -# Intended scope(s): system -#"identity:create_service": "role:admin and system_scope:all" - -# DEPRECATED "identity:create_service":"rule:admin_required" has been -# deprecated since S in favor of "identity:create_service":"role:admin -# and system_scope:all". The service API is now aware of system scope -# and default roles. -# Update service. 
-# PATCH /v3/services/{service_id} -# Intended scope(s): system -#"identity:update_service": "role:admin and system_scope:all" - -# DEPRECATED "identity:update_service":"rule:admin_required" has been -# deprecated since S in favor of "identity:update_service":"role:admin -# and system_scope:all". The service API is now aware of system scope -# and default roles. -# Delete service. -# DELETE /v3/services/{service_id} -# Intended scope(s): system -#"identity:delete_service": "role:admin and system_scope:all" - -# DEPRECATED "identity:delete_service":"rule:admin_required" has been -# deprecated since S in favor of "identity:delete_service":"role:admin -# and system_scope:all". The service API is now aware of system scope -# and default roles. -# Create federated service provider. -# PUT /v3/OS-FEDERATION/service_providers/{service_provider_id} -# Intended scope(s): system -#"identity:create_service_provider": "role:admin and system_scope:all" - -# DEPRECATED "identity:create_service_provider":"rule:admin_required" -# has been deprecated since S in favor of -# "identity:create_service_provider":"role:admin and -# system_scope:all". The service provider API is now aware of system -# scope and default roles. -# List federated service providers. -# GET /v3/OS-FEDERATION/service_providers -# HEAD /v3/OS-FEDERATION/service_providers -# Intended scope(s): system -#"identity:list_service_providers": "role:reader and system_scope:all" - -# DEPRECATED "identity:list_service_providers":"rule:admin_required" -# has been deprecated since S in favor of -# "identity:list_service_providers":"role:reader and -# system_scope:all". The service provider API is now aware of system -# scope and default roles. -# Get federated service provider. 
-# GET /v3/OS-FEDERATION/service_providers/{service_provider_id} -# HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id} -# Intended scope(s): system -#"identity:get_service_provider": "role:reader and system_scope:all" - -# DEPRECATED "identity:get_service_provider":"rule:admin_required" has -# been deprecated since S in favor of -# "identity:get_service_provider":"role:reader and system_scope:all". -# The service provider API is now aware of system scope and default -# roles. -# Update federated service provider. -# PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id} -# Intended scope(s): system -#"identity:update_service_provider": "role:admin and system_scope:all" - -# DEPRECATED "identity:update_service_provider":"rule:admin_required" -# has been deprecated since S in favor of -# "identity:update_service_provider":"role:admin and -# system_scope:all". The service provider API is now aware of system -# scope and default roles. -# Delete federated service provider. -# DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id} -# Intended scope(s): system -#"identity:delete_service_provider": "role:admin and system_scope:all" - -# DEPRECATED "identity:delete_service_provider":"rule:admin_required" -# has been deprecated since S in favor of -# "identity:delete_service_provider":"role:admin and -# system_scope:all". The service provider API is now aware of system -# scope and default roles. -# DEPRECATED -# "identity:revocation_list" has been deprecated since T. -# The identity:revocation_list policy isn't used to protect any APIs -# in keystone now that the revocation list API has been deprecated and -# only returns a 410 or 403 depending on how keystone is configured. -# This policy can be safely removed from policy files. -# List revoked PKI tokens. -# GET /v3/auth/tokens/OS-PKI/revoked -# Intended scope(s): system, project -#"identity:revocation_list": "rule:service_or_admin" - -# Check a token. 
-# HEAD /v3/auth/tokens -# Intended scope(s): system, domain, project -#"identity:check_token": "(role:reader and system_scope:all) or rule:token_subject" - -# DEPRECATED "identity:check_token":"rule:admin_or_token_subject" has -# been deprecated since T in favor of -# "identity:check_token":"(role:reader and system_scope:all) or -# rule:token_subject". The token API is now aware of system scope and -# default roles. -# Validate a token. -# GET /v3/auth/tokens -# Intended scope(s): system, domain, project -#"identity:validate_token": "(role:reader and system_scope:all) or rule:service_role or rule:token_subject" - -# DEPRECATED -# "identity:validate_token":"rule:service_admin_or_token_subject" has -# been deprecated since T in favor of -# "identity:validate_token":"(role:reader and system_scope:all) or -# rule:service_role or rule:token_subject". The token API is now aware -# of system scope and default roles. -# Revoke a token. -# DELETE /v3/auth/tokens -# Intended scope(s): system, domain, project -#"identity:revoke_token": "(role:admin and system_scope:all) or rule:token_subject" - -# DEPRECATED "identity:revoke_token":"rule:admin_or_token_subject" has -# been deprecated since T in favor of -# "identity:revoke_token":"(role:admin and system_scope:all) or -# rule:token_subject". The token API is now aware of system scope and -# default roles. -# Create trust. -# POST /v3/OS-TRUST/trusts -# Intended scope(s): project -#"identity:create_trust": "user_id:%(trust.trustor_user_id)s" - -# List trusts. -# GET /v3/OS-TRUST/trusts -# HEAD /v3/OS-TRUST/trusts -# Intended scope(s): system -#"identity:list_trusts": "role:reader and system_scope:all" - -# DEPRECATED "identity:list_trusts":"rule:admin_required" has been -# deprecated since T in favor of "identity:list_trusts":"role:reader -# and system_scope:all". The trust API is now aware of system scope -# and default roles. -# List trusts for trustor. 
-# GET /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} -# HEAD /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} -# Intended scope(s): system, project -#"identity:list_trusts_for_trustor": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s" - -# List trusts for trustee. -# GET /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} -# HEAD /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} -# Intended scope(s): system, project -#"identity:list_trusts_for_trustee": "role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s" - -# List roles delegated by a trust. -# GET /v3/OS-TRUST/trusts/{trust_id}/roles -# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles -# Intended scope(s): system, project -#"identity:list_roles_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" - -# DEPRECATED "identity:list_roles_for_trust":"user_id:%(target.trust.t -# rustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" has -# been deprecated since T in favor of -# "identity:list_roles_for_trust":"role:reader and system_scope:all or -# user_id:%(target.trust.trustor_user_id)s or -# user_id:%(target.trust.trustee_user_id)s". The trust API is now -# aware of system scope and default roles. -# Check if trust delegates a particular role. 
-# GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} -# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} -# Intended scope(s): system, project -#"identity:get_role_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" - -# DEPRECATED "identity:get_role_for_trust":"user_id:%(target.trust.tru -# stor_user_id)s or user_id:%(target.trust.trustee_user_id)s" has been -# deprecated since T in favor of -# "identity:get_role_for_trust":"role:reader and system_scope:all or -# user_id:%(target.trust.trustor_user_id)s or -# user_id:%(target.trust.trustee_user_id)s". The trust API is now -# aware of system scope and default roles. -# Revoke trust. -# DELETE /v3/OS-TRUST/trusts/{trust_id} -# Intended scope(s): system, project -#"identity:delete_trust": "role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s" - -# DEPRECATED -# "identity:delete_trust":"user_id:%(target.trust.trustor_user_id)s" -# has been deprecated since T in favor of -# "identity:delete_trust":"role:admin and system_scope:all or -# user_id:%(target.trust.trustor_user_id)s". The trust API is now -# aware of system scope and default roles. -# Get trust. -# GET /v3/OS-TRUST/trusts/{trust_id} -# HEAD /v3/OS-TRUST/trusts/{trust_id} -# Intended scope(s): system, project -#"identity:get_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" - -# DEPRECATED -# "identity:get_trust":"user_id:%(target.trust.trustor_user_id)s or -# user_id:%(target.trust.trustee_user_id)s" has been deprecated since -# T in favor of "identity:get_trust":"role:reader and system_scope:all -# or user_id:%(target.trust.trustor_user_id)s or -# user_id:%(target.trust.trustee_user_id)s". The trust API is now -# aware of system scope and default roles. -# Show user details. 
-# GET /v3/users/{user_id} -# HEAD /v3/users/{user_id} -# Intended scope(s): system, domain, project -#"identity:get_user": "(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" - -# DEPRECATED "identity:get_user":"rule:admin_or_owner" has been -# deprecated since S in favor of "identity:get_user":"(role:reader and -# system_scope:all) or (role:reader and -# token.domain.id:%(target.user.domain_id)s) or -# user_id:%(target.user.id)s". The user API is now aware of system -# scope and default roles. -# List users. -# GET /v3/users -# HEAD /v3/users -# Intended scope(s): system, domain -#"identity:list_users": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" - -# DEPRECATED "identity:list_users":"rule:admin_required" has been -# deprecated since S in favor of "identity:list_users":"(role:reader -# and system_scope:all) or (role:reader and -# domain_id:%(target.domain_id)s)". The user API is now aware of -# system scope and default roles. -# List all projects a user has access to via role assignments. -# GET /v3/auth/projects -#"identity:list_projects_for_user": "" - -# List all domains a user has access to via role assignments. -# GET /v3/auth/domains -#"identity:list_domains_for_user": "" - -# Create a user. -# POST /v3/users -# Intended scope(s): system, domain -#"identity:create_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" - -# DEPRECATED "identity:create_user":"rule:admin_required" has been -# deprecated since S in favor of "identity:create_user":"(role:admin -# and system_scope:all) or (role:admin and -# token.domain.id:%(target.user.domain_id)s)". The user API is now -# aware of system scope and default roles. -# Update a user, including administrative password resets. 
-# PATCH /v3/users/{user_id}
-# Intended scope(s): system, domain
-#"identity:update_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"
-
-# DEPRECATED "identity:update_user":"rule:admin_required" has been
-# deprecated since S in favor of "identity:update_user":"(role:admin
-# and system_scope:all) or (role:admin and
-# token.domain.id:%(target.user.domain_id)s)". The user API is now
-# aware of system scope and default roles.
-# Delete a user.
-# DELETE /v3/users/{user_id}
-# Intended scope(s): system, domain
-#"identity:delete_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"
-
-# DEPRECATED "identity:delete_user":"rule:admin_required" has been
-# deprecated since S in favor of "identity:delete_user":"(role:admin
-# and system_scope:all) or (role:admin and
-# token.domain.id:%(target.user.domain_id)s)". The user API is now
-# aware of system scope and default roles.
+# default rules
+# https://docs.openstack.org/keystone/ussuri/configuration/policy.html
+
+"identity:update_user": "rule:admin_or_owner"
diff --git a/resources/nova.yaml b/resources/nova.yaml
new file mode 100644
index 0000000..384d1c8
--- /dev/null
+++ b/resources/nova.yaml
@@ -0,0 +1,11 @@
+# default rules
+# https://docs.openstack.org/nova/ussuri/configuration/policy.html
+
+context_is_tenantLead: role:tenantLead
+os_compute_api:os-admin-actions:reset_state: rule:context_is_tenantLead or rule:system_admin_api
+os_compute_api:os-aggregates:index: rule:context_is_tenantLead or rule:system_reader_api
+os_compute_api:os-aggregates:show: rule:context_is_tenantLead or rule:system_reader_api
+os_compute_api:os-availability-zone:detail: rule:context_is_tenantLead or rule:system_reader_api
+os_compute_api:os-extended-server-attributes: rule:context_is_tenantLead or rule:system_admin_api
+os_compute_api:os-hosts: rule:context_is_tenantLead or rule:admin_api
+os_compute_api:os-hypervisors:servers: rule:context_is_tenantLead or rule:system_reader_api
diff --git a/scripts/post-deployment/hosts b/scripts/post-deployment/hosts
new file mode 100644
index 0000000..dce6441
--- /dev/null
+++ b/scripts/post-deployment/hosts
@@ -0,0 +1,10 @@
+10.0.1.211 aodh.example.com
+10.0.1.212 cinder.example.com
+10.0.1.213 dashboard.example.com
+10.0.1.214 glance.example.com
+10.0.1.215 heat.example.com
+10.0.1.216 keystone.example.com
+10.0.1.217 mysql.example.com
+10.0.1.218 neutron.example.com
+10.0.1.219 nova.example.com
+10.0.1.220 gnocchi.example.com
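Review bot: `context_is_tenantLead: role:tenantLead` (first rule of the nova.yaml hunk) matches on the role alone with no project scoping, so each rule below that ORs it in — notably `os-admin-actions:reset_state` and `os-extended-server-attributes`, which otherwise need `rule:system_admin_api` — becomes reachable with a tenantLead assignment on any project, and as far as I can tell from these lines against servers in any project. If a per-project lead is intended, scope the rule the way Nova's own project rules do, `context_is_tenantLead: role:tenantLead and project_id:%(project_id)s`, and confirm which target each API passes (aggregates, hosts and hypervisors carry no project target, so for those the role-only form is what is really granted and it should be a deliberate choice). `os_compute_api:os-hosts` also mixes `rule:admin_api` where the sibling lines use `rule:system_admin_api` or `rule:system_reader_api`; pick one family so the overrides stay consistent, and check whether the deployed Nova has already split this name into per-action rules. A short comment above each override stating which tenantLead operation it enables would make later audits of this file much easier.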
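Review bot: The new hosts file carries no header comment saying which deployment it describes or how the post-deployment scripts consume it, and the `example.com` names look like placeholders rather than the bundle's real endpoints; a one-line header such as `# Service endpoint map used by the post-deployment scripts; placeholder addresses, replace with the deployed VIPs` would make that explicit. Because a hosts entry takes precedence over DNS on most resolvers for names like keystone.example.com and mysql.example.com, a stale mapping here would silently redirect service traffic, so naming the source of truth in the file is worth the one line.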