Implement policies for limits
This commit lays down the policies needed to protect the unified limit API. A subsequent patch will expose the implementation. bp unified-limits Change-Id: I952fe6213adce86a92d7d607c9b639076b279f6c
This commit is contained in:
parent
0b241dcea5
commit
9ba24b91a4
@ -25,6 +25,18 @@ identity:create_endpoint POST /v3/endpoints
|
||||
identity:update_endpoint PATCH /v3/endpoints/{endpoint_id}
|
||||
identity:delete_endpoint DELETE /v3/endpoints/{endpoint_id}
|
||||
|
||||
identity:get_registered_limit GET /v3/registered_limits/{registered_limit_id}
|
||||
identity:list_registered_limits GET /v3/registered_limits
|
||||
identity:create_registered_limits POST /v3/registered_limits
|
||||
identity:update_registered_limits PUT /v3/registered_limits
|
||||
identity:delete_registered_limit DELETE /v3/registered_limits/{registered_limit_id}
|
||||
|
||||
identity:get_limit GET /v3/limits/{limit_id}
|
||||
identity:list_limits GET /v3/limits
|
||||
identity:create_limits POST /v3/limits
|
||||
identity:update_limits PUT /v3/limits
|
||||
identity:delete_limit DELETE /v3/limits/{limit_id}
|
||||
|
||||
identity:get_domain GET /v3/domains/{domain_id}
|
||||
identity:list_domains GET /v3/domains
|
||||
identity:create_domain POST /v3/domains
|
||||
|
@ -28,6 +28,18 @@
|
||||
"identity:update_endpoint": "rule:cloud_admin",
|
||||
"identity:delete_endpoint": "rule:cloud_admin",
|
||||
|
||||
"identity:get_registered_limit": "",
|
||||
"identity:list_registered_limits": "",
|
||||
"identity:create_registered_limits": "rule:admin_required",
|
||||
"identity:update_registered_limits": "rule:admin_required",
|
||||
"identity:delete_registered_limit": "rule:admin_required",
|
||||
|
||||
"identity:get_limit": "",
|
||||
"identity:list_limits": "",
|
||||
"identity:create_limits": "rule:admin_required",
|
||||
"identity:update_limits": "rule:admin_required",
|
||||
"identity:delete_limit": "rule:admin_required",
|
||||
|
||||
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
|
||||
"identity:list_domains": "rule:cloud_admin",
|
||||
"identity:create_domain": "rule:cloud_admin",
|
||||
|
@ -26,6 +26,7 @@ from keystone.common.policies import grant
|
||||
from keystone.common.policies import group
|
||||
from keystone.common.policies import identity_provider
|
||||
from keystone.common.policies import implied_role
|
||||
from keystone.common.policies import limit
|
||||
from keystone.common.policies import mapping
|
||||
from keystone.common.policies import policy
|
||||
from keystone.common.policies import policy_association
|
||||
@ -33,6 +34,7 @@ from keystone.common.policies import project
|
||||
from keystone.common.policies import project_endpoint
|
||||
from keystone.common.policies import protocol
|
||||
from keystone.common.policies import region
|
||||
from keystone.common.policies import registered_limit
|
||||
from keystone.common.policies import revoke_event
|
||||
from keystone.common.policies import role
|
||||
from keystone.common.policies import role_assignment
|
||||
@ -60,6 +62,7 @@ def list_rules():
|
||||
group.list_rules(),
|
||||
identity_provider.list_rules(),
|
||||
implied_role.list_rules(),
|
||||
limit.list_rules(),
|
||||
mapping.list_rules(),
|
||||
policy.list_rules(),
|
||||
policy_association.list_rules(),
|
||||
@ -67,6 +70,7 @@ def list_rules():
|
||||
project_endpoint.list_rules(),
|
||||
protocol.list_rules(),
|
||||
region.list_rules(),
|
||||
registered_limit.list_rules(),
|
||||
revoke_event.list_rules(),
|
||||
role.list_rules(),
|
||||
role_assignment.list_rules(),
|
||||
|
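--- /dev/null
+++ b/keystone/common/policies/limit.py
@@ -0,0 +1,67 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+limit_policies = [
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'get_limit',
+        check_str='',
+        # Getting a single limit or listing all limits should be information
+        # accessible to everyone. By setting scope_types=['system', 'project']
+        # we're making it so that anyone with a role on the system or a project
+        # can obtain this information. Making changes to a limit should be
+        # considered a protected system-level API, as noted below with
+        # scope_types=['system'].
+        scope_types=['system', 'project'],
+        description='Show limit details.',
+        operations=[{'path': '/v3/limits/{limit_id}',
+                     'method': 'GET'},
+                    {'path': '/v3/limits/{limit_id}',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'list_limits',
+        check_str='',
+        scope_types=['system', 'project'],
+        description='List limits.',
+        operations=[{'path': '/v3/limits',
+                     'method': 'GET'},
+                    {'path': '/v3/limits',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'create_limits',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Create limits.',
+        operations=[{'path': '/v3/limits',
+                     'method': 'POST'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'update_limits',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Update limits.',
+        operations=[{'path': '/v3/limits/{limit_id}',
+                     'method': 'PUT'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'delete_limit',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Delete limit.',
+        operations=[{'path': '/v3/limits/{limit_id}',
+                     'method': 'DELETE'}])
+]
+
+
+def list_rules():
+    return limit_policies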
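Review bot: The comment above `scope_types=['system', 'project']` in get_limit says that anyone with a role on the system or a project can read limits, but `check_str=''` imposes no role check at all: oslo.policy treats an empty check string as always-true, and scope_types only narrows the accepted token scopes, and only once `[oslo_policy] enforce_scope` is turned on, so under the default configuration any valid token passes get_limit and list_limits. That may be the intended public-read behaviour, but the comment should state it, e.g. `# check_str='' requires no role; scope_types only restricts token scope, and only when enforce_scope is enabled.` Because list_limits is reachable with a project-scoped token and the rule carries no target check, the controller the follow-up patch adds has to filter results to the caller's project itself, which is worth a comment here so it is not lost. Separately, update_limits declares `PUT /v3/limits/{limit_id}` while the policy-mapping doc hunk at the top of this commit lists `PUT /v3/limits` for the same rule, so one of the two is wrong. The same comment wording and the same PUT path mismatch apply to registered_limit.py below.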
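--- /dev/null
+++ b/keystone/common/policies/registered_limit.py
@@ -0,0 +1,67 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+registered_limit_policies = [
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'get_registered_limit',
+        check_str='',
+        # Getting a single registered limit or listing all registered limits
+        # should be information accessible to everyone. By setting
+        # scope_types=['system', 'project'] we're making it so that anyone with
+        # a role on the system or a project can obtain this information.
+        # Making changes to a registered limit should be considered a protected
+        # system-level API, as noted below with scope_types=['system'].
+        scope_types=['system', 'project'],
+        description='Show registered limit details.',
+        operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
+                     'method': 'GET'},
+                    {'path': '/v3/registered_limits/{registered_limit_id}',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'list_registered_limits',
+        check_str='',
+        scope_types=['system', 'project'],
+        description='List registered limits.',
+        operations=[{'path': '/v3/registered_limits',
+                     'method': 'GET'},
+                    {'path': '/v3/registered_limits',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'create_registered_limits',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Create registered limits.',
+        operations=[{'path': '/v3/registered_limits',
+                     'method': 'POST'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'update_registered_limits',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Update registered limits.',
+        operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
+                     'method': 'PUT'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'delete_registered_limit',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Delete registered limit.',
+        operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
+                     'method': 'DELETE'}])
+]
+
+
+def list_rules():
+    return registered_limit_policies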