diff --git a/doc/source/getting-started/policy_mapping.rst b/doc/source/getting-started/policy_mapping.rst index 68920ed52d..a00669eb6e 100644 --- a/doc/source/getting-started/policy_mapping.rst +++ b/doc/source/getting-started/policy_mapping.rst @@ -104,6 +104,11 @@ identity:check_system_grant_for_user GET /v3/system/users/ identity:create_system_grant_for_user PUT /v3/system/users/{user_id}/roles/{role_id} identity:revoke_system_grant_for_user DELETE /v3/system/users/{user_id}/roles/{role_id} +identity:list_system_grants_for_group GET /v3/system/groups/{group_id}/roles +identity:check_system_grant_for_group GET /v3/system/groups/{group_id}/roles/{role_id} +identity:create_system_grant_for_group PUT /v3/system/groups/{group_id}/roles/{role_id} +identity:revoke_system_grant_for_group DELETE /v3/system/groups/{group_id}/roles/{role_id} + identity:list_role_assignments GET /v3/role_assignments identity:list_role_assignments_for_tree GET /v3/role_assignments?include_subtree diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json index 9044c16ba1..db2a09d37f 100644 --- a/etc/policy.v3cloudsample.json +++ b/etc/policy.v3cloudsample.json @@ -114,6 +114,11 @@ "identity:create_system_grant_for_user": "rule:admin_required", "identity:revoke_system_grant_for_user": "rule:admin_required", + "identity:list_system_grants_for_group": "rule:admin_required", + "identity:check_system_grant_for_group": "rule:admin_required", + "identity:create_system_grant_for_group": "rule:admin_required", + "identity:revoke_system_grant_for_group": "rule:admin_required", + "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants", "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", 
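Review bot: In the policy.v3cloudsample.json hunk the four new `identity:*_system_grant_for_group` entries are bound to `rule:admin_required`, while the neighbouring grant rules in the same file (`identity:check_grant`, `identity:list_grants`, `identity:create_grant`) are gated on `rule:cloud_admin or ...`. The choice is consistent with the `*_system_grant_for_user` entries directly above, so it is not new to this change, but in the cloud sample `cloud_admin` presumably exists precisely to separate the operator from domain/project admins, and creating a system-scope grant for a group is an operator-level action; it is worth confirming that `rule:admin_required` (which in this sample is likely satisfied by any admin-role token) is the intended gate rather than `rule:cloud_admin`. If `admin_required` is deliberate, a one-line comment is not possible in strict JSON, so the rationale belongs in the policy_mapping.rst entry or the commit message.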
diff --git a/keystone/common/policies/grant.py b/keystone/common/policies/grant.py index d64f273395..35bbd5676a 100644 --- a/keystone/common/policies/grant.py +++ b/keystone/common/policies/grant.py @@ -145,6 +145,54 @@ grant_policies = [ 'method': ['DELETE'] } ] + ), + policy.DocumentedRuleDefault( + name=base.IDENTITY % 'list_system_grants_for_group', + check_str=base.RULE_ADMIN_REQUIRED, + scope_types=['system'], + description='List all grants a specific group has on the system.', + operations=[ + { + 'path': '/v3/system/groups/{group_id}/roles', + 'method': ['HEAD', 'GET'] + } + ] + ), + policy.DocumentedRuleDefault( + name=base.IDENTITY % 'check_system_grant_for_group', + check_str=base.RULE_ADMIN_REQUIRED, + scope_types=['system'], + description='Check if a group has a role on the system.', + operations=[ + { + 'path': '/v3/system/groups/{group_id}/roles/{role_id}', + 'method': ['HEAD', 'GET'] + } + ] + ), + policy.DocumentedRuleDefault( + name=base.IDENTITY % 'create_system_grant_for_group', + check_str=base.RULE_ADMIN_REQUIRED, + scope_types=['system'], + description='Grant a group a role on the system.', + operations=[ + { + 'path': '/v3/system/groups/{group_id}/roles/{role_id}', + 'method': ['PUT'] + } + ] + ), + policy.DocumentedRuleDefault( + name=base.IDENTITY % 'revoke_system_grant_for_group', + check_str=base.RULE_ADMIN_REQUIRED, + scope_types=['system'], + description='Remove a role from a group on the system.', + operations=[ + { + 'path': '/v3/system/groups/{group_id}/roles/{role_id}', + 'method': ['DELETE'] + } + ] ) ]
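Review bot: The descriptions on the new `create_system_grant_for_group` and `revoke_system_grant_for_group` defaults do not say what a group grant implies, and for system scope that is the security-relevant part: the role is presumably obtained by every current and future member of the group (including members resolved through federation mappings), not by a single principal, so I would write `description='Grant a group a role on the system; every member of the group inherits the role.'` and the matching wording for revoke. All four rules also share `check_str=base.RULE_ADMIN_REQUIRED` with `scope_types=['system']`; that mirrors the user variants above the hunk, but note that the read-only `list`/`check` rules are no looser than `create`/`revoke`, which is fine from a least-privilege standpoint only if no non-admin caller is ever expected to audit its own group's system roles — worth a sentence in the commit message. The `grant_policies` list that these entries are appended to starts outside the hunk.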