diff --git a/keystone/common/policies/group.py b/keystone/common/policies/group.py
index 321d7725a2..235665a274 100644
--- a/keystone/common/policies/group.py
+++ b/keystone/common/policies/group.py
@@ -15,36 +15,76 @@ from oslo_policy import policy
 from keystone.common.policies import base
 group_policies = [
- policy.RuleDefault(
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_group',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Show group details.',
+ operations=[{'path': '/v3/groups/{group_id}',
+ 'method': 'GET'},
+ {'path': '/v3/groups/{group_id}',
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_groups',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='List groups.',
+ operations=[{'path': '/v3/groups',
+ 'method': 'GET'},
+ {'path': '/v3/groups',
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_groups_for_user',
- check_str=base.RULE_ADMIN_OR_OWNER),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='List groups to which a user belongs.',
+ operations=[{'path': '/v3/users/{user_id}/groups',
+ 'method': 'GET'},
+ {'path': '/v3/users/{user_id}/groups',
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_group',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Create group.',
+ operations=[{'path': '/v3/groups',
+ 'method': 'POST'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_group',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Update group.',
+ operations=[{'path': '/v3/groups/{group_id}',
+ 'method': 'PATCH'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_group',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Delete group.',
+ operations=[{'path': '/v3/groups/{group_id}',
+ 'method': 'DELETE'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_users_in_group',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='List members of a specific group.',
+ operations=[{'path': '/v3/groups/{group_id}/users',
+ 'method': 'GET'},
+ {'path': '/v3/groups/{group_id}/users',
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'remove_user_from_group',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Remove user from group.',
+ operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
+ 'method': 'DELETE'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_user_in_group',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Check whether a user is a member of a group.',
+ operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
+ 'method': 'HEAD'},
+ {'path': '/v3/groups/{group_id}/users/{user_id}',
+ 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'add_user_to_group',
- check_str=base.RULE_ADMIN_REQUIRED)
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Add user to group.',
+ operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
+ 'method': 'PUT'}])
 ]
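Review bot: The `check_user_in_group` rule lists its operations as `'HEAD'` then `'GET'`, while every other two-method rule in this list (`get_group`, `list_groups`, `list_groups_for_user`, `list_users_in_group`) lists `GET` first; swapping the two entries keeps the order consistent, which presumably also matters for any policy reference rendered from these `operations` lists. Separately, `list_groups_for_user` is the only rule here with `check_str=base.RULE_ADMIN_OR_OWNER`, and its description does not say so; since the description is the text operators see when auditing defaults, something like `description='List groups to which a user belongs. The rule name indicates this is open to the user in question as well as admins.'` would make the broader default visible rather than leaving it to be inferred from the constant name. The `group_policies` list opens and closes inside this hunk.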