Merge "Implement policies for limits"
This commit is contained in:
commit
d8a0c5e3d0
@ -25,6 +25,18 @@ identity:create_endpoint POST /v3/endpoints
|
|||||||
identity:update_endpoint PATCH /v3/endpoints/{endpoint_id}
|
identity:update_endpoint PATCH /v3/endpoints/{endpoint_id}
|
||||||
identity:delete_endpoint DELETE /v3/endpoints/{endpoint_id}
|
identity:delete_endpoint DELETE /v3/endpoints/{endpoint_id}
|
||||||
|
|
||||||
|
identity:get_registered_limit GET /v3/registered_limits/{registered_limit_id}
|
||||||
|
identity:list_registered_limits GET /v3/registered_limits
|
||||||
|
identity:create_registered_limits POST /v3/registered_limits
|
||||||
|
identity:update_registered_limits PUT /v3/registered_limits
|
||||||
|
identity:delete_registered_limit DELETE /v3/registered_limits/{registered_limit_id}
|
||||||
|
|
||||||
|
identity:get_limit GET /v3/limits/{limit_id}
|
||||||
|
identity:list_limits GET /v3/limits
|
||||||
|
identity:create_limits POST /v3/limits
|
||||||
|
identity:update_limits PUT /v3/limits
|
||||||
|
identity:delete_limit DELETE /v3/limits/{limit_id}
|
||||||
|
|
||||||
identity:get_domain GET /v3/domains/{domain_id}
|
identity:get_domain GET /v3/domains/{domain_id}
|
||||||
identity:list_domains GET /v3/domains
|
identity:list_domains GET /v3/domains
|
||||||
identity:create_domain POST /v3/domains
|
identity:create_domain POST /v3/domains
|
||||||
|
@ -28,6 +28,18 @@
|
|||||||
"identity:update_endpoint": "rule:cloud_admin",
|
"identity:update_endpoint": "rule:cloud_admin",
|
||||||
"identity:delete_endpoint": "rule:cloud_admin",
|
"identity:delete_endpoint": "rule:cloud_admin",
|
||||||
|
|
||||||
|
"identity:get_registered_limit": "",
|
||||||
|
"identity:list_registered_limits": "",
|
||||||
|
"identity:create_registered_limits": "rule:admin_required",
|
||||||
|
"identity:update_registered_limits": "rule:admin_required",
|
||||||
|
"identity:delete_registered_limit": "rule:admin_required",
|
||||||
|
|
||||||
|
"identity:get_limit": "",
|
||||||
|
"identity:list_limits": "",
|
||||||
|
"identity:create_limits": "rule:admin_required",
|
||||||
|
"identity:update_limits": "rule:admin_required",
|
||||||
|
"identity:delete_limit": "rule:admin_required",
|
||||||
|
|
||||||
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
|
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
|
||||||
"identity:list_domains": "rule:cloud_admin",
|
"identity:list_domains": "rule:cloud_admin",
|
||||||
"identity:create_domain": "rule:cloud_admin",
|
"identity:create_domain": "rule:cloud_admin",
|
||||||
|
@ -26,6 +26,7 @@ from keystone.common.policies import grant
|
|||||||
from keystone.common.policies import group
|
from keystone.common.policies import group
|
||||||
from keystone.common.policies import identity_provider
|
from keystone.common.policies import identity_provider
|
||||||
from keystone.common.policies import implied_role
|
from keystone.common.policies import implied_role
|
||||||
|
from keystone.common.policies import limit
|
||||||
from keystone.common.policies import mapping
|
from keystone.common.policies import mapping
|
||||||
from keystone.common.policies import policy
|
from keystone.common.policies import policy
|
||||||
from keystone.common.policies import policy_association
|
from keystone.common.policies import policy_association
|
||||||
@ -33,6 +34,7 @@ from keystone.common.policies import project
|
|||||||
from keystone.common.policies import project_endpoint
|
from keystone.common.policies import project_endpoint
|
||||||
from keystone.common.policies import protocol
|
from keystone.common.policies import protocol
|
||||||
from keystone.common.policies import region
|
from keystone.common.policies import region
|
||||||
|
from keystone.common.policies import registered_limit
|
||||||
from keystone.common.policies import revoke_event
|
from keystone.common.policies import revoke_event
|
||||||
from keystone.common.policies import role
|
from keystone.common.policies import role
|
||||||
from keystone.common.policies import role_assignment
|
from keystone.common.policies import role_assignment
|
||||||
@ -60,6 +62,7 @@ def list_rules():
|
|||||||
group.list_rules(),
|
group.list_rules(),
|
||||||
identity_provider.list_rules(),
|
identity_provider.list_rules(),
|
||||||
implied_role.list_rules(),
|
implied_role.list_rules(),
|
||||||
|
limit.list_rules(),
|
||||||
mapping.list_rules(),
|
mapping.list_rules(),
|
||||||
policy.list_rules(),
|
policy.list_rules(),
|
||||||
policy_association.list_rules(),
|
policy_association.list_rules(),
|
||||||
@ -67,6 +70,7 @@ def list_rules():
|
|||||||
project_endpoint.list_rules(),
|
project_endpoint.list_rules(),
|
||||||
protocol.list_rules(),
|
protocol.list_rules(),
|
||||||
region.list_rules(),
|
region.list_rules(),
|
||||||
|
registered_limit.list_rules(),
|
||||||
revoke_event.list_rules(),
|
revoke_event.list_rules(),
|
||||||
role.list_rules(),
|
role.list_rules(),
|
||||||
role_assignment.list_rules(),
|
role_assignment.list_rules(),
|
||||||
|
67
keystone/common/policies/limit.py
Normal file
67
keystone/common/policies/limit.py
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
limit_policies = [
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=base.IDENTITY % 'get_limit',
