Add policy for project tags
This change adds policy rules for project tags. The default rules for both project updating and project tags will share the same admin_required rule since tags are an attribute of project. Depends-On: Ibcf158f1b8082fbffeb48fa48c6592c87e056d01 Change-Id: Ieb68bd2c9c216b25ad74d320a1c9a297d2b251e7 Partially-Implements: bp project-tags
parent
5329071174
commit
bd452fb9d9
|
@ -38,6 +38,15 @@ identity:create_project POST /v3/projects
|
|||
identity:update_project PATCH /v3/projects/{project_id}
|
||||
identity:delete_project DELETE /v3/projects/{project_id}
|
||||
|
||||
identity:get_project_tag GET /v3/projects/{project_id}/tags/{tag_name}
|
||||
HEAD /v3/projects/{project_id}/tags/{tag_name}
|
||||
identity:list_project_tags GET /v3/projects/{project_id}/tags
|
||||
HEAD /v3/projects/{project_id}/tags
|
||||
identity:create_project_tag PUT /v3/projects/{project_id}/tags/{tag_name}
|
||||
identity:update_project_tags PUT /v3/projects/{project_id}/tags
|
||||
identity:delete_project_tag DELETE /v3/projects/{project_id}/tags/{tag_name}
|
||||
identity:delete_project_tags DELETE /v3/projects/{project_id}/tags
|
||||
|
||||
identity:get_user GET /v3/users/{user_id}
|
||||
identity:list_users GET /v3/users
|
||||
identity:create_user POST /v3/users
|
||||
|
|
|
@ -42,6 +42,12 @@
|
|||
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
|
||||
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
|
||||
"identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
|
||||
"identity:create_project_tag": "rule:admin_required",
|
||||
"identity:delete_project_tag": "rule:admin_required",
|
||||
"identity:get_project_tag": "rule:admin_required",
|
||||
"identity:list_project_tags": "rule:admin_required",
|
||||
"identity:delete_project_tags": "rule:admin_required",
|
||||
"identity:update_project_tags": "rule:admin_required",
|
||||
|
||||
"admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
|
||||
"admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
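Review bot: The six new `identity:*_project_tag` / `identity:*_project_tags` rules are guarded by plain `rule:admin_required`, while the neighbouring `identity:update_project` and `identity:delete_project` entries in this sample require `rule:cloud_admin or rule:admin_and_matching_target_project_domain_id`. The definition of `admin_required` is outside the hunk, but if it is not domain-scoped in this file, an admin of one domain could read or modify tags on projects in another domain. That would be weaker than the project-update policy the commit message says tags should share. Consider reusing the update_project expression for the write rules, e.g. `"identity:create_project_tag": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",`, with an equally scoped rule for get/list.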
|
||||
|
|
|
@ -50,6 +50,46 @@ project_policies = [
|
|||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
description='Delete project.',
|
||||
operations=[{'path': '/v3/projects/{project_id}',
|
||||
'method': 'DELETE'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_project_tags',
|
||||
check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
|
||||
description='List tags for a project.',
|
||||
operations=[{'path': '/v3/projects/{project_id}/tags',
|
||||
'method': 'GET'},
|
||||
{'path': '/v3/projects/{project_id}/tags',
|
||||
'method': 'HEAD'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'get_project_tag',
|
||||
check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
|
||||
description='Check if project contains a tag.',
|
||||
operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
|
||||
'method': 'GET'},
|
||||
{'path': '/v3/projects/{project_id}/tags/{value}',
|
||||
'method': 'HEAD'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'update_project_tags',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
description='Replace all tags on a project with the new set of tags.',
|
||||
operations=[{'path': '/v3/projects/{project_id}/tags',
|
||||
'method': 'PUT'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'create_project_tag',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
description='Add a single tag to a project.',
|
||||
operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
|
||||
'method': 'PUT'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'delete_project_tags',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
description='Remove all tags from a project.',
|
||||
operations=[{'path': '/v3/projects/{project_id}/tags',
|
||||
'method': 'DELETE'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'delete_project_tag',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
description='Delete a specified tag from project.',
|
||||
operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
|
||||
'method': 'DELETE'}])
|
||||
]
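Review bot: `list_project_tags` and `get_project_tag` default to `base.RULE_ADMIN_OR_TARGET_PROJECT`, although the commit message says tag rules share `admin_required` and the sample policy file in this commit sets both to `rule:admin_required`. Either align the defaults or document the intent next to them, e.g. `# Tag reads are also allowed for users scoped to the target project.`, so operators know the in-code default and the sample differ on purpose. The operation paths also use `{value}` where the policy mapping document in this commit uses `{tag_name}`; pick one spelling, e.g. `'path': '/v3/projects/{project_id}/tags/{tag_name}'`, so the generated policy docs match the API reference. The `project_policies` list begins outside the hunk.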
|
||||
|
||||
|
|