Merge "Policy in code (part 3)"

etc/policy.json

@@ -1,43 +1,4 @@
 {
-
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
-    "identity:get_domain_role": "rule:admin_required",
-    "identity:list_domain_roles": "rule:admin_required",
-    "identity:create_domain_role": "rule:admin_required",
-    "identity:update_domain_role": "rule:admin_required",
-    "identity:delete_domain_role": "rule:admin_required",
-
-    "identity:get_implied_role": "rule:admin_required ",
-    "identity:list_implied_roles": "rule:admin_required",
-    "identity:create_implied_role": "rule:admin_required",
-    "identity:delete_implied_role": "rule:admin_required",
-    "identity:list_role_inference_rules": "rule:admin_required",
-    "identity:check_implied_role": "rule:admin_required",
-
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
-
-    "identity:list_role_assignments": "rule:admin_required",
-    "identity:list_role_assignments_for_tree": "rule:admin_required",
-
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
-
-    "identity:check_token": "rule:admin_or_token_subject",
-    "identity:validate_token": "rule:service_admin_or_token_subject",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_token_subject",
-
     "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
     "identity:list_trusts": "",
     "identity:list_roles_for_trust": "",

keystone/common/policies/__init__.py

@@ -17,10 +17,16 @@ from keystone.common.policies import credential
 from keystone.common.policies import domain
 from keystone.common.policies import ec2_credential
 from keystone.common.policies import endpoint
+from keystone.common.policies import grant
 from keystone.common.policies import group
+from keystone.common.policies import implied_role
+from keystone.common.policies import policy
 from keystone.common.policies import project
 from keystone.common.policies import region
+from keystone.common.policies import role
+from keystone.common.policies import role_assignment
 from keystone.common.policies import service
+from keystone.common.policies import token_revocation
 from keystone.common.policies import user
 
 
@@ -31,9 +37,15 @@ def list_rules():
         domain.list_rules(),
         ec2_credential.list_rules(),
         endpoint.list_rules(),
+        grant.list_rules(),
         group.list_rules(),
+        implied_role.list_rules(),
+        policy.list_rules(),
         project.list_rules(),
         region.list_rules(),
+        role.list_rules(),
+        role_assignment.list_rules(),
         service.list_rules(),
+        token_revocation.list_rules(),
         user.list_rules(),
     )

keystone/common/policies/base.py

@@ -22,6 +22,9 @@ RULE_ADMIN_OR_TARGET_DOMAIN = ('rule:admin_required or '
                                'token.project.domain.id:%(target.domain.id)s')
 RULE_ADMIN_OR_TARGET_PROJECT = ('rule:admin_required or '
                                 'project_id:%(target.project.id)s')
+RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
+RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
+RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
 
 
 rules = [

keystone/common/policies/grant.py

@@ -0,0 +1,34 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+grant_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'check_grant',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_grants',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_grant',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'revoke_grant',
+        check_str=base.RULE_ADMIN_REQUIRED),
+]
+
+
+def list_rules():
+    return grant_policies

keystone/common/policies/implied_role.py

@@ -0,0 +1,40 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+implied_role_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_implied_role',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_implied_roles',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_implied_role',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_implied_role',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_role_inference_rules',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'check_implied_role',
+        check_str=base.RULE_ADMIN_REQUIRED),
+]
+
+
+def list_rules():
+    return implied_role_policies

keystone/common/policies/policy.py

@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+policy_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_policy',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_policies',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_policy',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_policy',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_policy',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return policy_policies

keystone/common/policies/role.py

@@ -0,0 +1,52 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+role_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_role',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_roles',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_role',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_role',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_role',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_domain_role',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_domain_roles',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_domain_role',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_domain_role',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_domain_role',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return role_policies

keystone/common/policies/role_assignment.py

@@ -0,0 +1,28 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+role_assignment_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_role_assignments',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_role_assignments_for_tree',
+        check_str=base.RULE_ADMIN_REQUIRED),
+]
+
+
+def list_rules():
+    return role_assignment_policies

keystone/common/policies/token_revocation.py

@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+token_revocation_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'check_token',
+        check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'validate_token',
+        check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'validate_token_head',
+        check_str=base.RULE_SERVICE_OR_ADMIN),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'revocation_list',
+        check_str=base.RULE_SERVICE_OR_ADMIN),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'revoke_token',
+        check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT),
+]
+
+
+def list_rules():
+    return token_revocation_policies