|
||||||
|
check_str='',
|
||||||
|
# Getting a single limit or listing all limits should be information
|
||||||
|
# accessible to everyone. By setting scope_types=['system', 'project']
|
||||||
|
# we're making it so that anyone with a role on the system or a project
|
||||||
|
# can obtain this information. Making changes to a limit should be
|
||||||
|
# considered a protected system-level API, as noted below with
|
||||||
|
# scope_types=['system'].
|
||||||
|
scope_types=['system', 'project'],
|
||||||
|
description='Show limit details.',
|
||||||
|
operations=[{'path': '/v3/limits/{limit_id}',
|
||||||
|
'method': 'GET'},
|
||||||
|
{'path': '/v3/limits/{limit_id}',
|
||||||
|
'method': 'HEAD'}]),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_limits',
|
||||||
|
check_str='',
|
||||||
|
scope_types=['system', 'project'],
|
||||||
|
description='List limits.',
|
||||||
|
operations=[{'path': '/v3/limits',
|
||||||
|
'method': 'GET'},
|
||||||
|
{'path': '/v3/limits',
|
||||||
|
'method': 'HEAD'}]),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=base.IDENTITY % 'create_limits',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['system'],
|
||||||
|
description='Create limits.',
|
||||||
|
operations=[{'path': '/v3/limits',
|
||||||
|
'method': 'POST'}]),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=base.IDENTITY % 'update_limits',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['system'],
|
||||||
|
description='Update limits.',
|
||||||
|
operations=[{'path': '/v3/limits/{limit_id}',
|
||||||
|
'method': 'PUT'}]),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=base.IDENTITY % 'delete_limit',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['system'],
|
||||||
|
description='Delete limit.',
|
||||||
|
operations=[{'path': '/v3/limits/{limit_id}',
|
||||||
|
'method': 'DELETE'}])
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return limit_policies
|
67
keystone/common/policies/registered_limit.py
Normal file
67
keystone/common/policies/registered_limit.py
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
registered_limit_policies = [
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=base.IDENTITY % 'get_registered_limit',
|
||||||
|
check_str='',
|
||||||
|
# Getting a single registered limit or listing all registered limits
|
||||||
|
# should be information accessible to everyone. By setting
|
||||||
|
# scope_types=['system', 'project'] we're making it so that anyone with
|
||||||
|
# a role on the system or a project can obtain this information.
|
||||||
|
# Making changes to a registered limit should be considered a protected
|
||||||
|
# system-level API, as noted below with scope_types=['system'].
|
||||||
|
scope_types=['system', 'project'],
|
||||||
|
description='Show registered limit details.',
|
||||||
|
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
|
||||||
|
'method': 'GET'},
|
||||||
|
{'path': '/v3/registered_limits/{registered_limit_id}',
|
||||||
|
'method': 'HEAD'}]),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=base.IDENTITY % 'list_registered_limits',
|
||||||
|
check_str='',
|
||||||
|
scope_types=['system', 'project'],
|
||||||
|
description='List registered limits.',
|
||||||
|
operations=[{'path': '/v3/registered_limits',
|
||||||
|
'method': 'GET'},
|
||||||
|
{'path': '/v3/registered_limits',
|
||||||
|
'method': 'HEAD'}]),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=base.IDENTITY % 'create_registered_limits',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['system'],
|
||||||
|
description='Create registered limits.',
|
||||||
|
operations=[{'path': '/v3/registered_limits',
|
||||||
|
'method': 'POST'}]),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=base.IDENTITY % 'update_registered_limits',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['system'],
|
||||||
|
description='Update registered limits.',
|
||||||
|
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
|
||||||
|
'method': 'PUT'}]),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=base.IDENTITY % 'delete_registered_limit',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['system'],
|
||||||
|
description='Delete registered limit.',
|
||||||
|
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
|
||||||
|
'method': 'DELETE'}])
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return registered_limit_policies
|
Loading…
Reference in New Issue
Block a user