Move trust to DocumentedRuleDefault

A new policy class was introduced that requires additional parameters when defining policy objects. This patch switches our trust policy object to the policy.DocumentedRuleDefault and fills the required policy parameters as needed. Implements: bp policy-docs Change-Id: I7d4bab14ff257ede59a1b49088e16842e5b59a64
2017-03-23 18:48:58 +00:00 · 2017-03-23 18:48:58 +00:00 · 8f09c9cf0b
parent 9b3d99ea24
commit 8f09c9cf0b
3 changed files with 41 additions and 10 deletions
--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@ -112,6 +112,7 @@ identity:list_trusts                                       GET /v3/OS-TRUST/trus
 identity:list_roles_for_trust                              GET /v3/OS-TRUST/trusts/{trust_id}/roles
 identity:get_role_for_trust                                GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
 identity:delete_trust                                      DELETE /v3/OS-TRUST/trusts/{trust_id}
+identity:get_trust                                         GET /v3/OS-TRUST/trusts/{trust_id}

 identity:create_consumer                                   POST /v3/OS-OAUTH1/consumers
 identity:get_consumer                                      GET /v3/OS-OAUTH1/consumers/{consumer_id}
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -140,6 +140,7 @@
    "identity:list_roles_for_trust": "",
    "identity:get_role_for_trust": "",
    "identity:delete_trust": "",
+    "identity:get_trust": "",

    "identity:create_consumer": "rule:admin_required",
    "identity:get_consumer": "rule:admin_required",
--- a/keystone/common/policies/trust.py
+++ b/keystone/common/policies/trust.py
@ -15,21 +15,50 @@ from oslo_policy import policy
 from keystone.common.policies import base

 trust_policies = [
-    policy.RuleDefault(
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_trust',
-        check_str=base.RULE_TRUST_OWNER),
-    policy.RuleDefault(
+        check_str=base.RULE_TRUST_OWNER,
+        description='Create trust.',
+        operations=[{'path': '/v3/OS-TRUST/trusts',
+                     'method': 'POST'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_trusts',
-        check_str=''),
-    policy.RuleDefault(
+        check_str='',
+        description='List trusts.',
+        operations=[{'path': '/v3/OS-TRUST/trusts',
+                     'method': 'GET'},
+                    {'path': '/v3/OS-TRUST/trusts',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_roles_for_trust',
-        check_str=''),
-    policy.RuleDefault(
+        check_str='',
+        description='List roles delegated by a trust.',
+        operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
+                     'method': 'GET'},
+                    {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_role_for_trust',
-        check_str=''),
-    policy.RuleDefault(
+        check_str='',
+        description='Check if trust delegates a particular role.',
+        operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
+                     'method': 'GET'},
+                    {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_trust',
-        check_str=''),
+        check_str='',
+        description='Revoke trust.',
+        operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
+                     'method': 'DELETE'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'get_trust',
+        check_str='',
+        description='Get trust.',
+        operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
+                     'method': 'GET'},
+                    {'path': '/v3/OS-TRUST/trusts/{trust_id}',
+                     'method': 'HEAD'}])
 ]