From b342cbd957636a8d9e9d8b7bcc99b96d4ab04c62 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 6 Dec 2017 19:52:01 +0000
Subject: [PATCH] Add scope_types to project endpoint policies

This commit gives all project endpoint policies a scope type of `system` since endpoints are system-level resources. From now on, a warning will be logged when a project-scoped token is used to manage project endpoint associations. Operators will have the option to require system-scoped tokens for these policies by enabling oslo.policy's `enforce_scope` configuration option, which will result in an HTTP Forbidden exception when mismatching scope is detected.

Change-Id: I23b12f9a4cfbb124a6ea2cc55b5c0ccb2d463ae8
---
 keystone/common/policies/project_endpoint.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/keystone/common/policies/project_endpoint.py b/keystone/common/policies/project_endpoint.py
index a98489f8d3..bc7bb77bba 100644
--- a/keystone/common/policies/project_endpoint.py
+++ b/keystone/common/policies/project_endpoint.py
@@ -19,6 +19,11 @@ project_endpoint_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_projects_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
+ # NOTE(lbragstad): While projects can be considered project-level APIs
+ # with hierarchical multi-tenancy, endpoints are a system-level
+ # resource. Managing associations between projects and endpoints should
+ # default to system-level.
+ scope_types=['system'],
 description='List projects allowed to access an endpoint.',
 operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/'
 'projects'),
@@ -26,6 +31,7 @@ project_endpoint_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'add_endpoint_to_project',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
 description='Allow project to access an endpoint.',
 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints/{endpoint_id}'),
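Review bot: Nothing in this change pins the behavior it introduces: the diffstat shows only the policy file touched, so there is no protection test that calls `list_projects_for_endpoint` with a project-scoped token under `enforce_scope=True` and expects HTTP 403, and no release note for the warning-now, Forbidden-later path the commit message describes (I am inferring that the project expects one for operator-visible policy changes). Because the `+ scope_types=['system']` line only produces a log warning until operators enable `[oslo_policy] enforce_scope`, a test is the only thing that would catch a later regression in the scope value. The NOTE(lbragstad) comment could also make explicit that scope is checked in addition to, not instead of, `base.RULE_ADMIN_REQUIRED`, e.g. `# Scope is enforced on top of RULE_ADMIN_REQUIRED, and only when [oslo_policy] enforce_scope is set.` The enclosing `project_endpoint_policies` list starts and ends outside this hunk.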
@@ -33,6 +39,7 @@ project_endpoint_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_endpoint_in_project',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
 description='Check if a project is allowed to access an endpoint.',
 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints/{endpoint_id}'),
@@ -43,6 +50,7 @@ project_endpoint_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_endpoints_for_project',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
 description='List the endpoints a project is allowed to access.',
 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints'),
@@ -50,6 +58,7 @@ project_endpoint_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'remove_endpoint_from_project',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
 description=('Remove access to an endpoint from a project that has '
 'previously been given explicit access.'),
 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
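Review bot: The `+ scope_types=['system']` lines on `check_endpoint_in_project`, `list_endpoints_for_project` and `remove_endpoint_from_project` carry no rationale, while the reasoning lives only in the NOTE attached to `list_projects_for_endpoint` earlier in the file; a reader of `list_endpoints_for_project` in particular may wonder why a project-keyed path (`/v3/OS-EP-FILTER/projects/{project_id}/endpoints`) is system-scoped rather than project-scoped. A one-line pointer on each rule, e.g. `# System-scoped: see NOTE(lbragstad) on list_projects_for_endpoint.`, keeps the five rules consistent without repeating the paragraph. The enclosing `project_endpoint_policies` list starts and ends outside these hunks.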