Move project endpoint to DocumentedRuleDefault

A new policy class was introduce that requires additional parameters when defining policy objects This patch switches our project endpoint policy object to the policy.DocumentedRuleDefault and fills the required policy parameters as needed. Change-Id: Ifc43008837b82e4b99ada844daa85472481fa904 Partially-Implements: bp policy-docs
2017-03-23 18:45:17 +00:00 · 2017-03-23 18:45:17 +00:00 · 273e8417d4
parent 9034755743
commit 273e8417d4
1 changed files with 34 additions and 10 deletions
--- a/keystone/common/policies/project_endpoint.py
+++ b/keystone/common/policies/project_endpoint.py
@ -16,21 +16,45 @@ from keystone.common.policies import base

 project_endpoint_policies = [

-    policy.RuleDefault(
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_projects_for_endpoint',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='List projects allowed to access an endpoint.',
+        operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/'
+                              'projects'),
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'add_endpoint_to_project',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Allow project to access an endpoint.',
+        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
+                              'endpoints/{endpoint_id}'),
+                     'method': 'PUT'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'check_endpoint_in_project',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Check if a project is allowed to access an endpoint.',
+        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
+                              'endpoints/{endpoint_id}'),
+                     'method': 'GET'},
+                    {'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
+                              'endpoints/{endpoint_id}'),
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_endpoints_for_project',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='List the endpoints a project is allowed to access.',
+        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
+                              'endpoints'),
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'remove_endpoint_from_project',
-        check_str=base.RULE_ADMIN_REQUIRED)
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description=('Remove access to an endpoint from a project that has '
+                     'previously been given explicit access.'),
+        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
+                              'endpoints/{endpoint_id}'),
+                     'method': 'DELETE'}])
 ]