diff --git a/keystone/common/policies/implied_role.py b/keystone/common/policies/implied_role.py
index bb230aafe5..c4d9058ddc 100644
--- a/keystone/common/policies/implied_role.py
+++ b/keystone/common/policies/implied_role.py
@@ -15,24 +15,69 @@ from oslo_policy import policy
 from keystone.common.policies import base
 implied_role_policies = [
- policy.RuleDefault(
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_implied_role',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Get information about an association between two roles. '
+ 'When a relationship exists between a prior role and an '
+ 'implied role and the prior role is assigned to a user, '
+ 'the user also assumes the implied role.',
+ operations=[
+ {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
+ 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_implied_roles',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='List associations between two roles. When a relationship '
+ 'exists between a prior role and an implied role and the '
+ 'prior role is assigned to a user, the user also assumes '
+ 'the implied role. This will return all the implied roles '
+ 'that would be assumed by the user who gets the specified '
+ 'prior role.',
+ operations=[
+ {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'GET'},
+ {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_implied_role',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Create an association between two roles. When a '
+ 'relationship exists between a prior role and an implied '
+ 'role and the prior role is assigned to a user, the user '
+ 'also assumes the implied role.',
+ operations=[
+ {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
+ 'method': 'PUT'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_implied_role',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Delete the association between two roles. When a '
+ 'relationship exists between a prior role and an implied '
+ 'role and the prior role is assigned to a user, the user '
+ 'also assumes the implied role. Removing the association '
+ 'will cause that effect to be eliminated.',
+ operations=[
+ {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
+ 'method': 'DELETE'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_role_inference_rules',
- check_str=base.RULE_ADMIN_REQUIRED),
- policy.RuleDefault(
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='List all associations between two roles in the system. '
+ 'When a relationship exists between a prior role and an '
+ 'implied role and the prior role is assigned to a user, '
+ 'the user also assumes the implied role.',
+ operations=[
+ {'path': '/v3/role_inferences', 'method': 'GET'},
+ {'path': '/v3/role_inferences', 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_implied_role',
- check_str=base.RULE_ADMIN_REQUIRED),
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Check an association between two roles. When a '
+ 'relationship exists between a prior role and an implied '
+ 'role and the prior role is assigned to a user, the user '
+ 'also assumes the implied role.',
+ operations=[
+ {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
+ 'method': 'HEAD'}])
 ]
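Review bot: The explanatory sentence "When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role." is repeated verbatim in all six new `description=` values of this hunk (get, list, create, delete, list_role_inference_rules, check); hoisting it into one module-level constant keeps the wording identical across the six rules if it is ever edited and leaves each description with only its operation-specific sentence. Each rule would then read `description=('Get information about an association between two roles. ' + _IMPLIED_ROLE_NOTE),`, with list_implied_roles and delete_implied_role appending their trailing sentence after the constant. The `operations` entries look consistent with each other (GET/HEAD/PUT/DELETE on the same `/v3/roles/{prior_role_id}/implies/{implied_role_id}` path split across get/check/create/delete), so no change is proposed there.
```python
_IMPLIED_ROLE_NOTE = ('When a relationship exists between a prior role and '
                      'an implied role and the prior role is assigned to a '
                      'user, the user also assumes the implied role.')

implied_role_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_implied_role',
        check_str=base.RULE_ADMIN_REQUIRED,
        description=('Get information about an association between two '
                     'roles. ' + _IMPLIED_ROLE_NOTE),
        operations=[
            {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
             'method': 'GET'}]),
    # … unchanged: the other five rules, each with its own first sentence
    # followed by _IMPLIED_ROLE_NOTE (plus the extra trailing sentence for
    # list_implied_roles and delete_implied_role) …
]
```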