Move group policies to DocumentedRuleDefault

A new policy class was introduce that requires additional parameters when defining policy objects. This patch switches our group policy object to the policy.DocumentedRuleDefault and fills the required policy parameters as needed. Change-Id: Ia20c966f0828b4fbc5335a4811893c025d7aab2e Partially-Implements: bp policy-docs
2017-03-23 17:30:44 +00:00 · 2017-03-23 17:30:44 +00:00 · 086dfc3ba6
parent 39c6b0ff53
commit 086dfc3ba6
1 changed files with 60 additions and 20 deletions
--- a/keystone/common/policies/group.py
+++ b/keystone/common/policies/group.py
@ -15,36 +15,76 @@ from oslo_policy import policy
 from keystone.common.policies import base

 group_policies = [
-    policy.RuleDefault(
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_group',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Show group details.',
+        operations=[{'path': '/v3/groups/{group_id}',
+                     'method': 'GET'},
+                    {'path': '/v3/groups/{group_id}',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_groups',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='List groups.',
+        operations=[{'path': '/v3/groups',
+                     'method': 'GET'},
+                    {'path': '/v3/groups',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_groups_for_user',
-        check_str=base.RULE_ADMIN_OR_OWNER),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='List groups to which a user belongs.',
+        operations=[{'path': '/v3/users/{user_id}/groups',
+                     'method': 'GET'},
+                    {'path': '/v3/users/{user_id}/groups',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_group',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Create group.',
+        operations=[{'path': '/v3/groups',
+                     'method': 'POST'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'update_group',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Update group.',
+        operations=[{'path': '/v3/groups/{group_id}',
+                     'method': 'PATCH'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_group',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Delete group.',
+        operations=[{'path': '/v3/groups/{group_id}',
+                     'method': 'DELETE'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_users_in_group',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='List members of a specific group.',
+        operations=[{'path': '/v3/groups/{group_id}/users',
+                     'method': 'GET'},
+                    {'path': '/v3/groups/{group_id}/users',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'remove_user_from_group',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Remove user from group.',
+        operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
+                     'method': 'DELETE'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'check_user_in_group',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Check whether a user is a member of a group.',
+        operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
+                     'method': 'HEAD'},
+                    {'path': '/v3/groups/{group_id}/users/{user_id}',
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'add_user_to_group',
-        check_str=base.RULE_ADMIN_REQUIRED)
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Add user to group.',
+        operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
+                     'method': 'PUT'}])
 ]