From a0244005469497225b3cad5293e5e7cff6b66abc Mon Sep 17 00:00:00 2001
From: Anthony Washington
Date: Thu, 23 Mar 2017 18:40:19 +0000
Subject: [PATCH] Move endpoint group to DocumentedRuleDefault

A new policy class was introduce that requires additional parameters when defining policy objects. This patch switches our endpoint group policy object to the policy.DocumentedRuleDefault and fills the required policy parameters as needed.

Change-Id: I40006254c927b4f02e56ea38817c4c4ad53ecea9
Partially-Implements: bp policy-docs
---
 keystone/common/policies/endpoint_group.py | 94 +++++++++++++++++-----
 1 file changed, 72 insertions(+), 22 deletions(-)

diff --git a/keystone/common/policies/endpoint_group.py b/keystone/common/policies/endpoint_group.py
index 0d3facb517..6eff8d6b0e 100644
--- a/keystone/common/policies/endpoint_group.py
+++ b/keystone/common/policies/endpoint_group.py
@@ -15,39 +15,89 @@ from oslo_policy import policy
 from keystone.common.policies import base
 group_endpoint_policies = [
- policy.RuleDefault(
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_endpoint_group',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Create endpoint group.',
+ operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
+ 'method': 'POST'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_endpoint_groups',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='List endpoint groups.',
+ operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
+ 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_endpoint_group',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Get endpoint group.',
+ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
+ '{endpoint_group_id}'),
+ 'method': 'GET'},
+ {'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
+ '{endpoint_group_id}'),
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_endpoint_group',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Update endpoint group.',
+ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
+ '{endpoint_group_id}'),
+ 'method': 'PATCH'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_endpoint_group',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Delete endpoint group.',
+ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
+ '{endpoint_group_id}'),
+ 'method': 'DELETE'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
+ description=('List all projects associated with a specific endpoint '
+ 'group.'),
+ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
+ '{endpoint_group_id}/projects'),
+ 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='List all endpoints associated with an endpoint group.',
+ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
+ '{endpoint_group_id}/endpoints'),
+ 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_endpoint_group_in_project',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description=('Check if an endpoint group is associated with a '
+ 'project.'),
+ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
+ '{endpoint_group_id}/projects/{project_id}'),
+ 'method': 'GET'},
+ {'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
+ '{endpoint_group_id}/projects/{project_id}'),
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_endpoint_groups_for_project',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='List endpoint groups associated with a specific project.',
+ operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
+ 'endpoint_groups'),
+ 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'add_endpoint_group_to_project',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Allow a project to access an endpoint group.',
+ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
+ '{endpoint_group_id}/projects/{project_id}'),
+ 'method': 'PUT'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'remove_endpoint_group_from_project',
- check_str=base.RULE_ADMIN_REQUIRED)
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Remove endpoint group from project.',
+ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
+ '{endpoint_group_id}/projects/{project_id}'),
+ 'method': 'DELETE'}])
 ]
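Review bot: The `operations` lists are inconsistent about HEAD: `get_endpoint_group` and `get_endpoint_group_in_project` document both GET and HEAD, while `list_endpoint_groups`, `list_projects_associated_with_endpoint_group`, `list_endpoints_associated_with_endpoint_group` and `list_endpoint_groups_for_project` document GET only. `operations` is descriptive metadata that oslo.policy does not enforce, so an operator auditing which OS-EP-FILTER routes each rule guards depends on it matching the router. If the list routes also answer HEAD (the routing is not visible in this hunk), each of them needs a second entry such as `{'path': '/v3/OS-EP-FILTER/endpoint_groups', 'method': 'HEAD'}`. A unit test comparing every documented path/method pair with the registered routes would keep the generated policy documentation from drifting.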