From 2edcfb9fe7b74340ff0220e46e8099a4c0732115 Mon Sep 17 00:00:00 2001
From: Richard Avelar
Date: Sun, 19 Feb 2017 09:12:17 +0000
Subject: [PATCH] Policy in code (part 4)

This commit does the following:

- Moves default access_token policies into code
- Moves default consumer policies into code
- Moves default endpoint_group policies into code
- Moves default identity_provider policies into code
- Moves default project_endpoint policies into code
- Moves default trust policies into code

Partially-Implements: bp policy-in-code
Change-Id: I9e93d171b3580614a94cc32ce020e3111e5041c8
---
etc/policy.json | 42 --------------
keystone/common/policies/__init__.py | 12 ++++
keystone/common/policies/access_token.py | 40 ++++++++++++++
keystone/common/policies/base.py | 1 +
keystone/common/policies/consumer.py | 37 +++++++++++++
keystone/common/policies/endpoint_group.py | 55 +++++++++++++++++++
keystone/common/policies/identity_provider.py | 37 +++++++++++++
keystone/common/policies/project_endpoint.py | 38 +++++++++++++
keystone/common/policies/trust.py | 37 +++++++++++++
9 files changed, 257 insertions(+), 42 deletions(-)
create mode 100644 keystone/common/policies/access_token.py
create mode 100644 keystone/common/policies/consumer.py
create mode 100644 keystone/common/policies/endpoint_group.py
create mode 100644 keystone/common/policies/identity_provider.py
create mode 100644 keystone/common/policies/project_endpoint.py
create mode 100644 keystone/common/policies/trust.py
diff --git a/etc/policy.json b/etc/policy.json
index 5b3e615b41..eaeebd747e 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -1,46 +1,4 @@
 {
- "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:list_trusts": "",
- "identity:list_roles_for_trust": "",
- "identity:get_role_for_trust": "",
- "identity:delete_trust": "",
-
- "identity:create_consumer": "rule:admin_required",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
-
- "identity:authorize_request_token": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
-
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
-
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:get_endpoint_group_in_project": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
- "identity:create_identity_provider": "rule:admin_required",
- "identity:list_identity_providers": "rule:admin_required",
- "identity:get_identity_providers": "rule:admin_required",
- "identity:update_identity_provider": "rule:admin_required",
- "identity:delete_identity_provider": "rule:admin_required",
 "identity:create_protocol": "rule:admin_required",
 "identity:update_protocol": "rule:admin_required",
diff --git a/keystone/common/policies/__init__.py b/keystone/common/policies/__init__.py
index cf217994bf..13a9ca730e 100644
--- a/keystone/common/policies/__init__.py
+++ b/keystone/common/policies/__init__.py
@@ -12,40 +12,52 @@
 import itertools
+from keystone.common.policies import access_token
 from keystone.common.policies import base
+from keystone.common.policies import consumer
 from keystone.common.policies import credential
 from keystone.common.policies import domain
 from keystone.common.policies import ec2_credential
 from keystone.common.policies import endpoint
+from keystone.common.policies import endpoint_group
 from keystone.common.policies import grant
 from keystone.common.policies import group
+from keystone.common.policies import identity_provider
 from keystone.common.policies import implied_role
 from keystone.common.policies import policy
 from keystone.common.policies import project
+from keystone.common.policies import project_endpoint
 from keystone.common.policies import region
 from keystone.common.policies import role
 from keystone.common.policies import role_assignment
 from keystone.common.policies import service
 from keystone.common.policies import token_revocation
+from keystone.common.policies import trust
 from keystone.common.policies import user
 def list_rules():
 return itertools.chain(
 base.list_rules(),
+ access_token.list_rules(),
+ consumer.list_rules(),
 credential.list_rules(),
 domain.list_rules(),
 ec2_credential.list_rules(),
 endpoint.list_rules(),
+ endpoint_group.list_rules(),
 grant.list_rules(),
 group.list_rules(),
+ identity_provider.list_rules(),
 implied_role.list_rules(),
 policy.list_rules(),
 project.list_rules(),
+ project_endpoint.list_rules(),
 region.list_rules(),
 role.list_rules(),
 role_assignment.list_rules(),
 service.list_rules(),
 token_revocation.list_rules(),
+ trust.list_rules(),
 user.list_rules(),
 )
diff --git a/keystone/common/policies/access_token.py b/keystone/common/policies/access_token.py
new file mode 100644
index 0000000000..937a0c3afb
--- /dev/null
+++ b/keystone/common/policies/access_token.py
@@ -0,0 +1,40 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+access_token_policies = [
+ policy.RuleDefault(
+ name=base.IDENTITY % 'authorize_request_token',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'get_access_token',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'get_access_token_role',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'list_access_tokens',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'list_access_token_roles',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'delete_access_token',
+ check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+ return access_token_policies
diff --git a/keystone/common/policies/base.py b/keystone/common/policies/base.py
index af070637aa..9720e28a9c 100644
--- a/keystone/common/policies/base.py
+++ b/keystone/common/policies/base.py
@@ -25,6 +25,7 @@ RULE_ADMIN_OR_TARGET_PROJECT = ('rule:admin_required or '
 RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
 RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
 RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
+RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'
 rules = [
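Review bot: None of the six `policy.RuleDefault` entries in `access_token_policies` carries a description, so anything that renders these defaults (the oslo.policy sample generator, a policy reference) will list `identity:authorize_request_token` and its siblings with no statement of what they guard, which is the one thing the old policy.json could not express and the move into code makes possible. `policy.RuleDefault` takes a `description=` keyword; a one-liner per rule such as `description='Authorize a request token.'` would be enough. The same gap is in the consumer, endpoint_group, identity_provider, project_endpoint and trust hunks of this commit. The rule order here also differs from the order of the removed policy.json entries (get/get_role/list/list_roles versus list_roles/get_role/list/get), which makes checking the move against the deleted block harder than it needs to be; not a defect, but cheap to align.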
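Review bot: In the base.py hunk, `RULE_TRUST_OWNER` is the only constant in this group whose value is a raw generic check (`user_id:%(trust.trustor_user_id)s`) rather than a `rule:` alias, and nothing records what it needs from the enforcing code: as far as I recall oslo.policy's generic check substitutes the target dict into the right-hand side and treats a missing key as a failed check, so the rule only passes when the caller supplies a `trust` target whose `trustor_user_id` equals the token's `user_id`. A comment above the constant, e.g. `# Passes only when the token's user_id is the trustor of the target trust; the enforcing controller must supply the trust body as the 'trust' target.`, would make that dependency visible to whoever adds the next trust rule. Whether every enforcement of `identity:create_trust` actually supplies that target is outside this hunk and I cannot verify it from here.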
diff --git a/keystone/common/policies/consumer.py b/keystone/common/policies/consumer.py
new file mode 100644
index 0000000000..ef3106e7ef
--- /dev/null
+++ b/keystone/common/policies/consumer.py
@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+consumer_policies = [
+ policy.RuleDefault(
+ name=base.IDENTITY % 'get_consumer',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'list_consumers',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'create_consumer',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'update_consumer',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'delete_consumer',
+ check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+ return consumer_policies
diff --git a/keystone/common/policies/endpoint_group.py b/keystone/common/policies/endpoint_group.py
new file mode 100644
index 0000000000..0d3facb517
--- /dev/null
+++ b/keystone/common/policies/endpoint_group.py
@@ -0,0 +1,55 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+group_endpoint_policies = [
+ policy.RuleDefault(
+ name=base.IDENTITY % 'create_endpoint_group',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'list_endpoint_groups',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'get_endpoint_group',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'update_endpoint_group',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'delete_endpoint_group',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'get_endpoint_group_in_project',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'list_endpoint_groups_for_project',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'add_endpoint_group_to_project',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'remove_endpoint_group_from_project',
+ check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+ return group_endpoint_policies
diff --git a/keystone/common/policies/identity_provider.py b/keystone/common/policies/identity_provider.py
new file mode 100644
index 0000000000..d5b8b9f84c
--- /dev/null
+++ b/keystone/common/policies/identity_provider.py
@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+identity_provider_policies = [
+ policy.RuleDefault(
+ name=base.IDENTITY % 'create_identity_provider',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'list_identity_providers',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'get_identity_providers',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'update_identity_provider',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'delete_identity_provider',
+ check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+ return identity_provider_policies
diff --git a/keystone/common/policies/project_endpoint.py b/keystone/common/policies/project_endpoint.py
new file mode 100644
index 0000000000..be84474981
--- /dev/null
+++ b/keystone/common/policies/project_endpoint.py
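Review bot: The list in keystone/common/policies/endpoint_group.py is named `group_endpoint_policies`, while every other module this commit adds names its list after the module (`access_token_policies`, `consumer_policies`, `identity_provider_policies`, `project_endpoint_policies`, `trust_policies`). Renaming it keeps the convention and makes the name greppable against the module: `endpoint_group_policies = [` at the top and `return endpoint_group_policies` in `list_rules()`. Nothing outside this file references the list in the diff, so the rename is local to the hunk.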
@@ -0,0 +1,38 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+project_endpoint_policies = [
+
+ policy.RuleDefault(
+ name=base.IDENTITY % 'list_projects_for_endpoint',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'add_endpoint_to_project',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'check_endpoint_in_project',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'list_endpoints_for_project',
+ check_str=base.RULE_ADMIN_REQUIRED),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'remove_endpoint_from_project',
+ check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+ return project_endpoint_policies
diff --git a/keystone/common/policies/trust.py b/keystone/common/policies/trust.py
new file mode 100644
index 0000000000..ff047e3324
--- /dev/null
+++ b/keystone/common/policies/trust.py
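Review bot: `project_endpoint_policies = [` is followed by an empty line before the first `policy.RuleDefault(`, which none of the other five lists in this commit has; it is also why this file is 38 lines to consumer.py's 37 for the same number of rules. Dropping that blank line keeps the modules uniform, so the list starts `project_endpoint_policies = [` immediately followed by `policy.RuleDefault(`.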
@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+trust_policies = [
+ policy.RuleDefault(
+ name=base.IDENTITY % 'create_trust',
+ check_str=base.RULE_TRUST_OWNER),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'list_trusts',
+ check_str=''),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'list_roles_for_trust',
+ check_str=''),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'get_role_for_trust',
+ check_str=''),
+ policy.RuleDefault(
+ name=base.IDENTITY % 'delete_trust',
+ check_str=''),
+]
+
+
+def list_rules():
+ return trust_policies
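Review bot: Four of the five trust rules (`list_trusts`, `list_roles_for_trust`, `get_role_for_trust`, `delete_trust`) are registered with `check_str=''`, which oslo.policy treats as an always-true rule, so at the policy layer any holder of a valid token passes them; that reproduces the removed policy.json entries, but now that the defaults live in code this file is where the reason belongs. I would add a comment above the list along the lines of `# Empty check strings are deliberate: these operations are limited to the trustor/trustee of the trust by the trust controller itself, not by policy.` — with the caveat that the controller-side restriction is outside this hunk, so that claim should be confirmed against the trust controller before the comment lands. Without such a note, a reviewer or an operator auditing the generated defaults will read `''` as an accidentally open rule, and the asymmetry with `create_trust` using `base.RULE_TRUST_OWNER` makes that reading all the more likely.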