From a2b93017489f1a5a32c80c0edddc53c22933f85f Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 6 Dec 2017 19:30:55 +0000
Subject: [PATCH] Add scope_types to domain config policies

Let's keep the domain configuration API as a system administrator API until we evolve the policy checks in code to handle project and domain administrators.

Change-Id: I674355b45ea846ea42a4d7f1f48f7e1a68ba61e1
---
 keystone/common/policies/domain_config.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/keystone/common/policies/domain_config.py b/keystone/common/policies/domain_config.py
index c72f65f1c2..41b7147f20 100644
--- a/keystone/common/policies/domain_config.py
+++ b/keystone/common/policies/domain_config.py
@@ -19,6 +19,15 @@ domain_config_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_domain_config',
         check_str=base.RULE_ADMIN_REQUIRED,
+        # FIXME(lbragstad): The domain configuration API has traditionally
+        # required system or cloud administrators. If, or when, keystone
+        # implements the ability for project administrator to use these APIs,
+        # then 'project' should be added to scope_types. Adding support for
+        # project or domain administrator to manage their own domain
+        # configuration would be useful and alleviate work for system
+        # administrators, but until we have checks in code that enforce those
+        # checks, let's keep this as a system-level operation.
+        scope_types=['system'],
         description='Create domain configuration.',
         operations=[
             {
@@ -30,6 +39,7 @@ domain_config_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_domain_config',
         check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
         description=('Get the entire domain configuration for a domain, an '
                      'option group within a domain, or a specific '
                      'configuration option within a group for a domain.'),
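Review bot: The FIXME above `scope_types=['system']` on create_domain_config tells the next maintainer to add only `'project'`, while the commit message and the comment's own wording name domain administrators as the other intended audience, and oslo.policy accepts `'domain'` as a scope type as well; the pointer should read `# then 'domain' and/or 'project' should be added to scope_types.` It is also worth saying in the same comment that scope_types narrows nothing on its own here: check_str is left at RULE_ADMIN_REQUIRED, so a project-scoped token that satisfies that rule is still authorized unless oslo.policy's enforce_scope option is enabled, which as far as I recall defaults to off and only logs a warning. Without that sentence a reader may take this hunk as closing the door on project-scoped callers today, which it does not.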
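Review bot: The rationale for `scope_types=['system']` lives only in the FIXME on create_domain_config, so on get_domain_config a reader sees a bare scope restriction with no hint of why it is system-only or what has to change before it can be relaxed. Either hoist the FIXME to one module-level comment above the policy list, or add a one-line cross-reference next to this `scope_types`, `# See FIXME on create_domain_config: system-only until scope checks exist in code.` The rule's `operations` list continues past the end of the hunk.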
@@ -63,6 +73,9 @@ domain_config_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_security_compliance_domain_config',
         check_str='',
+        # This should be accessible to anyone with a valid token, regardless of
+        # system-scope or project-scope.
+        scope_types=['system', 'project'],
         description=('Get security compliance domain configuration for '
                      'either a domain or a specific option in a domain.'),
         operations=[
@@ -89,6 +102,7 @@ domain_config_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_domain_config',
         check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
         description=('Update domain configuration for either a domain, '
                      'specific group or a specific option in a group.'),
         operations=[
@@ -109,6 +123,7 @@ domain_config_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_domain_config',
         check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
         description=('Delete domain configuration for either a domain, '
                      'specific group or a specific option in a group.'),
         operations=[
@@ -129,6 +144,7 @@ domain_config_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_domain_config_default',
         check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
         description=('Get domain configuration default for either a domain, '
                      'specific group or a specific option in a group.'),
         operations=[
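Review bot: `scope_types=['system', 'project']` on get_security_compliance_domain_config leaves out `'domain'`, although the comment directly above says the option should be readable by anyone holding a valid token and keystone also issues domain-scoped tokens; once scope enforcement is switched on, a domain-scoped caller (for instance an administrator reading the password rules that apply to their own domain) would presumably be turned away by the scope check even though `check_str=''` admits everyone. Suggest `scope_types=['system', 'domain', 'project'],` and rewording the comment to `# Readable by any valid token, whatever its scope: the password-compliance settings must be visible to the users they are enforced on.` The rule's `operations` list continues past the end of the hunk.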