Add scope_types to project endpoint policies
This commit gives all project endpoint policies a scope type of `system` since endpoints are system-level resources. From now on, a warning will be logged when a project-scoped token is used to manage project endpoint associations. Operators will have the option to require system-scoped tokens for these policies by enabling oslo.policy's `enforce_scope` configuration option, which will result in an HTTP Forbidden exception when mismatching scope is detected. Change-Id: I23b12f9a4cfbb124a6ea2cc55b5c0ccb2d463ae8
This commit is contained in:
parent
2178447a6d
commit
b342cbd957
@ -19,6 +19,11 @@ project_endpoint_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_projects_for_endpoint',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
# NOTE(lbragstad): While projects can be considered project-level APIs
|
||||
# with hierarchical multi-tenancy, endpoints are a system-level
|
||||
# resource. Managing associations between projects and endpoints should
|
||||
# default to system-level.
|
||||
scope_types=['system'],
|
||||
description='List projects allowed to access an endpoint.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/'
|
||||
'projects'),
|
||||
@ -26,6 +31,7 @@ project_endpoint_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'add_endpoint_to_project',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Allow project to access an endpoint.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
||||
'endpoints/{endpoint_id}'),
|
||||
@ -33,6 +39,7 @@ project_endpoint_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'check_endpoint_in_project',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Check if a project is allowed to access an endpoint.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
||||
'endpoints/{endpoint_id}'),
|
||||
@ -43,6 +50,7 @@ project_endpoint_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_endpoints_for_project',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='List the endpoints a project is allowed to access.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
||||
'endpoints'),
|
||||
@ -50,6 +58,7 @@ project_endpoint_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'remove_endpoint_from_project',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description=('Remove access to an endpoint from a project that has '
|
||||
'previously been given explicit access.'),
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
||||
|
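Review bot: The rationale comment `# NOTE(lbragstad): ... default to system-level.` is attached only to the `list_projects_for_endpoint` rule in the first hunk, while the identical `scope_types=['system']` line is added to all five rules in this list (the `add_endpoint_to_project`, `check_endpoint_in_project`, `list_endpoints_for_project` and `remove_endpoint_from_project` hunks carry it with no explanation). A reader landing on one of the later rules will not see why a project-scoped token is rejected for it once `enforce_scope` is enabled. Either move the NOTE above the `project_endpoint_policies = [` assignment, which starts before the first hunk, so it covers the whole list, or put a one-line pointer on each rule such as `# Endpoints are a system-level resource; see NOTE on list_projects_for_endpoint.`. It would also help operators to state in that comment what the commit message says, that with `enforce_scope` off a scope mismatch only logs a warning and `check_str` is still `base.RULE_ADMIN_REQUIRED`.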