Merge "Move user policies to DocumentedRuleDefault"

2017-06-07 01:28:13 +00:00 · 2017-06-07 01:28:13 +00:00 · b2cc115a48
parent 5258c340d6 48d349f3dc
commit b2cc115a48
1 changed files with 46 additions and 16 deletions
--- a/keystone/common/policies/user.py
+++ b/keystone/common/policies/user.py
@ -15,30 +15,60 @@ from oslo_policy import policy
 from keystone.common.policies import base

 user_policies = [
-    policy.RuleDefault(
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_user',
-        check_str=base.RULE_ADMIN_OR_OWNER),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Show user details.',
+        operations=[{'path': '/v3/users/{user_id}',
+                     'method': 'GET'},
+                    {'path': '/v3/users/{user_id}',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_users',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='List users.',
+        operations=[{'path': '/v3/users',
+                     'method': 'GET'},
+                    {'path': '/v3/users',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_projects_for_user',
-        check_str=''),
-    policy.RuleDefault(
+        check_str='',
+        description=('List all projects a user has access to via role '
+                     'assignments.'),
+        operations=[{'path': ' /v3/auth/projects',
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_domains_for_user',
-        check_str=''),
-    policy.RuleDefault(
+        check_str='',
+        description=('List all domains a user has access to via role '
+                     'assignments.'),
+        operations=[{'path': '/v3/auth/domains',
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_user',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Create a user.',
+        operations=[{'path': '/v3/users',
+                     'method': 'POST'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'update_user',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Update a user, including administrative password resets.',
+        operations=[{'path': '/v3/users/{user_id}',
+                     'method': 'PATCH'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_user',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Delete a user.',
+        operations=[{'path': '/v3/users/{user_id}',
+                     'method': 'DELETE'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'change_password',
-        check_str=base.RULE_ADMIN_OR_OWNER),
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Self-service password change.',
+        operations=[{'path': '/v3/users/{user_id}/password',
+                     'method': 'POST'}])
 ]