Policy in code (part 4)

This commit does the following: - Moves default access_token policies into code - Moves default consumer policies into code - Moves default endpoint_group policies into code - Moves default identity_provider policies into code - Moves default project_endpoint policies into code - Moves default trust policies into code Partially-Implements: bp policy-in-code Change-Id: I9e93d171b3580614a94cc32ce020e3111e5041c8
2017-02-19 09:12:17 +00:00 · 2017-02-19 09:12:17 +00:00 · 2edcfb9fe7
parent f45218a1db
commit 2edcfb9fe7
9 changed files with 257 additions and 42 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -1,46 +1,4 @@
 {
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",

    "identity:create_protocol": "rule:admin_required",
    "identity:update_protocol": "rule:admin_required",
--- a/keystone/common/policies/init.py
+++ b/keystone/common/policies/init.py
@ -12,40 +12,52 @@

 import itertools

+from keystone.common.policies import access_token
 from keystone.common.policies import base
+from keystone.common.policies import consumer
 from keystone.common.policies import credential
 from keystone.common.policies import domain
 from keystone.common.policies import ec2_credential
 from keystone.common.policies import endpoint
+from keystone.common.policies import endpoint_group
 from keystone.common.policies import grant
 from keystone.common.policies import group
+from keystone.common.policies import identity_provider
 from keystone.common.policies import implied_role
 from keystone.common.policies import policy
 from keystone.common.policies import project
+from keystone.common.policies import project_endpoint
 from keystone.common.policies import region
 from keystone.common.policies import role
 from keystone.common.policies import role_assignment
 from keystone.common.policies import service
 from keystone.common.policies import token_revocation
+from keystone.common.policies import trust
 from keystone.common.policies import user


 def list_rules():
    return itertools.chain(
        base.list_rules(),
+        access_token.list_rules(),
+        consumer.list_rules(),
        credential.list_rules(),
        domain.list_rules(),
        ec2_credential.list_rules(),
        endpoint.list_rules(),
+        endpoint_group.list_rules(),
        grant.list_rules(),
        group.list_rules(),
+        identity_provider.list_rules(),
        implied_role.list_rules(),
        policy.list_rules(),
        project.list_rules(),
+        project_endpoint.list_rules(),
        region.list_rules(),
        role.list_rules(),
        role_assignment.list_rules(),
        service.list_rules(),
        token_revocation.list_rules(),
+        trust.list_rules(),
        user.list_rules(),
    )
--- a/keystone/common/policies/access_token.py
+++ b/keystone/common/policies/access_token.py
@ -0,0 +1,40 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+access_token_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'authorize_request_token',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_access_token',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_access_token_role',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_access_tokens',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_access_token_roles',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_access_token',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return access_token_policies
--- a/keystone/common/policies/base.py
+++ b/keystone/common/policies/base.py
@ -25,6 +25,7 @@ RULE_ADMIN_OR_TARGET_PROJECT = ('rule:admin_required or '
 RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
 RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
 RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
+RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'


 rules = [
--- a/keystone/common/policies/consumer.py
+++ b/keystone/common/policies/consumer.py
@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+consumer_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_consumer',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_consumers',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_consumer',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_consumer',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_consumer',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return consumer_policies
--- a/keystone/common/policies/endpoint_group.py
+++ b/keystone/common/policies/endpoint_group.py
@ -0,0 +1,55 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+group_endpoint_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_endpoint_group',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_endpoint_groups',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_endpoint_group',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_endpoint_group',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_endpoint_group',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_endpoint_group_in_project',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_endpoint_groups_for_project',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'add_endpoint_group_to_project',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'remove_endpoint_group_from_project',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return group_endpoint_policies
--- a/keystone/common/policies/identity_provider.py
+++ b/keystone/common/policies/identity_provider.py
@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+identity_provider_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_identity_provider',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_identity_providers',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_identity_providers',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_identity_provider',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_identity_provider',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return identity_provider_policies
--- a/keystone/common/policies/project_endpoint.py
+++ b/keystone/common/policies/project_endpoint.py
@ -0,0 +1,38 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+project_endpoint_policies = [
+
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_projects_for_endpoint',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'add_endpoint_to_project',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'check_endpoint_in_project',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_endpoints_for_project',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'remove_endpoint_from_project',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return project_endpoint_policies
--- a/keystone/common/policies/trust.py
+++ b/keystone/common/policies/trust.py
@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+trust_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_trust',
+        check_str=base.RULE_TRUST_OWNER),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_trusts',
+        check_str=''),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_roles_for_trust',
+        check_str=''),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_role_for_trust',
+        check_str=''),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_trust',
+        check_str=''),
+]
+
+
+def list_rules():
+    return trust_policies