Implement policies for limits

This commit lays down the policies needed to protect the unified limit
API. A subsequent patch will expose the implementation.

bp unified-limits

Change-Id: I952fe6213adce86a92d7d607c9b639076b279f6c

doc/source/getting-started/policy_mapping.rst

@@ -25,6 +25,18 @@ identity:create_endpoint                                   POST /v3/endpoints
 identity:update_endpoint                                   PATCH /v3/endpoints/{endpoint_id}
 identity:delete_endpoint                                   DELETE /v3/endpoints/{endpoint_id}
 
+identity:get_registered_limit                              GET /v3/registered_limits/{registered_limit_id}
+identity:list_registered_limits                            GET /v3/registered_limits
+identity:create_registered_limits                          POST /v3/registered_limits
+identity:update_registered_limits                          PUT /v3/registered_limits
+identity:delete_registered_limit                           DELETE /v3/registered_limits/{registered_limit_id}
+
+identity:get_limit                                         GET /v3/limits/{limit_id}
+identity:list_limits                                       GET /v3/limits
+identity:create_limits                                     POST /v3/limits
+identity:update_limits                                     PUT /v3/limits
+identity:delete_limit                                      DELETE /v3/limits/{limit_id}
+
 identity:get_domain                                        GET /v3/domains/{domain_id}
 identity:list_domains                                      GET /v3/domains
 identity:create_domain                                     POST /v3/domains

etc/policy.v3cloudsample.json

@@ -28,6 +28,18 @@
     "identity:update_endpoint": "rule:cloud_admin",
     "identity:delete_endpoint": "rule:cloud_admin",
 
+    "identity:get_registered_limit": "",
+    "identity:list_registered_limits": "",
+    "identity:create_registered_limits": "rule:admin_required",
+    "identity:update_registered_limits": "rule:admin_required",
+    "identity:delete_registered_limit": "rule:admin_required",
+
+    "identity:get_limit": "",
+    "identity:list_limits": "",
+    "identity:create_limits": "rule:admin_required",
+    "identity:update_limits": "rule:admin_required",
+    "identity:delete_limit": "rule:admin_required",
+
     "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
     "identity:list_domains": "rule:cloud_admin",
     "identity:create_domain": "rule:cloud_admin",

keystone/common/policies/__init__.py

@@ -26,6 +26,7 @@ from keystone.common.policies import grant
 from keystone.common.policies import group
 from keystone.common.policies import identity_provider
 from keystone.common.policies import implied_role
+from keystone.common.policies import limit
 from keystone.common.policies import mapping
 from keystone.common.policies import policy
 from keystone.common.policies import policy_association
@@ -33,6 +34,7 @@ from keystone.common.policies import project
 from keystone.common.policies import project_endpoint
 from keystone.common.policies import protocol
 from keystone.common.policies import region
+from keystone.common.policies import registered_limit
 from keystone.common.policies import revoke_event
 from keystone.common.policies import role
 from keystone.common.policies import role_assignment
@@ -60,6 +62,7 @@ def list_rules():
         group.list_rules(),
         identity_provider.list_rules(),
         implied_role.list_rules(),
+        limit.list_rules(),
         mapping.list_rules(),
         policy.list_rules(),
         policy_association.list_rules(),
@@ -67,6 +70,7 @@ def list_rules():
         project_endpoint.list_rules(),
         protocol.list_rules(),
         region.list_rules(),
+        registered_limit.list_rules(),
         revoke_event.list_rules(),
         role.list_rules(),
         role_assignment.list_rules(),

keystone/common/policies/limit.py

@@ -0,0 +1,67 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+limit_policies = [
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'get_limit',
+        check_str='',
+        # Getting a single limit or listing all limits should be information
+        # accessible to everyone. By setting scope_types=['system', 'project']
+        # we're making it so that anyone with a role on the system or a project
+        # can obtain this information.  Making changes to a limit should be
+        # considered a protected system-level API, as noted below with
+        # scope_types=['system'].
+        scope_types=['system', 'project'],
+        description='Show limit details.',
+        operations=[{'path': '/v3/limits/{limit_id}',
+                     'method': 'GET'},
+                    {'path': '/v3/limits/{limit_id}',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'list_limits',
+        check_str='',
+        scope_types=['system', 'project'],
+        description='List limits.',
+        operations=[{'path': '/v3/limits',
+                     'method': 'GET'},
+                    {'path': '/v3/limits',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'create_limits',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Create limits.',
+        operations=[{'path': '/v3/limits',
+                     'method': 'POST'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'update_limits',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Update limits.',
+        operations=[{'path': '/v3/limits/{limit_id}',
+                     'method': 'PUT'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'delete_limit',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Delete limit.',
+        operations=[{'path': '/v3/limits/{limit_id}',
+                     'method': 'DELETE'}])
+]
+
+
+def list_rules():
+    return limit_policies

keystone/common/policies/registered_limit.py

@@ -0,0 +1,67 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+registered_limit_policies = [
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'get_registered_limit',
+        check_str='',
+        # Getting a single registered limit or listing all registered limits
+        # should be information accessible to everyone. By setting
+        # scope_types=['system', 'project'] we're making it so that anyone with
+        # a role on the system or a project can obtain this information.
+        # Making changes to a registered limit should be considered a protected
+        # system-level API, as noted below with scope_types=['system'].
+        scope_types=['system', 'project'],
+        description='Show registered limit details.',
+        operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
+                     'method': 'GET'},
+                    {'path': '/v3/registered_limits/{registered_limit_id}',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'list_registered_limits',
+        check_str='',
+        scope_types=['system', 'project'],
+        description='List registered limits.',
+        operations=[{'path': '/v3/registered_limits',
+                     'method': 'GET'},
+                    {'path': '/v3/registered_limits',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'create_registered_limits',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Create registered limits.',
+        operations=[{'path': '/v3/registered_limits',
+                     'method': 'POST'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'update_registered_limits',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Update registered limits.',
+        operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
+                     'method': 'PUT'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'delete_registered_limit',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Delete registered limit.',
+        operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
+                     'method': 'DELETE'}])
+]
+
+
+def list_rules():
+    return registered_limit_policies