Merge "Add group system grant policies"

2018-01-03 01:11:01 +00:00 · 2018-01-03 01:11:01 +00:00 · 48e592637c
commit 48e592637c
parent 1f1ec829d7 cd9064d2b9
3 changed files with 58 additions and 0 deletions
--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@ -104,6 +104,11 @@ identity:check_system_grant_for_user                       GET /v3/system/users/
 identity:create_system_grant_for_user                      PUT /v3/system/users/{user_id}/roles/{role_id}
 identity:revoke_system_grant_for_user                      DELETE /v3/system/users/{user_id}/roles/{role_id}

+identity:list_system_grants_for_group                      GET /v3/system/groups/{group_id}/roles
+identity:check_system_grant_for_group                      GET /v3/system/groups/{group_id}/roles/{role_id}
+identity:create_system_grant_for_group                     PUT /v3/system/groups/{group_id}/roles/{role_id}
+identity:revoke_system_grant_for_group                     DELETE /v3/system/groups/{group_id}/roles/{role_id}
+
 identity:list_role_assignments                             GET /v3/role_assignments
 identity:list_role_assignments_for_tree                    GET /v3/role_assignments?include_subtree

--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -114,6 +114,11 @@
    "identity:create_system_grant_for_user": "rule:admin_required",
    "identity:revoke_system_grant_for_user": "rule:admin_required",

+    "identity:list_system_grants_for_group": "rule:admin_required",
+    "identity:check_system_grant_for_group": "rule:admin_required",
+    "identity:create_system_grant_for_group": "rule:admin_required",
+    "identity:revoke_system_grant_for_group": "rule:admin_required",
+
    "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
    "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
    "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
--- a/keystone/common/policies/grant.py
+++ b/keystone/common/policies/grant.py
@ -145,6 +145,54 @@ grant_policies = [
                'method': ['DELETE']
            }
        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'list_system_grants_for_group',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='List all grants a specific group has on the system.',
+        operations=[
+            {
+                'path': '/v3/system/groups/{group_id}/roles',
+                'method': ['HEAD', 'GET']
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'check_system_grant_for_group',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Check if a group has a role on the system.',
+        operations=[
+            {
+                'path': '/v3/system/groups/{group_id}/roles/{role_id}',
+                'method': ['HEAD', 'GET']
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'create_system_grant_for_group',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Grant a group a role on the system.',
+        operations=[
+            {
+                'path': '/v3/system/groups/{group_id}/roles/{role_id}',
+                'method': ['PUT']
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'revoke_system_grant_for_group',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Remove a role from a group on the system.',
+        operations=[
+            {
+                'path': '/v3/system/groups/{group_id}/roles/{role_id}',
+                'method': ['DELETE']
+            }
+        ]
    )
 ]