Policy in code (part 4)
This commit does the following: - Moves default access_token policies into code - Moves default consumer policies into code - Moves default endpoint_group policies into code - Moves default identity_provider policies into code - Moves default project_endpoint policies into code - Moves default trust policies into code Partially-Implements: bp policy-in-code Change-Id: I9e93d171b3580614a94cc32ce020e3111e5041c8
parent
f45218a1db
commit
2edcfb9fe7
|
@ -1,46 +1,4 @@
|
||||||
{
|
{
|
||||||
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
|
||||||
"identity:list_trusts": "",
|
|
||||||
"identity:list_roles_for_trust": "",
|
|
||||||
"identity:get_role_for_trust": "",
|
|
||||||
"identity:delete_trust": "",
|
|
||||||
|
|
||||||
"identity:create_consumer": "rule:admin_required",
|
|
||||||
"identity:get_consumer": "rule:admin_required",
|
|
||||||
"identity:list_consumers": "rule:admin_required",
|
|
||||||
"identity:delete_consumer": "rule:admin_required",
|
|
||||||
"identity:update_consumer": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:authorize_request_token": "rule:admin_required",
|
|
||||||
"identity:list_access_token_roles": "rule:admin_required",
|
|
||||||
"identity:get_access_token_role": "rule:admin_required",
|
|
||||||
"identity:list_access_tokens": "rule:admin_required",
|
|
||||||
"identity:get_access_token": "rule:admin_required",
|
|
||||||
"identity:delete_access_token": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:list_projects_for_endpoint": "rule:admin_required",
|
|
||||||
"identity:add_endpoint_to_project": "rule:admin_required",
|
|
||||||
"identity:check_endpoint_in_project": "rule:admin_required",
|
|
||||||
"identity:list_endpoints_for_project": "rule:admin_required",
|
|
||||||
"identity:remove_endpoint_from_project": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:create_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:list_endpoint_groups": "rule:admin_required",
|
|
||||||
"identity:get_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:update_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:delete_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:get_endpoint_group_in_project": "rule:admin_required",
|
|
||||||
"identity:list_endpoint_groups_for_project": "rule:admin_required",
|
|
||||||
"identity:add_endpoint_group_to_project": "rule:admin_required",
|
|
||||||
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:create_identity_provider": "rule:admin_required",
|
|
||||||
"identity:list_identity_providers": "rule:admin_required",
|
|
||||||
"identity:get_identity_providers": "rule:admin_required",
|
|
||||||
"identity:update_identity_provider": "rule:admin_required",
|
|
||||||
"identity:delete_identity_provider": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:create_protocol": "rule:admin_required",
|
"identity:create_protocol": "rule:admin_required",
|
||||||
"identity:update_protocol": "rule:admin_required",
|
"identity:update_protocol": "rule:admin_required",
|
||||||
|
|
|
@ -12,40 +12,52 @@
|
||||||
|
|
||||||
import itertools
|
import itertools
|
||||||
|
|
||||||
|
from keystone.common.policies import access_token
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
from keystone.common.policies import consumer
|
||||||
from keystone.common.policies import credential
|
from keystone.common.policies import credential
|
||||||
from keystone.common.policies import domain
|
from keystone.common.policies import domain
|
||||||
from keystone.common.policies import ec2_credential
|
from keystone.common.policies import ec2_credential
|
||||||
from keystone.common.policies import endpoint
|
from keystone.common.policies import endpoint
|
||||||
|
from keystone.common.policies import endpoint_group
|
||||||
from keystone.common.policies import grant
|
from keystone.common.policies import grant
|
||||||
from keystone.common.policies import group
|
from keystone.common.policies import group
|
||||||
|
from keystone.common.policies import identity_provider
|
||||||
from keystone.common.policies import implied_role
|
from keystone.common.policies import implied_role
|
||||||
from keystone.common.policies import policy
|
from keystone.common.policies import policy
|
||||||
from keystone.common.policies import project
|
from keystone.common.policies import project
|
||||||
|
from keystone.common.policies import project_endpoint
|
||||||
from keystone.common.policies import region
|
from keystone.common.policies import region
|
||||||
from keystone.common.policies import role
|
from keystone.common.policies import role
|
||||||
from keystone.common.policies import role_assignment
|
from keystone.common.policies import role_assignment
|
||||||
from keystone.common.policies import service
|
from keystone.common.policies import service
|
||||||
from keystone.common.policies import token_revocation
|
from keystone.common.policies import token_revocation
|
||||||
|
from keystone.common.policies import trust
|
||||||
from keystone.common.policies import user
|
from keystone.common.policies import user
|
||||||
|
|
||||||
|
|
||||||
def list_rules():
|
def list_rules():
|
||||||
return itertools.chain(
|
return itertools.chain(
|
||||||
base.list_rules(),
|
base.list_rules(),
|
||||||
|
access_token.list_rules(),
|
||||||
|
consumer.list_rules(),
|
||||||
credential.list_rules(),
|
credential.list_rules(),
|
||||||
domain.list_rules(),
|
domain.list_rules(),
|
||||||
ec2_credential.list_rules(),
|
ec2_credential.list_rules(),
|
||||||
endpoint.list_rules(),
|
endpoint.list_rules(),
|
||||||
|
endpoint_group.list_rules(),
|
||||||
grant.list_rules(),
|
grant.list_rules(),
|
||||||
group.list_rules(),
|
group.list_rules(),
|
||||||
|
identity_provider.list_rules(),
|
||||||
implied_role.list_rules(),
|
implied_role.list_rules(),
|
||||||
policy.list_rules(),
|
policy.list_rules(),
|
||||||
project.list_rules(),
|
project.list_rules(),
|
||||||
|
project_endpoint.list_rules(),
|
||||||
region.list_rules(),
|
region.list_rules(),
|
||||||
role.list_rules(),
|
role.list_rules(),
|
||||||
role_assignment.list_rules(),
|
role_assignment.list_rules(),
|
||||||
service.list_rules(),
|
service.list_rules(),
|
||||||
token_revocation.list_rules(),
|
token_revocation.list_rules(),
|
||||||
|
trust.list_rules(),
|
||||||
user.list_rules(),
|
user.list_rules(),
|
||||||
)
|
)
|
||||||
|
|
|
@ -0,0 +1,40 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
access_token_policies = [
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'authorize_request_token',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'get_access_token',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'get_access_token_role',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_access_tokens',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_access_token_roles',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'delete_access_token',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return access_token_policies
|
|
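Review bot: None of the six `policy.RuleDefault` entries in `access_token_policies` carries a `description`, so the generated sample policy will document these defaults by name only; if the oslo.policy in use accepts the `description=` keyword (confirm against requirements), each entry should say what it gates, e.g. `description='Authorize a request token.'` for `authorize_request_token` and `description='Delete an access token.'` for `delete_access_token`. The `base.RULE_ADMIN_REQUIRED` defaults match the JSON entries this commit removes, so no effective change in enforcement is introduced. A one-line module comment above the list noting that these cover the access-token/request-token operations (presumably the OAuth1 flow — verify) would also help readers coming from policy.json.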
@ -25,6 +25,7 @@ RULE_ADMIN_OR_TARGET_PROJECT = ('rule:admin_required or '
|
||||||
RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
|
RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
|
||||||
RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
|
RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
|
||||||
RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
|
RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
|
||||||
|
RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'
|
||||||
|
|
||||||
|
|
||||||
rules = [
|
rules = [
|
||||||
|
|
|
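Review bot: `RULE_TRUST_OWNER` is a raw `user_id:%(trust.trustor_user_id)s` check string, whereas every neighbouring `RULE_*` constant in this file is a `rule:` reference into the named rules registered below, so the name suggests a registered rule that does not exist. Either register it (`policy.RuleDefault(name='trust_owner', check_str='user_id:%(trust.trustor_user_id)s')` in `rules` and `RULE_TRUST_OWNER = 'rule:trust_owner'`) or add a comment above it such as `# Direct check, not a rule: reference — requires the enforcement target to carry trust.trustor_user_id`. The check only works if callers put the trust under the `trust` key of the target dict; that caller is not in this hunk, so it should be verified. The `rules` list continues outside the hunk.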
@ -0,0 +1,37 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
consumer_policies = [
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'get_consumer',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_consumers',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'create_consumer',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'update_consumer',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'delete_consumer',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return consumer_policies
|
|
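Review bot: The entries in `consumer_policies` are listed get/list/create/update/delete, while the sibling modules added in this commit list create first, which makes side-by-side review of the six new files harder than it needs to be; reordering to create/get/list/update/delete would match them. As with the other new modules, each `policy.RuleDefault` lacks a `description=`, e.g. `description='Create a consumer.'`, if the oslo.policy version in use supports it. The admin-only defaults are byte-identical to the removed policy.json entries, so enforcement is unchanged.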
@ -0,0 +1,55 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
group_endpoint_policies = [
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'create_endpoint_group',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_endpoint_groups',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'get_endpoint_group',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'update_endpoint_group',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'delete_endpoint_group',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'get_endpoint_group_in_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_endpoint_groups_for_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'add_endpoint_group_to_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'remove_endpoint_group_from_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return group_endpoint_policies
|
|
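Review bot: The list in the new `endpoint_group` module is named `group_endpoint_policies`, which inverts the module name and breaks the `<module>_policies` convention every other file in this commit follows (`consumer_policies`, `trust_policies`, ...); rename to `endpoint_group_policies = [` and `return endpoint_group_policies`. The eleven defaults all reproduce the removed policy.json entries with `base.RULE_ADMIN_REQUIRED`, so there is no behavioural change, but they would benefit from `description=` strings as well, e.g. `description='Add an endpoint group to a project.'` for `add_endpoint_group_to_project`.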
@ -0,0 +1,37 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
identity_provider_policies = [
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'create_identity_provider',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_identity_providers',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'get_identity_providers',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'update_identity_provider',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'delete_identity_provider',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return identity_provider_policies
|
|
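Review bot: `base.IDENTITY % 'get_identity_providers'` uses a plural name for a single-resource get, out of step with the other four entries in `identity_provider_policies`; the plural is carried over verbatim from the removed policy.json line, so renaming it here would silently break operator overrides keyed on the old name and is rightly out of scope. A comment on that entry would stop the next reader from "fixing" it: `# NOTE: plural name kept from policy.json so existing operator overrides still match`. Descriptions (`description='Get an identity provider.'`) would also make the intent clear in the generated sample policy.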
@ -0,0 +1,38 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
project_endpoint_policies = [
|
||||||
|
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_projects_for_endpoint',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'add_endpoint_to_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'check_endpoint_in_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_endpoints_for_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'remove_endpoint_from_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return project_endpoint_policies
|
|
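Review bot: There is a stray blank line immediately after `project_endpoint_policies = [` that none of the other new policy modules have; drop it so the list opens the same way everywhere. Otherwise the five admin-only defaults reproduce the removed policy.json entries exactly. Adding `description=` to each `policy.RuleDefault`, e.g. `description='Check if an endpoint is associated with a project.'` for `check_endpoint_in_project`, would document the defaults in the generated sample.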
@ -0,0 +1,37 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
trust_policies = [
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'create_trust',
|
||||||
|
check_str=base.RULE_TRUST_OWNER),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_trusts',
|
||||||
|
check_str=''),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_roles_for_trust',
|
||||||
|
check_str=''),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'get_role_for_trust',
|
||||||
|
check_str=''),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=base.IDENTITY % 'delete_trust',
|
||||||
|
check_str=''),
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return trust_policies
|
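Review bot: Four of the five entries in `trust_policies` (`list_trusts`, `list_roles_for_trust`, `get_role_for_trust`, `delete_trust`) have `check_str=''`, which oslo.policy treats as always-allowed at the policy layer; this matches the removed policy.json lines, so it is not a regression, but once the defaults live in code a reader should not have to guess why a delete is unrestricted. Presumably the trust controller enforces trustor/trustee ownership itself (it is not in this hunk — verify), so add a comment such as `# NOTE: empty check_str — ownership of the trust is enforced by the trust controller, not by policy; confirm before relying on policy alone`. `create_trust` relies on `base.RULE_TRUST_OWNER`, which only holds if the enforcement target includes `trust.trustor_user_id`, another assumption worth recording next to it.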