Add policy for project tags

This change adds policy rules for project tags. The default
rules for both project updating and project tags will share
the same admin_required rule since tags are an attribute
of a project.

Depends-On: Ibcf158f1b8082fbffeb48fa48c6592c87e056d01
Change-Id: Ieb68bd2c9c216b25ad74d320a1c9a297d2b251e7
Partially-Implements: bp project-tags
Gage Hugo 2017-07-24 16:21:55 -05:00
parent 5329071174
commit bd452fb9d9
3 changed files with 55 additions and 0 deletions


@ -38,6 +38,15 @@ identity:create_project POST /v3/projects
identity:update_project PATCH /v3/projects/{project_id}
identity:delete_project DELETE /v3/projects/{project_id}
identity:get_project_tag GET /v3/projects/{project_id}/tags/{tag_name}
HEAD /v3/projects/{project_id}/tags/{tag_name}
identity:list_project_tags GET /v3/projects/{project_id}/tags
HEAD /v3/projects/{project_id}/tags
identity:create_project_tag PUT /v3/projects/{project_id}/tags/{tag_name}
identity:update_project_tags PUT /v3/projects/{project_id}/tags
identity:delete_project_tag DELETE /v3/projects/{project_id}/tags/{tag_name}
identity:delete_project_tags DELETE /v3/projects/{project_id}/tags
identity:get_user GET /v3/users/{user_id}
identity:list_users GET /v3/users
identity:create_user POST /v3/users


@ -42,6 +42,12 @@
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
"identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
"identity:create_project_tag": "rule:admin_required",
"identity:delete_project_tag": "rule:admin_required",
"identity:get_project_tag": "rule:admin_required",
"identity:list_project_tags": "rule:admin_required",
"identity:delete_project_tags": "rule:admin_required",
"identity:update_project_tags": "rule:admin_required",
"admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
"admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
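Review bot: The six new tag rules are gated by `rule:admin_required` alone, while the neighbouring `identity:update_project` and `identity:delete_project` rules require `rule:cloud_admin or rule:admin_and_matching_target_project_domain_id`. The definition of `admin_required` is outside this hunk, but if it is role-only, an admin of one domain could replace or delete tags on projects in another domain, which breaks the domain isolation the other project rules enforce. For the write rules I would mirror the project rule, e.g. `"identity:update_project_tags": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",`, after confirming the tag API populates `target.project.domain_id` for the check. The commit message says tags share the project-update rule, which is not what this file does.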


@ -50,6 +50,46 @@ project_policies = [
check_str=base.RULE_ADMIN_REQUIRED,
description='Delete project.',
operations=[{'path': '/v3/projects/{project_id}',
'method': 'DELETE'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_project_tags',
check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
description='List tags for a project.',
operations=[{'path': '/v3/projects/{project_id}/tags',
'method': 'GET'},
{'path': '/v3/projects/{project_id}/tags',
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_project_tag',
check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
description='Check if project contains a tag.',
operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
'method': 'GET'},
{'path': '/v3/projects/{project_id}/tags/{value}',
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_project_tags',
check_str=base.RULE_ADMIN_REQUIRED,
description='Replace all tags on a project with the new set of tags.',
operations=[{'path': '/v3/projects/{project_id}/tags',
'method': 'PUT'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_project_tag',
check_str=base.RULE_ADMIN_REQUIRED,
description='Add a single tag to a project.',
operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
'method': 'PUT'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_project_tags',
check_str=base.RULE_ADMIN_REQUIRED,
description='Remove all tags from a project.',
operations=[{'path': '/v3/projects/{project_id}/tags',
'method': 'DELETE'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_project_tag',
check_str=base.RULE_ADMIN_REQUIRED,
description='Delete a specified tag from project.',
operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
'method': 'DELETE'}])
]
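Review bot: `list_project_tags` and `get_project_tag` default to `base.RULE_ADMIN_OR_TARGET_PROJECT`, which is broader than the `rule:admin_required` that the JSON policy file in this commit assigns to the same two rules, and broader than the commit message's statement that tags share the admin_required rule. If letting project-scoped users read their own tags is intended, record it with a comment above the two entries, such as `# Tags are readable by any user scoped to the target project.`, and align the JSON file; otherwise use `check_str=base.RULE_ADMIN_REQUIRED`. The operation paths here use `{value}` while the policy-to-API mapping in the first file uses `{tag_name}`; one placeholder name should be used in both so operators can match rules to routes. The `project_policies` list begins outside the hunk.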