diff --git a/keystone/common/policies/application_credential.py b/keystone/common/policies/application_credential.py index cebb85b026..f944a69063 100644 --- a/keystone/common/policies/application_credential.py +++ b/keystone/common/policies/application_credential.py @@ -18,24 +18,31 @@ from keystone.common.policies import base collection_path = '/v3/users/{user_id}/application_credentials' resource_path = collection_path + '/{application_credential_id}' -deprecated_list_application_credentials_for_user = policy.DeprecatedRule( - name=base.IDENTITY % 'list_application_credentials', - check_str=base.RULE_ADMIN_OR_OWNER -) -deprecated_get_application_credentials_for_user = policy.DeprecatedRule( - name=base.IDENTITY % 'get_application_credentials', - check_str=base.RULE_ADMIN_OR_OWNER -) -deprecated_delete_application_credentials_for_user = policy.DeprecatedRule( - name=base.IDENTITY % 'delete_application_credentials', - check_str=base.RULE_ADMIN_OR_OWNER -) - DEPRECATED_REASON = ( "The application credential API is now aware of system scope and default " "roles." ) +deprecated_list_application_credentials_for_user = policy.DeprecatedRule( + name=base.IDENTITY % 'list_application_credentials', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_get_application_credentials_for_user = policy.DeprecatedRule( + name=base.IDENTITY % 'get_application_credentials', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_delete_application_credentials_for_user = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_application_credentials', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) + + application_credential_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_application_credential', 
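Review bot: The re-added `deprecated_get_application_credentials_for_user` rule is named `get_application_credentials` (plural), while the default it is attached to is registered as `get_application_credential`, visible at the end of this hunk; the delete rule looks like the same case, though its new name falls outside the hunk. As far as I know, oslo.policy treats a differing deprecated name as a rename and looks up operator overrides under the deprecated name, so if the pre-deprecation policy was in fact singular, that lookup never matches and the deprecation warning cites a rule that never existed. Since this commit already touches every `DeprecatedRule`, it is a good moment to confirm the old names and record the outcome in a comment such as `# old policy name was plural; kept so existing overrides still map`. The same plural/singular split appears in ec2_credential.py (`ec2_create_credentials` and `ec2_delete_credentials` against `ec2_create_credential` and `ec2_delete_credential`).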
@@ -46,9 +53,7 @@ application_credential_policies = [ 'method': 'GET'}, {'path': resource_path, 'method': 'HEAD'}], - deprecated_rule=deprecated_get_application_credentials_for_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_application_credentials_for_user), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_application_credentials', check_str=base.RULE_SYSTEM_READER_OR_OWNER, @@ -58,9 +63,7 @@ application_credential_policies = [ 'method': 'GET'}, {'path': collection_path, 'method': 'HEAD'}], - deprecated_rule=deprecated_list_application_credentials_for_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_application_credentials_for_user), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_application_credential', check_str=base.RULE_OWNER, @@ -75,9 +78,7 @@ application_credential_policies = [ description='Delete an application credential.', operations=[{'path': resource_path, 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_application_credentials_for_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN) + deprecated_rule=deprecated_delete_application_credentials_for_user) ] diff --git a/keystone/common/policies/consumer.py b/keystone/common/policies/consumer.py index bf9a6bdd7a..7931bf05b2 100644 --- a/keystone/common/policies/consumer.py +++ b/keystone/common/policies/consumer.py 
@@ -15,31 +15,42 @@ from oslo_policy import policy from keystone.common.policies import base -deprecated_get_consumer = policy.DeprecatedRule( - name=base.IDENTITY % 'get_consumer', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_list_consumers = policy.DeprecatedRule( - name=base.IDENTITY % 'list_consumers', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_create_consumer = policy.DeprecatedRule( - name=base.IDENTITY % 'create_consumer', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_update_consumer = policy.DeprecatedRule( - name=base.IDENTITY % 'update_consumer', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_delete_consumer = policy.DeprecatedRule( - name=base.IDENTITY % 'delete_consumer', - check_str=base.RULE_ADMIN_REQUIRED -) - DEPRECATED_REASON = ( "The OAUTH1 consumer API is now aware of system scope and default roles." ) +deprecated_get_consumer = policy.DeprecatedRule( + name=base.IDENTITY % 'get_consumer', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_list_consumers = policy.DeprecatedRule( + name=base.IDENTITY % 'list_consumers', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_create_consumer = policy.DeprecatedRule( + name=base.IDENTITY % 'create_consumer', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_update_consumer = policy.DeprecatedRule( + name=base.IDENTITY % 'update_consumer', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_delete_consumer = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_consumer', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) + + consumer_policies = [ 
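Review bot: Nothing next to these `DeprecatedRule` definitions says that the old `RULE_ADMIN_REQUIRED` check is still honoured at enforcement time. As far as I know, oslo.policy ORs a deprecated rule's `check_str` into the new default unless the operator overrides the rule or enables `enforce_new_defaults`, so the `SYSTEM_READER` and `SYSTEM_ADMIN` defaults in the later hunks of this file are not yet the effective boundary for the OAUTH1 consumer API. A short comment above the block would help anyone auditing access, for example `# Old defaults below stay OR'ed into the new ones until removed or enforce_new_defaults is set.` The same applies to the other policy modules in this commit, and with `deprecated_since` at Train or Stein it may be worth stating when these fallbacks are due to be dropped.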
policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_consumer', @@ -48,9 +59,7 @@ consumer_policies = [ description='Show OAUTH1 consumer details.', operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}', 'method': 'GET'}], - deprecated_rule=deprecated_get_consumer, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_consumer), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_consumers', check_str=base.SYSTEM_READER, @@ -58,9 +67,7 @@ consumer_policies = [ description='List OAUTH1 consumers.', operations=[{'path': '/v3/OS-OAUTH1/consumers', 'method': 'GET'}], - deprecated_rule=deprecated_list_consumers, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_consumers), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_consumer', check_str=base.SYSTEM_ADMIN, @@ -68,9 +75,7 @@ consumer_policies = [ description='Create OAUTH1 consumer.', operations=[{'path': '/v3/OS-OAUTH1/consumers', 'method': 'POST'}], - deprecated_rule=deprecated_create_consumer, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_create_consumer), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_consumer', check_str=base.SYSTEM_ADMIN, @@ -78,9 +83,7 @@ consumer_policies = [ description='Update OAUTH1 consumer.', operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_consumer, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_update_consumer), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_consumer', check_str=base.SYSTEM_ADMIN, 
@@ -88,9 +91,7 @@ consumer_policies = [ description='Delete OAUTH1 consumer.', operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_consumer, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_delete_consumer), ] diff --git a/keystone/common/policies/credential.py b/keystone/common/policies/credential.py index 52a9fa808a..675e31875f 100644 --- a/keystone/common/policies/credential.py +++ b/keystone/common/policies/credential.py @@ -21,23 +21,33 @@ DEPRECATED_REASON = ( deprecated_get_credential = policy.DeprecatedRule( name=base.IDENTITY % 'get_credential', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_list_credentials = policy.DeprecatedRule( name=base.IDENTITY % 'list_credentials', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_create_credential = policy.DeprecatedRule( name=base.IDENTITY % 'create_credential', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_update_credential = policy.DeprecatedRule( name=base.IDENTITY % 'update_credential', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_delete_credential = policy.DeprecatedRule( name=base.IDENTITY % 'delete_credential', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) 
@@ -50,8 +60,6 @@ credential_policies = [ operations=[{'path': '/v3/credentials/{credential_id}', 'method': 'GET'}], deprecated_rule=deprecated_get_credential, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_credentials', @@ -61,8 +69,6 @@ credential_policies = [ operations=[{'path': '/v3/credentials', 'method': 'GET'}], deprecated_rule=deprecated_list_credentials, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_credential', @@ -72,8 +78,6 @@ credential_policies = [ operations=[{'path': '/v3/credentials', 'method': 'POST'}], deprecated_rule=deprecated_create_credential, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_credential', @@ -83,8 +87,6 @@ credential_policies = [ operations=[{'path': '/v3/credentials/{credential_id}', 'method': 'PATCH'}], deprecated_rule=deprecated_update_credential, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_credential', @@ -94,8 +96,6 @@ credential_policies = [ operations=[{'path': '/v3/credentials/{credential_id}', 'method': 'DELETE'}], deprecated_rule=deprecated_delete_credential, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ) ] diff --git a/keystone/common/policies/domain.py b/keystone/common/policies/domain.py index 7d3e3d788e..cd743ee90a 100644 --- a/keystone/common/policies/domain.py +++ b/keystone/common/policies/domain.py 
@@ -21,23 +21,33 @@ DEPRECATED_REASON = ( deprecated_list_domains = policy.DeprecatedRule( name=base.IDENTITY % 'list_domains', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_get_domain = policy.DeprecatedRule( name=base.IDENTITY % 'get_domain', - check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN + check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_update_domain = policy.DeprecatedRule( name=base.IDENTITY % 'update_domain', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_create_domain = policy.DeprecatedRule( name=base.IDENTITY % 'create_domain', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_delete_domain = policy.DeprecatedRule( name=base.IDENTITY % 'delete_domain', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER = ( '(role:reader and system_scope:all) or ' @@ -56,9 +66,7 @@ domain_policies = [ description='Show domain details.', operations=[{'path': '/v3/domains/{domain_id}', 'method': 'GET'}], - deprecated_rule=deprecated_get_domain, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_get_domain), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_domains', check_str=base.SYSTEM_READER, 
@@ -66,9 +74,7 @@ domain_policies = [ description='List domains.', operations=[{'path': '/v3/domains', 'method': 'GET'}], - deprecated_rule=deprecated_list_domains, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_domains), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_domain', check_str=base.SYSTEM_ADMIN, @@ -76,9 +82,7 @@ domain_policies = [ description='Create domain.', operations=[{'path': '/v3/domains', 'method': 'POST'}], - deprecated_rule=deprecated_create_domain, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_domain), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_domain', check_str=base.SYSTEM_ADMIN, @@ -86,9 +90,7 @@ domain_policies = [ description='Update domain.', operations=[{'path': '/v3/domains/{domain_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_domain, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_domain), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_domain', check_str=base.SYSTEM_ADMIN, @@ -96,9 +98,7 @@ domain_policies = [ description='Delete domain.', operations=[{'path': '/v3/domains/{domain_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_domain, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_delete_domain), ] diff --git a/keystone/common/policies/domain_config.py b/keystone/common/policies/domain_config.py index f18616becc..b1c8fdab5f 100644 --- a/keystone/common/policies/domain_config.py +++ b/keystone/common/policies/domain_config.py 
@@ -15,36 +15,46 @@ from oslo_policy import policy from keystone.common.policies import base +DEPRECATED_REASON = ( + "The domain config API is now aware of system scope and default roles." +) + deprecated_get_domain_config = policy.DeprecatedRule( name=base.IDENTITY % 'get_domain_config', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_get_domain_config_default = policy.DeprecatedRule( name=base.IDENTITY % 'get_domain_config_default', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_create_domain_config = policy.DeprecatedRule( name=base.IDENTITY % 'create_domain_config', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_update_domain_config = policy.DeprecatedRule( name=base.IDENTITY % 'update_domain_config', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_delete_domain_config = policy.DeprecatedRule( name=base.IDENTITY % 'delete_domain_config', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) -DEPRECATED_REASON = ( - "The domain config API is now aware of system scope and default roles." -) - domain_config_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_domain_config', @@ -65,9 +75,7 @@ domain_config_policies = [ 'method': 'PUT' } ], - deprecated_rule=deprecated_create_domain_config, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN + deprecated_rule=deprecated_create_domain_config ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_domain_config', 
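Review bot: Trailing-comma style is now mixed inside this file. The added `deprecated_since=versionutils.deprecated.TRAIN` lines close each `DeprecatedRule` call without a comma, although the last argument before the change (`check_str=base.RULE_ADMIN_REQUIRED,`) carried one. The `create_domain_config` entry was also rewritten to `deprecated_rule=deprecated_create_domain_config`, while the later entries keep `deprecated_rule=deprecated_get_domain_config,`. Writing `deprecated_since=versionutils.deprecated.TRAIN,` and keeping the comma after `deprecated_rule=...` would make the next keyword addition a one-line diff; ec2_credential.py shows the same mix.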
@@ -103,8 +111,6 @@ domain_config_policies = [ } ], deprecated_rule=deprecated_get_domain_config, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_security_compliance_domain_config', @@ -156,8 +162,6 @@ domain_config_policies = [ } ], deprecated_rule=deprecated_update_domain_config, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_domain_config', @@ -180,8 +184,6 @@ domain_config_policies = [ } ], deprecated_rule=deprecated_delete_domain_config, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_domain_config_default', @@ -216,8 +218,6 @@ domain_config_policies = [ } ], deprecated_rule=deprecated_get_domain_config_default, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ) ] diff --git a/keystone/common/policies/ec2_credential.py b/keystone/common/policies/ec2_credential.py index 25e65b532b..a210ee917e 100644 --- a/keystone/common/policies/ec2_credential.py +++ b/keystone/common/policies/ec2_credential.py 
@@ -15,27 +15,36 @@ from oslo_policy import policy from keystone.common.policies import base -deprecated_ec2_get_credential = policy.DeprecatedRule( - name=base.IDENTITY % 'ec2_get_credential', - check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER -) -deprecated_ec2_list_credentials = policy.DeprecatedRule( - name=base.IDENTITY % 'ec2_list_credentials', - check_str=base.RULE_ADMIN_OR_OWNER -) -deprecated_ec2_create_credentials = policy.DeprecatedRule( - name=base.IDENTITY % 'ec2_create_credentials', - check_str=base.RULE_ADMIN_OR_OWNER -) -deprecated_ec2_delete_credentials = policy.DeprecatedRule( - name=base.IDENTITY % 'ec2_delete_credentials', - check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER -) - DEPRECATED_REASON = ( "The EC2 credential API is now aware of system scope and default roles." ) +deprecated_ec2_get_credential = policy.DeprecatedRule( + name=base.IDENTITY % 'ec2_get_credential', + check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_ec2_list_credentials = policy.DeprecatedRule( + name=base.IDENTITY % 'ec2_list_credentials', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_ec2_create_credentials = policy.DeprecatedRule( + name=base.IDENTITY % 'ec2_create_credentials', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_ec2_delete_credentials = policy.DeprecatedRule( + name=base.IDENTITY % 'ec2_delete_credentials', + check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) + + ec2_credential_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'ec2_get_credential', 
@@ -45,9 +54,7 @@ ec2_credential_policies = [ operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/' '{credential_id}'), 'method': 'GET'}], - deprecated_rule=deprecated_ec2_get_credential, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN + deprecated_rule=deprecated_ec2_get_credential ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'ec2_list_credentials', @@ -57,8 +64,6 @@ ec2_credential_policies = [ operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2', 'method': 'GET'}], deprecated_rule=deprecated_ec2_list_credentials, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'ec2_create_credential', @@ -68,8 +73,6 @@ ec2_credential_policies = [ operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2', 'method': 'POST'}], deprecated_rule=deprecated_ec2_create_credentials, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'ec2_delete_credential', @@ -80,8 +83,6 @@ ec2_credential_policies = [ '{credential_id}'), 'method': 'DELETE'}], deprecated_rule=deprecated_ec2_delete_credentials, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ) ] diff --git a/keystone/common/policies/endpoint.py b/keystone/common/policies/endpoint.py index b99a40e24c..78582496f6 100644 --- a/keystone/common/policies/endpoint.py +++ b/keystone/common/policies/endpoint.py 
@@ -15,24 +15,34 @@ from oslo_policy import policy from keystone.common.policies import base +DEPRECATED_REASON = ( + "The endpoint API is now aware of system scope and default roles." +) + deprecated_get_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'get_endpoint', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_list_endpoints = policy.DeprecatedRule( name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_update_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_create_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_delete_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED, -) - -DEPRECATED_REASON = ( - "The endpoint API is now aware of system scope and default roles." + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) @@ -44,9 +54,7 @@ endpoint_policies = [ description='Show endpoint details.', operations=[{'path': '/v3/endpoints/{endpoint_id}', 'method': 'GET'}], - deprecated_rule=deprecated_get_endpoint, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_get_endpoint), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoints', check_str=base.SYSTEM_READER, 
@@ -54,9 +62,7 @@ endpoint_policies = [ description='List endpoints.', operations=[{'path': '/v3/endpoints', 'method': 'GET'}], - deprecated_rule=deprecated_list_endpoints, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_endpoints), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_endpoint', check_str=base.SYSTEM_ADMIN, @@ -64,9 +70,7 @@ endpoint_policies = [ description='Create endpoint.', operations=[{'path': '/v3/endpoints', 'method': 'POST'}], - deprecated_rule=deprecated_create_endpoint, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_endpoint), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_endpoint', check_str=base.SYSTEM_ADMIN, @@ -74,9 +78,7 @@ endpoint_policies = [ description='Update endpoint.', operations=[{'path': '/v3/endpoints/{endpoint_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_endpoint, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_endpoint), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_endpoint', check_str=base.SYSTEM_ADMIN, @@ -84,9 +86,7 @@ endpoint_policies = [ description='Delete endpoint.', operations=[{'path': '/v3/endpoints/{endpoint_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_endpoint, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN) + deprecated_rule=deprecated_delete_endpoint) ] diff --git a/keystone/common/policies/endpoint_group.py b/keystone/common/policies/endpoint_group.py index 691a6fe282..741e0b7caf 100644 --- a/keystone/common/policies/endpoint_group.py +++ b/keystone/common/policies/endpoint_group.py 
@@ -15,64 +15,85 @@ from oslo_policy import policy from keystone.common.policies import base +DEPRECATED_REASON = ( + "The endpoint groups API is now aware of system scope and default roles." +) + deprecated_list_endpoint_groups = policy.DeprecatedRule( name=base.IDENTITY % 'list_endpoint_groups', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_get_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 'get_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 'list_projects_associated_with_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_get_endpoint_group_in_project = policy.DeprecatedRule( name=base.IDENTITY % 'get_endpoint_group_in_project', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule( name=base.IDENTITY % 'list_endpoint_groups_for_project', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_create_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 'create_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_update_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 
'update_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_delete_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 'delete_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_add_endpoint_group_to_project = policy.DeprecatedRule( name=base.IDENTITY % 'add_endpoint_group_to_project', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule( name=base.IDENTITY % 'remove_endpoint_group_from_project', check_str=base.RULE_ADMIN_REQUIRED, -) - - -DEPRECATED_REASON = ( - "The endpoint groups API is now aware of system scope and default roles." + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) @@ -84,9 +105,7 @@ group_endpoint_policies = [ description='Create endpoint group.', operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups', 'method': 'POST'}], - deprecated_rule=deprecated_create_endpoint_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_create_endpoint_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoint_groups', check_str=base.SYSTEM_READER, @@ -94,9 +113,7 @@ group_endpoint_policies = [ description='List endpoint groups.', operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups', 'method': 'GET'}], - deprecated_rule=deprecated_list_endpoint_groups, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_endpoint_groups), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_endpoint_group', check_str=base.SYSTEM_READER, 
@@ -108,9 +125,7 @@ group_endpoint_policies = [ {'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}'), 'method': 'HEAD'}], - deprecated_rule=deprecated_get_endpoint_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_endpoint_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_endpoint_group', check_str=base.SYSTEM_ADMIN, @@ -119,9 +134,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}'), 'method': 'PATCH'}], - deprecated_rule=deprecated_update_endpoint_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_update_endpoint_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_endpoint_group', check_str=base.SYSTEM_ADMIN, @@ -130,9 +143,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}'), 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_endpoint_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_delete_endpoint_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_projects_associated_with_endpoint_group', check_str=base.SYSTEM_READER, @@ -142,9 +153,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/projects'), 'method': 'GET'}], - deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group', check_str=base.SYSTEM_READER, 
@@ -153,9 +162,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/endpoints'), 'method': 'GET'}], - deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_endpoint_group_in_project', check_str=base.SYSTEM_READER, @@ -168,9 +175,7 @@ group_endpoint_policies = [ {'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/projects/{project_id}'), 'method': 'HEAD'}], - deprecated_rule=deprecated_get_endpoint_group_in_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_endpoint_group_in_project), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoint_groups_for_project', check_str=base.SYSTEM_READER, @@ -179,9 +184,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' 'endpoint_groups'), 'method': 'GET'}], - deprecated_rule=deprecated_list_endpoint_groups_for_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_endpoint_groups_for_project), policy.DocumentedRuleDefault( name=base.IDENTITY % 'add_endpoint_group_to_project', check_str=base.SYSTEM_ADMIN, @@ -190,9 +193,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/projects/{project_id}'), 'method': 'PUT'}], - deprecated_rule=deprecated_add_endpoint_group_to_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_add_endpoint_group_to_project), policy.DocumentedRuleDefault( name=base.IDENTITY % 'remove_endpoint_group_from_project', check_str=base.SYSTEM_ADMIN, 
@@ -201,9 +202,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/projects/{project_id}'), 'method': 'DELETE'}], - deprecated_rule=deprecated_remove_endpoint_group_from_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN) + deprecated_rule=deprecated_remove_endpoint_group_from_project) ] diff --git a/keystone/common/policies/grant.py b/keystone/common/policies/grant.py index 09ef1c983d..0e1b92876e 100644 --- a/keystone/common/policies/grant.py +++ b/keystone/common/policies/grant.py 
@@ -66,55 +66,80 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = ( '(' + DOMAIN_MATCHES_ROLE + ')' ) -deprecated_check_system_grant_for_user = policy.DeprecatedRule( - name=base.IDENTITY % 'check_system_grant_for_user', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_list_system_grants_for_user = policy.DeprecatedRule( - name=base.IDENTITY % 'list_system_grants_for_user', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_create_system_grant_for_user = policy.DeprecatedRule( - name=base.IDENTITY % 'create_system_grant_for_user', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_revoke_system_grant_for_user = policy.DeprecatedRule( - name=base.IDENTITY % 'revoke_system_grant_for_user', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_check_system_grant_for_group = policy.DeprecatedRule( - name=base.IDENTITY % 'check_system_grant_for_group', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_list_system_grants_for_group = policy.DeprecatedRule( - name=base.IDENTITY % 'list_system_grants_for_group', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_create_system_grant_for_group = policy.DeprecatedRule( - name=base.IDENTITY % 'create_system_grant_for_group', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_revoke_system_grant_for_group = policy.DeprecatedRule( - name=base.IDENTITY % 'revoke_system_grant_for_group', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_list_grants = policy.DeprecatedRule( - name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_check_grant = policy.DeprecatedRule( - name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_create_grant = policy.DeprecatedRule( - name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_revoke_grant = policy.DeprecatedRule( - name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED -) - DEPRECATED_REASON = ( "The assignment API is now aware of system scope and default roles." 
) +deprecated_check_system_grant_for_user = policy.DeprecatedRule( + name=base.IDENTITY % 'check_system_grant_for_user', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_list_system_grants_for_user = policy.DeprecatedRule( + name=base.IDENTITY % 'list_system_grants_for_user', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_create_system_grant_for_user = policy.DeprecatedRule( + name=base.IDENTITY % 'create_system_grant_for_user', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_revoke_system_grant_for_user = policy.DeprecatedRule( + name=base.IDENTITY % 'revoke_system_grant_for_user', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_check_system_grant_for_group = policy.DeprecatedRule( + name=base.IDENTITY % 'check_system_grant_for_group', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_list_system_grants_for_group = policy.DeprecatedRule( + name=base.IDENTITY % 'list_system_grants_for_group', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_create_system_grant_for_group = policy.DeprecatedRule( + name=base.IDENTITY % 'create_system_grant_for_group', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_revoke_system_grant_for_group = policy.DeprecatedRule( + name=base.IDENTITY % 'revoke_system_grant_for_group', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN 
+) +deprecated_list_grants = policy.DeprecatedRule( + name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_check_grant = policy.DeprecatedRule( + name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_create_grant = policy.DeprecatedRule( + name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_revoke_grant = policy.DeprecatedRule( + name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) + + resource_paths = [ '/projects/{project_id}/users/{user_id}/roles/{role_id}', '/projects/{project_id}/groups/{group_id}/roles/{role_id}', @@ -167,9 +192,7 @@ grant_policies = [ 'are inherited to all projects in the subtree, if ' 'applicable.'), operations=list_operations(resource_paths, ['HEAD', 'GET']), - deprecated_rule=deprecated_check_grant, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_check_grant), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_grants', check_str=SYSTEM_READER_OR_DOMAIN_READER_LIST, @@ -181,9 +204,7 @@ grant_policies = [ 'domains, where grants are inherited to all projects ' 'in the specified domain.'), operations=list_grants_operations, - deprecated_rule=deprecated_list_grants, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_grants), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_grant', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, 
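Review bot: The twelve `policy.DeprecatedRule` definitions added at the top of grant.py keep `check_str=base.RULE_ADMIN_REQUIRED`, with no comment on what that means for enforcement while the deprecation lasts. As far as I know, oslo.policy ORs a deprecated rule's check string with the new default until the operator sets `[oslo_policy] enforce_new_defaults`, so the scoped defaults such as `SYSTEM_ADMIN_OR_DOMAIN_ADMIN` on `create_grant` and `revoke_grant` are presumably not the only check that passes. I would add a comment above the block, e.g. `# NOTE: the legacy check_str stays accepted next to the scoped default until enforce_new_defaults is enabled.` The same applies to the DeprecatedRule blocks in group.py, identity_provider.py, implied_role.py, mapping.py, policy.py and policy_association.py.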
@@ -195,9 +216,7 @@ grant_policies = [ 'are inherited to all projects in the subtree, if ' 'applicable.'), operations=list_operations(resource_paths, ['PUT']), - deprecated_rule=deprecated_create_grant, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_grant), policy.DocumentedRuleDefault( name=base.IDENTITY % 'revoke_grant', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, @@ -211,9 +230,7 @@ grant_policies = [ 'the target would remove the logical effect of ' 'inheriting it to the target\'s projects subtree.'), operations=list_operations(resource_paths, ['DELETE']), - deprecated_rule=deprecated_revoke_grant, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_revoke_grant), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_system_grants_for_user', check_str=base.SYSTEM_READER, @@ -226,8 +243,6 @@ grant_policies = [ } ], deprecated_rule=deprecated_list_system_grants_for_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'check_system_grant_for_user', @@ -241,8 +256,6 @@ grant_policies = [ } ], deprecated_rule=deprecated_check_system_grant_for_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_system_grant_for_user', @@ -256,8 +269,6 @@ grant_policies = [ } ], deprecated_rule=deprecated_create_system_grant_for_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'revoke_system_grant_for_user', 
@@ -271,8 +282,6 @@ grant_policies = [ } ], deprecated_rule=deprecated_revoke_system_grant_for_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_system_grants_for_group', @@ -286,8 +295,6 @@ grant_policies = [ } ], deprecated_rule=deprecated_list_system_grants_for_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'check_system_grant_for_group', @@ -301,8 +308,6 @@ grant_policies = [ } ], deprecated_rule=deprecated_check_system_grant_for_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_system_grant_for_group', @@ -316,8 +321,6 @@ grant_policies = [ } ], deprecated_rule=deprecated_create_system_grant_for_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'revoke_system_grant_for_group', @@ -331,8 +334,6 @@ grant_policies = [ } ], deprecated_rule=deprecated_revoke_system_grant_for_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ) ] diff --git a/keystone/common/policies/group.py b/keystone/common/policies/group.py index d33da92892..0106bad6f7 100644 --- a/keystone/common/policies/group.py +++ b/keystone/common/policies/group.py 
@@ -51,43 +51,63 @@ DEPRECATED_REASON = ( deprecated_get_group = policy.DeprecatedRule( name=base.IDENTITY % 'get_group', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_list_groups = policy.DeprecatedRule( name=base.IDENTITY % 'list_groups', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_list_groups_for_user = policy.DeprecatedRule( name=base.IDENTITY % 'list_groups_for_user', - check_str=base.RULE_ADMIN_OR_OWNER + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_list_users_in_group = policy.DeprecatedRule( name=base.IDENTITY % 'list_users_in_group', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_check_user_in_group = policy.DeprecatedRule( name=base.IDENTITY % 'check_user_in_group', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_create_group = policy.DeprecatedRule( name=base.IDENTITY % 'create_group', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_update_group = policy.DeprecatedRule( name=base.IDENTITY % 'update_group', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_delete_group = policy.DeprecatedRule( name=base.IDENTITY % 'delete_group', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + 
deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_remove_user_from_group = policy.DeprecatedRule( name=base.IDENTITY % 'remove_user_from_group', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_add_user_to_group = policy.DeprecatedRule( name=base.IDENTITY % 'add_user_to_group', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) group_policies = [ @@ -100,9 +120,7 @@ group_policies = [ 'method': 'GET'}, {'path': '/v3/groups/{group_id}', 'method': 'HEAD'}], - deprecated_rule=deprecated_get_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_get_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_groups', check_str=SYSTEM_READER_OR_DOMAIN_READER, @@ -112,9 +130,7 @@ group_policies = [ 'method': 'GET'}, {'path': '/v3/groups', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_groups, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_groups), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_groups_for_user', check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER, @@ -124,9 +140,7 @@ group_policies = [ 'method': 'GET'}, {'path': '/v3/users/{user_id}/groups', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_groups_for_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_groups_for_user), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_group', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, 
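Review bot: Every one of the ten `policy.DeprecatedRule` calls in this group.py hunk now repeats the same `deprecated_reason=DEPRECATED_REASON` and `deprecated_since=versionutils.deprecated.STEIN` pair, so a later change to either value has to touch ten places that must stay in step. A module-local helper would state the pair once, e.g. `_deprecated = functools.partial(policy.DeprecatedRule, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.STEIN)`, followed by `deprecated_get_group = _deprecated(name=base.IDENTITY % 'get_group', check_str=base.RULE_ADMIN_REQUIRED)`. That needs `import functools`, and the file's import block is outside this hunk.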
@@ -134,9 +148,7 @@ group_policies = [ description='Create group.', operations=[{'path': '/v3/groups', 'method': 'POST'}], - deprecated_rule=deprecated_create_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_group', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, @@ -144,9 +156,7 @@ group_policies = [ description='Update group.', operations=[{'path': '/v3/groups/{group_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_group', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, @@ -154,9 +164,7 @@ group_policies = [ description='Delete group.', operations=[{'path': '/v3/groups/{group_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_delete_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_users_in_group', check_str=SYSTEM_READER_OR_DOMAIN_READER, @@ -166,9 +174,7 @@ group_policies = [ 'method': 'GET'}, {'path': '/v3/groups/{group_id}/users', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_users_in_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_users_in_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'remove_user_from_group', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER, 
@@ -176,9 +182,7 @@ group_policies = [ description='Remove user from group.', operations=[{'path': '/v3/groups/{group_id}/users/{user_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_remove_user_from_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_remove_user_from_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'check_user_in_group', check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER, @@ -188,9 +192,7 @@ group_policies = [ 'method': 'HEAD'}, {'path': '/v3/groups/{group_id}/users/{user_id}', 'method': 'GET'}], - deprecated_rule=deprecated_check_user_in_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_check_user_in_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'add_user_to_group', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER, @@ -198,9 +200,7 @@ group_policies = [ description='Add user to group.', operations=[{'path': '/v3/groups/{group_id}/users/{user_id}', 'method': 'PUT'}], - deprecated_rule=deprecated_add_user_to_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN) + deprecated_rule=deprecated_add_user_to_group) ] diff --git a/keystone/common/policies/identity_provider.py b/keystone/common/policies/identity_provider.py index 2236d2aeac..c53d2a3af0 100644 --- a/keystone/common/policies/identity_provider.py +++ b/keystone/common/policies/identity_provider.py 
@@ -15,31 +15,42 @@ from oslo_policy import policy from keystone.common.policies import base -deprecated_get_idp = policy.DeprecatedRule( - name=base.IDENTITY % 'get_identity_providers', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_list_idp = policy.DeprecatedRule( - name=base.IDENTITY % 'list_identity_providers', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_update_idp = policy.DeprecatedRule( - name=base.IDENTITY % 'update_identity_providers', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_create_idp = policy.DeprecatedRule( - name=base.IDENTITY % 'create_identity_providers', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_delete_idp = policy.DeprecatedRule( - name=base.IDENTITY % 'delete_identity_providers', - check_str=base.RULE_ADMIN_REQUIRED -) - DEPRECATED_REASON = ( "The identity provider API is now aware of system scope and default roles." ) +deprecated_get_idp = policy.DeprecatedRule( + name=base.IDENTITY % 'get_identity_providers', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_list_idp = policy.DeprecatedRule( + name=base.IDENTITY % 'list_identity_providers', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_update_idp = policy.DeprecatedRule( + name=base.IDENTITY % 'update_identity_providers', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_create_idp = policy.DeprecatedRule( + name=base.IDENTITY % 'create_identity_providers', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_delete_idp = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_identity_providers', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + 
deprecated_since=versionutils.deprecated.STEIN +) + + identity_provider_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_identity_provider', @@ -54,9 +65,7 @@ identity_provider_policies = [ description='Create identity provider.', operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}', 'method': 'PUT'}], - deprecated_rule=deprecated_create_idp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_idp), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_identity_providers', check_str=base.SYSTEM_READER, @@ -73,8 +82,6 @@ identity_provider_policies = [ } ], deprecated_rule=deprecated_list_idp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_identity_provider', @@ -92,8 +99,6 @@ identity_provider_policies = [ } ], deprecated_rule=deprecated_get_idp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_identity_provider', @@ -102,9 +107,7 @@ identity_provider_policies = [ description='Update identity provider.', operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_idp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_idp), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_identity_provider', check_str=base.SYSTEM_ADMIN, @@ -112,9 +115,7 @@ identity_provider_policies = [ description='Delete identity provider.', operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_idp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_delete_idp), ] 
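Review bot: Four of the five deprecated rules moved in the first identity_provider.py hunk carry plural names (`get_identity_providers`, `update_identity_providers`, `create_identity_providers`, `delete_identity_providers`), while the policies they are attached to further down are singular (`get_identity_provider`, `update_identity_provider`, `create_identity_provider`, `delete_identity_provider`). The commit carries the names over unchanged, but they are worth confirming now that the reason and version live on the same object. As I understand oslo.policy, a deprecated name that differs from the current one is handled as a rename, so operator overrides would be looked up under the plural name. If the plural forms were never shipped, the names should match the policy, e.g. `name=base.IDENTITY % 'create_identity_provider',`; if one was shipped, a comment saying which release used it would help.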
diff --git a/keystone/common/policies/implied_role.py b/keystone/common/policies/implied_role.py index 6d164b0350..01bcc009b3 100644 --- a/keystone/common/policies/implied_role.py +++ b/keystone/common/policies/implied_role.py @@ -15,33 +15,45 @@ from oslo_policy import policy from keystone.common.policies import base +DEPRECATED_REASON = ( + "The implied role API is now aware of system scope and default roles." +) + deprecated_get_implied_role = policy.DeprecatedRule( name=base.IDENTITY % 'get_implied_role', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_list_implied_roles = policy.DeprecatedRule( name=base.IDENTITY % 'list_implied_roles', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_list_role_inference_rules = policy.DeprecatedRule( name=base.IDENTITY % 'list_role_inference_rules', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_check_implied_role = policy.DeprecatedRule( name=base.IDENTITY % 'check_implied_role', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_create_implied_role = policy.DeprecatedRule( name=base.IDENTITY % 'create_implied_role', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_delete_implied_role = policy.DeprecatedRule( name=base.IDENTITY % 'delete_implied_role', check_str=base.RULE_ADMIN_REQUIRED, -) - -DEPRECATED_REASON = ( - "The implied role API is now aware of system scope and default roles." + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) 
@@ -61,9 +73,7 @@ implied_role_policies = [ operations=[ {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}', 'method': 'GET'}], - deprecated_rule=deprecated_get_implied_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_implied_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_implied_roles', check_str=base.SYSTEM_READER, @@ -77,9 +87,7 @@ implied_role_policies = [ operations=[ {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'GET'}, {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_implied_roles, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_implied_roles), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_implied_role', check_str=base.SYSTEM_ADMIN, @@ -91,9 +99,7 @@ implied_role_policies = [ operations=[ {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}', 'method': 'PUT'}], - deprecated_rule=deprecated_create_implied_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_create_implied_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_implied_role', check_str=base.SYSTEM_ADMIN, @@ -106,9 +112,7 @@ implied_role_policies = [ operations=[ {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_implied_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_delete_implied_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_role_inference_rules', check_str=base.SYSTEM_READER, 
@@ -120,9 +124,7 @@ implied_role_policies = [ operations=[ {'path': '/v3/role_inferences', 'method': 'GET'}, {'path': '/v3/role_inferences', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_role_inference_rules, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_role_inference_rules), policy.DocumentedRuleDefault( name=base.IDENTITY % 'check_implied_role', check_str=base.SYSTEM_READER, @@ -134,9 +136,7 @@ implied_role_policies = [ operations=[ {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}', 'method': 'HEAD'}], - deprecated_rule=deprecated_check_implied_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_check_implied_role), ] diff --git a/keystone/common/policies/mapping.py b/keystone/common/policies/mapping.py index 498bc7c842..6c4f0de673 100644 --- a/keystone/common/policies/mapping.py +++ b/keystone/common/policies/mapping.py 
@@ -15,31 +15,42 @@ from oslo_policy import policy from keystone.common.policies import base -deprecated_get_mapping = policy.DeprecatedRule( - name=base.IDENTITY % 'get_mapping', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_list_mappings = policy.DeprecatedRule( - name=base.IDENTITY % 'list_mappings', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_update_mapping = policy.DeprecatedRule( - name=base.IDENTITY % 'update_mapping', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_create_mapping = policy.DeprecatedRule( - name=base.IDENTITY % 'create_mapping', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_delete_mapping = policy.DeprecatedRule( - name=base.IDENTITY % 'delete_mapping', - check_str=base.RULE_ADMIN_REQUIRED -) - DEPRECATED_REASON = ( "The federated mapping API is now aware of system scope and default roles." ) +deprecated_get_mapping = policy.DeprecatedRule( + name=base.IDENTITY % 'get_mapping', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_list_mappings = policy.DeprecatedRule( + name=base.IDENTITY % 'list_mappings', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_update_mapping = policy.DeprecatedRule( + name=base.IDENTITY % 'update_mapping', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_create_mapping = policy.DeprecatedRule( + name=base.IDENTITY % 'create_mapping', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_delete_mapping = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_mapping', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) + + mapping_policies = [ 
policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_mapping', @@ -55,9 +66,7 @@ mapping_policies = [ 'more sets of rules.'), operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}', 'method': 'PUT'}], - deprecated_rule=deprecated_create_mapping, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_mapping), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_mapping', check_str=base.SYSTEM_READER, @@ -73,9 +82,7 @@ mapping_policies = [ 'method': 'HEAD' } ], - deprecated_rule=deprecated_get_mapping, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN + deprecated_rule=deprecated_get_mapping ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_mappings', @@ -93,8 +100,6 @@ mapping_policies = [ } ], deprecated_rule=deprecated_list_mappings, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_mapping', @@ -103,9 +108,7 @@ mapping_policies = [ description='Delete a federated mapping.', operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_mapping, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_delete_mapping), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_mapping', check_str=base.SYSTEM_ADMIN, @@ -113,9 +116,7 @@ mapping_policies = [ description='Update a federated mapping.', operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_mapping, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN) + deprecated_rule=deprecated_update_mapping) ] diff --git a/keystone/common/policies/policy.py b/keystone/common/policies/policy.py index 4c912f33cf..502fa9de07 100644 
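Review bot: The `get_mapping` hunk (`@@ -73,9 +82,7 @@`) leaves `deprecated_rule=deprecated_get_mapping` without a trailing comma before the closing parenthesis on its own line, while the `list_mappings` entry right after it keeps `deprecated_rule=deprecated_list_mappings,`. Both forms are valid, but with mixed styles in one list, adding the next keyword argument is a two-line diff in one entry and a one-line diff in the other. I would write `deprecated_rule=deprecated_get_mapping,` to match.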
--- a/keystone/common/policies/policy.py +++ b/keystone/common/policies/policy.py @@ -15,33 +15,43 @@ from oslo_policy import policy from keystone.common.policies import base +DEPRECATED_REASON = ( + "The policy API is now aware of system scope and default roles." +) + deprecated_get_policy = policy.DeprecatedRule( name=base.IDENTITY % 'get_policy', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_list_policies = policy.DeprecatedRule( name=base.IDENTITY % 'list_policies', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_update_policy = policy.DeprecatedRule( name=base.IDENTITY % 'update_policy', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_create_policy = policy.DeprecatedRule( name=base.IDENTITY % 'create_policy', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_delete_policy = policy.DeprecatedRule( name=base.IDENTITY % 'delete_policy', check_str=base.RULE_ADMIN_REQUIRED, -) - -DEPRECATED_REASON = ( - "The policy API is now aware of system scope and default roles." + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) @@ -55,9 +65,7 @@ policy_policies = [ description='Show policy details.', operations=[{'path': '/v3/policies/{policy_id}', 'method': 'GET'}], - deprecated_rule=deprecated_get_policy, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_policy), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_policies', check_str=base.SYSTEM_READER, 
@@ -65,9 +73,7 @@ policy_policies = [ description='List policies.', operations=[{'path': '/v3/policies', 'method': 'GET'}], - deprecated_rule=deprecated_list_policies, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_policies), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_policy', check_str=base.SYSTEM_ADMIN, @@ -75,9 +81,7 @@ policy_policies = [ description='Create policy.', operations=[{'path': '/v3/policies', 'method': 'POST'}], - deprecated_rule=deprecated_create_policy, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_create_policy), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_policy', check_str=base.SYSTEM_ADMIN, @@ -85,9 +89,7 @@ policy_policies = [ description='Update policy.', operations=[{'path': '/v3/policies/{policy_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_policy, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_update_policy), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_policy', check_str=base.SYSTEM_ADMIN, @@ -95,9 +97,7 @@ policy_policies = [ description='Delete policy.', operations=[{'path': '/v3/policies/{policy_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_policy, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN) + deprecated_rule=deprecated_delete_policy) ] diff --git a/keystone/common/policies/policy_association.py b/keystone/common/policies/policy_association.py index af5790058e..1cf6f86ec3 100644 --- a/keystone/common/policies/policy_association.py +++ b/keystone/common/policies/policy_association.py 
@@ -19,65 +19,88 @@ from keystone.common.policies import base # System-scoped tokens should be required to manage policy associations to # existing system-level resources. +DEPRECATED_REASON = ( + "The policy association API is now aware of system scope and default " + "roles." +) + deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'check_policy_association_for_endpoint', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_check_policy_assoc_for_service = policy.DeprecatedRule( name=base.IDENTITY % 'check_policy_association_for_service', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule( name=base.IDENTITY % 'check_policy_association_for_region_and_service', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_get_policy_for_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'get_policy_for_endpoint', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_list_endpoints_for_policy = policy.DeprecatedRule( name=base.IDENTITY % 'list_endpoints_for_policy', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'create_policy_association_for_endpoint', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'delete_policy_association_for_endpoint', check_str=base.RULE_ADMIN_REQUIRED, + 
deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_create_policy_assoc_for_service = policy.DeprecatedRule( name=base.IDENTITY % 'create_policy_association_for_service', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule( name=base.IDENTITY % 'delete_policy_association_for_service', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule( name=base.IDENTITY % 'create_policy_association_for_region_and_service', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule( name=base.IDENTITY % 'delete_policy_association_for_region_and_service', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) -DEPRECATED_REASON = ( - "The policy association API is now aware of system scope and default " - "roles." -) policy_association_policies = [ policy.DocumentedRuleDefault( @@ -88,9 +111,7 @@ policy_association_policies = [ operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'endpoints/{endpoint_id}'), 'method': 'PUT'}], - deprecated_rule=deprecated_create_policy_assoc_for_endpoint, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_create_policy_assoc_for_endpoint), policy.DocumentedRuleDefault( name=base.IDENTITY % 'check_policy_association_for_endpoint', check_str=base.SYSTEM_READER, 
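Review bot: Nothing near these eleven definitions says how long the deprecated `check_str=base.RULE_ADMIN_REQUIRED` stays effective, although the header comment above them says system-scoped tokens should be required for policy associations. As far as I know, oslo.policy keeps accepting a deprecated check string alongside the new default until the operator sets `enforce_new_defaults`, so the old admin check probably still applies during the deprecation window; this is worth confirming. A short comment above `deprecated_check_policy_assoc_for_endpoint` would make that visible to whoever audits this file, for example `# Deprecated defaults remain accepted next to the system-scoped ones until enforce_new_defaults is enabled.`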
@@ -102,9 +123,7 @@ policy_association_policies = [ {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'endpoints/{endpoint_id}'), 'method': 'HEAD'}], - deprecated_rule=deprecated_check_policy_assoc_for_endpoint, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_check_policy_assoc_for_endpoint), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_policy_association_for_endpoint', check_str=base.SYSTEM_ADMIN, @@ -113,9 +132,7 @@ policy_association_policies = [ operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'endpoints/{endpoint_id}'), 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_policy_assoc_for_endpoint, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_delete_policy_assoc_for_endpoint), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_policy_association_for_service', check_str=base.SYSTEM_ADMIN, @@ -124,9 +141,7 @@ policy_association_policies = [ operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}'), 'method': 'PUT'}], - deprecated_rule=deprecated_create_policy_assoc_for_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_create_policy_assoc_for_service), policy.DocumentedRuleDefault( name=base.IDENTITY % 'check_policy_association_for_service', check_str=base.SYSTEM_READER, @@ -138,9 +153,7 @@ policy_association_policies = [ {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}'), 'method': 'HEAD'}], - deprecated_rule=deprecated_check_policy_assoc_for_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_check_policy_assoc_for_service), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_policy_association_for_service', check_str=base.SYSTEM_ADMIN, 
@@ -149,9 +162,7 @@ policy_association_policies = [ operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}'), 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_policy_assoc_for_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_delete_policy_assoc_for_service), policy.DocumentedRuleDefault( name=base.IDENTITY % ( 'create_policy_association_for_region_and_service'), @@ -162,9 +173,7 @@ policy_association_policies = [ operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}/regions/{region_id}'), 'method': 'PUT'}], - deprecated_rule=deprecated_create_policy_assoc_for_region_and_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_create_policy_assoc_for_region_and_service), policy.DocumentedRuleDefault( name=base.IDENTITY % 'check_policy_association_for_region_and_service', check_str=base.SYSTEM_READER, @@ -176,9 +185,7 @@ policy_association_policies = [ {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}/regions/{region_id}'), 'method': 'HEAD'}], - deprecated_rule=deprecated_check_policy_assoc_for_region_and_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_check_policy_assoc_for_region_and_service), policy.DocumentedRuleDefault( name=base.IDENTITY % ( 'delete_policy_association_for_region_and_service'), 
@@ -188,9 +195,7 @@ policy_association_policies = [ operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}/regions/{region_id}'), 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_policy_for_endpoint', check_str=base.SYSTEM_READER, @@ -202,9 +207,7 @@ policy_association_policies = [ {'path': ('/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/' 'policy'), 'method': 'HEAD'}], - deprecated_rule=deprecated_get_policy_for_endpoint, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_policy_for_endpoint), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoints_for_policy', check_str=base.SYSTEM_READER, @@ -213,9 +216,7 @@ policy_association_policies = [ operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'endpoints'), 'method': 'GET'}], - deprecated_rule=deprecated_list_endpoints_for_policy, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN) + deprecated_rule=deprecated_list_endpoints_for_policy) ] diff --git a/keystone/common/policies/project.py b/keystone/common/policies/project.py index c7b7c0a9d6..db7cdee9fe 100644 --- a/keystone/common/policies/project.py +++ b/keystone/common/policies/project.py 
@@ -52,60 +52,84 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = ( '(role:admin and domain_id:%(target.project.domain_id)s)' ) -deprecated_list_projects = policy.DeprecatedRule( - name=base.IDENTITY % 'list_projects', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_get_project = policy.DeprecatedRule( - name=base.IDENTITY % 'get_project', - check_str=base.RULE_ADMIN_OR_TARGET_PROJECT -) -deprecated_list_user_projects = policy.DeprecatedRule( - name=base.IDENTITY % 'list_user_projects', - check_str=base.RULE_ADMIN_OR_OWNER -) -deprecated_create_project = policy.DeprecatedRule( - name=base.IDENTITY % 'create_project', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_update_project = policy.DeprecatedRule( - name=base.IDENTITY % 'update_project', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_delete_project = policy.DeprecatedRule( - name=base.IDENTITY % 'delete_project', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_list_project_tags = policy.DeprecatedRule( - name=base.IDENTITY % 'list_project_tags', - check_str=base.RULE_ADMIN_OR_TARGET_PROJECT -) -deprecated_get_project_tag = policy.DeprecatedRule( - name=base.IDENTITY % 'get_project_tag', - check_str=base.RULE_ADMIN_OR_TARGET_PROJECT -) -deprecated_update_project_tag = policy.DeprecatedRule( - name=base.IDENTITY % 'update_project_tags', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_create_project_tag = policy.DeprecatedRule( - name=base.IDENTITY % 'create_project_tag', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_delete_project_tag = policy.DeprecatedRule( - name=base.IDENTITY % 'delete_project_tag', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_delete_project_tags = policy.DeprecatedRule( - name=base.IDENTITY % 'delete_project_tags', - check_str=base.RULE_ADMIN_REQUIRED -) - - DEPRECATED_REASON = ( "The project API is now aware of system scope and default roles." 
) +deprecated_list_projects = policy.DeprecatedRule( + name=base.IDENTITY % 'list_projects', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_get_project = policy.DeprecatedRule( + name=base.IDENTITY % 'get_project', + check_str=base.RULE_ADMIN_OR_TARGET_PROJECT, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_list_user_projects = policy.DeprecatedRule( + name=base.IDENTITY % 'list_user_projects', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_create_project = policy.DeprecatedRule( + name=base.IDENTITY % 'create_project', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_update_project = policy.DeprecatedRule( + name=base.IDENTITY % 'update_project', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_delete_project = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_project', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_list_project_tags = policy.DeprecatedRule( + name=base.IDENTITY % 'list_project_tags', + check_str=base.RULE_ADMIN_OR_TARGET_PROJECT, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_get_project_tag = policy.DeprecatedRule( + name=base.IDENTITY % 'get_project_tag', + check_str=base.RULE_ADMIN_OR_TARGET_PROJECT, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_update_project_tag = policy.DeprecatedRule( + name=base.IDENTITY % 'update_project_tags', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + 
deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_create_project_tag = policy.DeprecatedRule( + name=base.IDENTITY % 'create_project_tag', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_delete_project_tag = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_project_tag', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_delete_project_tags = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_project_tags', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) + + TAGS_DEPRECATED_REASON = """ As of the Train release, the project tags API understands how to handle system-scoped tokens in addition to project and domain tokens, making the API @@ -122,9 +146,7 @@ project_policies = [ description='Show project details.', operations=[{'path': '/v3/projects/{project_id}', 'method': 'GET'}], - deprecated_rule=deprecated_get_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_get_project), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_projects', check_str=SYSTEM_READER_OR_DOMAIN_READER, @@ -136,9 +158,7 @@ project_policies = [ description='List projects.', operations=[{'path': '/v3/projects', 'method': 'GET'}], - deprecated_rule=deprecated_list_projects, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_projects), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_user_projects', check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER, 
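Review bot: The six tag rules (`deprecated_list_project_tags` through `deprecated_delete_project_tags`) now carry `deprecated_reason=DEPRECATED_REASON`, whereas the `DocumentedRuleDefault` entries they back passed `TAGS_DEPRECATED_REASON` until the later project.py hunks removed it. Operators who override these policies would therefore see the one-line generic message instead of the longer Train note about the new defaults, and `TAGS_DEPRECATED_REASON` looks unused in the hunks shown. The constant is still defined below the rules, so they cannot reference it where it sits; moving it above `deprecated_list_project_tags` and using `deprecated_reason=TAGS_DEPRECATED_REASON,` on the six tag rules would keep the previous message.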
@@ -146,9 +166,7 @@ project_policies = [ description='List projects for user.', operations=[{'path': '/v3/users/{user_id}/projects', 'method': 'GET'}], - deprecated_rule=deprecated_list_user_projects, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_user_projects), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_project', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, @@ -156,9 +174,7 @@ project_policies = [ description='Create project.', operations=[{'path': '/v3/projects', 'method': 'POST'}], - deprecated_rule=deprecated_create_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_project), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_project', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, @@ -166,9 +182,7 @@ project_policies = [ description='Update project.', operations=[{'path': '/v3/projects/{project_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_project), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_project', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, @@ -176,9 +190,7 @@ project_policies = [ description='Delete project.', operations=[{'path': '/v3/projects/{project_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_delete_project), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_project_tags', check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER, 
@@ -188,9 +200,7 @@ project_policies = [ 'method': 'GET'}, {'path': '/v3/projects/{project_id}/tags', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_project_tags, - deprecated_reason=TAGS_DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_project_tags), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_project_tag', check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER, @@ -200,9 +210,7 @@ project_policies = [ 'method': 'GET'}, {'path': '/v3/projects/{project_id}/tags/{value}', 'method': 'HEAD'}], - deprecated_rule=deprecated_get_project_tag, - deprecated_reason=TAGS_DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_project_tag), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_project_tags', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, @@ -210,9 +218,7 @@ project_policies = [ description='Replace all tags on a project with the new set of tags.', operations=[{'path': '/v3/projects/{project_id}/tags', 'method': 'PUT'}], - deprecated_rule=deprecated_update_project_tag, - deprecated_reason=TAGS_DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_update_project_tag), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_project_tag', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, @@ -220,9 +226,7 @@ project_policies = [ description='Add a single tag to a project.', operations=[{'path': '/v3/projects/{project_id}/tags/{value}', 'method': 'PUT'}], - deprecated_rule=deprecated_create_project_tag, - deprecated_reason=TAGS_DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_create_project_tag), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_project_tags', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, 
@@ -230,9 +234,7 @@ project_policies = [ description='Remove all tags from a project.', operations=[{'path': '/v3/projects/{project_id}/tags', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_project_tags, - deprecated_reason=TAGS_DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_delete_project_tags), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_project_tag', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, @@ -240,9 +242,7 @@ project_policies = [ description='Delete a specified tag from project.', operations=[{'path': '/v3/projects/{project_id}/tags/{value}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_project_tag, - deprecated_reason=TAGS_DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN) + deprecated_rule=deprecated_delete_project_tag) ] diff --git a/keystone/common/policies/project_endpoint.py b/keystone/common/policies/project_endpoint.py index c04cddd4d6..86a020e02e 100644 --- a/keystone/common/policies/project_endpoint.py +++ b/keystone/common/policies/project_endpoint.py 
@@ -15,31 +15,6 @@ from oslo_policy import policy from keystone.common.policies import base -deprecated_list_projects_for_endpoint = policy.DeprecatedRule( - name=base.IDENTITY % 'list_projects_for_endpoint', - check_str=base.RULE_ADMIN_REQUIRED, -) - -deprecated_add_endpoint_to_project = policy.DeprecatedRule( - name=base.IDENTITY % 'add_endpoint_to_project', - check_str=base.RULE_ADMIN_REQUIRED, -) - -deprecated_check_endpoint_in_project = policy.DeprecatedRule( - name=base.IDENTITY % 'check_endpoint_in_project', - check_str=base.RULE_ADMIN_REQUIRED, -) - -deprecated_list_endpoints_for_project = policy.DeprecatedRule( - name=base.IDENTITY % 'list_endpoints_for_project', - check_str=base.RULE_ADMIN_REQUIRED, -) - -deprecated_remove_endpoint_from_project = policy.DeprecatedRule( - name=base.IDENTITY % 'remove_endpoint_from_project', - check_str=base.RULE_ADMIN_REQUIRED, -) - DEPRECATED_REASON = """ As of the Train release, the project endpoint API now understands default roles and system-scoped tokens, making the API more granular by default without 
@@ -48,6 +23,41 @@ automatically. Be sure to take these new defaults into consideration if you are relying on overrides in your deployment for the project endpoint API. """ +deprecated_list_projects_for_endpoint = policy.DeprecatedRule( + name=base.IDENTITY % 'list_projects_for_endpoint', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) + +deprecated_add_endpoint_to_project = policy.DeprecatedRule( + name=base.IDENTITY % 'add_endpoint_to_project', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) + +deprecated_check_endpoint_in_project = policy.DeprecatedRule( + name=base.IDENTITY % 'check_endpoint_in_project', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) + +deprecated_list_endpoints_for_project = policy.DeprecatedRule( + name=base.IDENTITY % 'list_endpoints_for_project', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) + +deprecated_remove_endpoint_from_project = policy.DeprecatedRule( + name=base.IDENTITY % 'remove_endpoint_from_project', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) + project_endpoint_policies = [ @@ -63,9 +73,7 @@ project_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/' 'projects'), 'method': 'GET'}], - deprecated_rule=deprecated_list_projects_for_endpoint, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_projects_for_endpoint), policy.DocumentedRuleDefault( name=base.IDENTITY % 'add_endpoint_to_project', check_str=base.SYSTEM_ADMIN, 
@@ -74,9 +82,7 @@ project_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' 'endpoints/{endpoint_id}'), 'method': 'PUT'}], - deprecated_rule=deprecated_add_endpoint_to_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_add_endpoint_to_project), policy.DocumentedRuleDefault( name=base.IDENTITY % 'check_endpoint_in_project', check_str=base.SYSTEM_READER, @@ -88,9 +94,7 @@ project_endpoint_policies = [ {'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' 'endpoints/{endpoint_id}'), 'method': 'HEAD'}], - deprecated_rule=deprecated_check_endpoint_in_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_check_endpoint_in_project), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoints_for_project', check_str=base.SYSTEM_READER, @@ -99,9 +103,7 @@ project_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' 'endpoints'), 'method': 'GET'}], - deprecated_rule=deprecated_list_endpoints_for_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_endpoints_for_project), policy.DocumentedRuleDefault( name=base.IDENTITY % 'remove_endpoint_from_project', check_str=base.SYSTEM_ADMIN, @@ -111,9 +113,7 @@ project_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' 'endpoints/{endpoint_id}'), 'method': 'DELETE'}], - deprecated_rule=deprecated_remove_endpoint_from_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_remove_endpoint_from_project), ] diff --git a/keystone/common/policies/protocol.py b/keystone/common/policies/protocol.py index de2a7299e8..887fc70dfa 100644 --- a/keystone/common/policies/protocol.py +++ b/keystone/common/policies/protocol.py 
@@ -15,32 +15,43 @@ from oslo_policy import policy from keystone.common.policies import base -deprecated_get_protocol = policy.DeprecatedRule( - name=base.IDENTITY % 'get_protocol', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_list_protocols = policy.DeprecatedRule( - name=base.IDENTITY % 'list_protocols', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_update_protocol = policy.DeprecatedRule( - name=base.IDENTITY % 'update_protocol', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_create_protocol = policy.DeprecatedRule( - name=base.IDENTITY % 'create_protocol', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_delete_protocol = policy.DeprecatedRule( - name=base.IDENTITY % 'delete_protocol', - check_str=base.RULE_ADMIN_REQUIRED -) - DEPRECATED_REASON = ( "The federated protocol API is now aware of system scope and default " "roles." ) +deprecated_get_protocol = policy.DeprecatedRule( + name=base.IDENTITY % 'get_protocol', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_list_protocols = policy.DeprecatedRule( + name=base.IDENTITY % 'list_protocols', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_update_protocol = policy.DeprecatedRule( + name=base.IDENTITY % 'update_protocol', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_create_protocol = policy.DeprecatedRule( + name=base.IDENTITY % 'create_protocol', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_delete_protocol = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_protocol', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) + + protocol_policies 
= [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_protocol', @@ -53,9 +64,7 @@ protocol_policies = [ operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' 'protocols/{protocol_id}'), 'method': 'PUT'}], - deprecated_rule=deprecated_create_protocol, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_protocol), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_protocol', check_str=base.SYSTEM_ADMIN, @@ -64,9 +73,7 @@ protocol_policies = [ operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' 'protocols/{protocol_id}'), 'method': 'PATCH'}], - deprecated_rule=deprecated_update_protocol, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_protocol), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_protocol', check_str=base.SYSTEM_READER, @@ -75,9 +82,7 @@ protocol_policies = [ operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' 'protocols/{protocol_id}'), 'method': 'GET'}], - deprecated_rule=deprecated_get_protocol, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_get_protocol), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_protocols', check_str=base.SYSTEM_READER, @@ -86,9 +91,7 @@ protocol_policies = [ operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' 'protocols'), 'method': 'GET'}], - deprecated_rule=deprecated_list_protocols, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_protocols), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_protocol', check_str=base.SYSTEM_ADMIN, 
@@ -97,9 +100,7 @@ protocol_policies = [ operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' 'protocols/{protocol_id}'), 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_protocol, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN) + deprecated_rule=deprecated_delete_protocol) ] diff --git a/keystone/common/policies/region.py b/keystone/common/policies/region.py index bf60f8ff91..f13299dd2d 100644 --- a/keystone/common/policies/region.py +++ b/keystone/common/policies/region.py @@ -15,23 +15,30 @@ from oslo_policy import policy from keystone.common.policies import base -deprecated_create_region = policy.DeprecatedRule( - name=base.IDENTITY % 'create_region', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_update_region = policy.DeprecatedRule( - name=base.IDENTITY % 'update_region', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_delete_region = policy.DeprecatedRule( - name=base.IDENTITY % 'delete_region', - check_str=base.RULE_ADMIN_REQUIRED -) - DEPRECATED_REASON = ( "The region API is now aware of system scope and default roles." ) +deprecated_create_region = policy.DeprecatedRule( + name=base.IDENTITY % 'create_region', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_update_region = policy.DeprecatedRule( + name=base.IDENTITY % 'update_region', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_delete_region = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_region', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) + + region_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_region', 
@@ -66,9 +73,7 @@ region_policies = [ 'method': 'POST'}, {'path': '/v3/regions/{region_id}', 'method': 'PUT'}], - deprecated_rule=deprecated_create_region, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_region), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_region', check_str=base.SYSTEM_ADMIN, @@ -76,9 +81,7 @@ region_policies = [ description='Update region.', operations=[{'path': '/v3/regions/{region_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_region, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_region), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_region', check_str=base.SYSTEM_ADMIN, @@ -86,9 +89,7 @@ region_policies = [ description='Delete region.', operations=[{'path': '/v3/regions/{region_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_region, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_delete_region), ] diff --git a/keystone/common/policies/role.py b/keystone/common/policies/role.py index 7d6a38e461..b372efbbac 100644 --- a/keystone/common/policies/role.py +++ b/keystone/common/policies/role.py 
@@ -15,51 +15,72 @@ from oslo_policy import policy from keystone.common.policies import base -deprecated_get_role = policy.DeprecatedRule( - name=base.IDENTITY % 'get_role', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_list_role = policy.DeprecatedRule( - name=base.IDENTITY % 'list_roles', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_update_role = policy.DeprecatedRule( - name=base.IDENTITY % 'update_role', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_create_role = policy.DeprecatedRule( - name=base.IDENTITY % 'create_role', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_delete_role = policy.DeprecatedRule( - name=base.IDENTITY % 'delete_role', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_get_domain_role = policy.DeprecatedRule( - name=base.IDENTITY % 'get_domain_role', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_list_domain_roles = policy.DeprecatedRule( - name=base.IDENTITY % 'list_domain_roles', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_update_domain_role = policy.DeprecatedRule( - name=base.IDENTITY % 'update_domain_role', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_create_domain_role = policy.DeprecatedRule( - name=base.IDENTITY % 'create_domain_role', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_delete_domain_role = policy.DeprecatedRule( - name=base.IDENTITY % 'delete_domain_role', - check_str=base.RULE_ADMIN_REQUIRED -) - DEPRECATED_REASON = ( "The role API is now aware of system scope and default roles." 
) +deprecated_get_role = policy.DeprecatedRule( + name=base.IDENTITY % 'get_role', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_list_role = policy.DeprecatedRule( + name=base.IDENTITY % 'list_roles', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_update_role = policy.DeprecatedRule( + name=base.IDENTITY % 'update_role', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_create_role = policy.DeprecatedRule( + name=base.IDENTITY % 'create_role', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_delete_role = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_role', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_get_domain_role = policy.DeprecatedRule( + name=base.IDENTITY % 'get_domain_role', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_list_domain_roles = policy.DeprecatedRule( + name=base.IDENTITY % 'list_domain_roles', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_update_domain_role = policy.DeprecatedRule( + name=base.IDENTITY % 'update_domain_role', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) +deprecated_create_domain_role = policy.DeprecatedRule( + name=base.IDENTITY % 'create_domain_role', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) 
+deprecated_delete_domain_role = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_domain_role', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) + + role_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_role', @@ -75,9 +96,7 @@ role_policies = [ 'method': 'GET'}, {'path': '/v3/roles/{role_id}', 'method': 'HEAD'}], - deprecated_rule=deprecated_get_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_get_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_roles', check_str=base.SYSTEM_READER, @@ -87,9 +106,7 @@ role_policies = [ 'method': 'GET'}, {'path': '/v3/roles', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_role', check_str=base.SYSTEM_ADMIN, @@ -97,9 +114,7 @@ role_policies = [ description='Create role.', operations=[{'path': '/v3/roles', 'method': 'POST'}], - deprecated_rule=deprecated_create_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_role', check_str=base.SYSTEM_ADMIN, @@ -107,9 +122,7 @@ role_policies = [ description='Update role.', operations=[{'path': '/v3/roles/{role_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_role', check_str=base.SYSTEM_ADMIN, 
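Review bot: In the role.py definitions block, the five role rules carry `deprecated_since=versionutils.deprecated.STEIN` and the five domain-role rules carry `versionutils.deprecated.TRAIN`, but nothing marks the split, and all ten share one `DEPRECATED_REASON`. A one-line comment before `deprecated_get_domain_role`, such as `# Domain role rules were deprecated in Train; the global role rules above in Stein.`, would keep a later copy-paste from flattening the two releases. role_assignment.py has the same Stein/Train mix between `deprecated_list_role_assignments` and `deprecated_list_role_assignments_for_tree`. The values match the ones removed from the `DocumentedRuleDefault` entries in the following hunks, so this is documentation only.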
@@ -117,9 +130,7 @@ role_policies = [ description='Delete role.', operations=[{'path': '/v3/roles/{role_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_delete_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_domain_role', check_str=base.SYSTEM_READER, @@ -134,9 +145,7 @@ role_policies = [ 'method': 'GET'}, {'path': '/v3/roles/{role_id}', 'method': 'HEAD'}], - deprecated_rule=deprecated_get_domain_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_domain_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_domain_roles', check_str=base.SYSTEM_READER, @@ -146,9 +155,7 @@ role_policies = [ 'method': 'GET'}, {'path': '/v3/roles?domain_id={domain_id}', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_domain_roles, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_domain_roles), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_domain_role', check_str=base.SYSTEM_ADMIN, @@ -156,9 +163,7 @@ role_policies = [ scope_types=['system'], operations=[{'path': '/v3/roles', 'method': 'POST'}], - deprecated_rule=deprecated_create_domain_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_create_domain_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_domain_role', check_str=base.SYSTEM_ADMIN, 
@@ -166,9 +171,7 @@ role_policies = [ scope_types=['system'], operations=[{'path': '/v3/roles/{role_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_domain_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_update_domain_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_domain_role', check_str=base.SYSTEM_ADMIN, @@ -176,9 +179,7 @@ role_policies = [ scope_types=['system'], operations=[{'path': '/v3/roles/{role_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_domain_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN) + deprecated_rule=deprecated_delete_domain_role) ] diff --git a/keystone/common/policies/role_assignment.py b/keystone/common/policies/role_assignment.py index c70f292f38..5dea3dc2f3 100644 --- a/keystone/common/policies/role_assignment.py +++ b/keystone/common/policies/role_assignment.py 
@@ -25,19 +25,24 @@ SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN = ( '(role:admin and project_id:%(target.project.id)s)' ) -deprecated_list_role_assignments = policy.DeprecatedRule( - name=base.IDENTITY % 'list_role_assignments', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_list_role_assignments_for_tree = policy.DeprecatedRule( - name=base.IDENTITY % 'list_role_assignments_for_tree', - check_str=base.RULE_ADMIN_REQUIRED -) - DEPRECATED_REASON = ( "The assignment API is now aware of system scope and default roles." ) +deprecated_list_role_assignments = policy.DeprecatedRule( + name=base.IDENTITY % 'list_role_assignments', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_list_role_assignments_for_tree = policy.DeprecatedRule( + name=base.IDENTITY % 'list_role_assignments_for_tree', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN +) + + role_assignment_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_role_assignments', @@ -48,9 +53,7 @@ role_assignment_policies = [ 'method': 'GET'}, {'path': '/v3/role_assignments', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_role_assignments, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_role_assignments), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_role_assignments_for_tree', check_str=SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN, @@ -61,9 +64,7 @@ role_assignment_policies = [ 'method': 'GET'}, {'path': '/v3/role_assignments?include_subtree', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_role_assignments_for_tree, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_role_assignments_for_tree), ] 
diff --git a/keystone/common/policies/service.py b/keystone/common/policies/service.py index 66d3aaa727..0287076312 100644 --- a/keystone/common/policies/service.py +++ b/keystone/common/policies/service.py 
@@ -15,31 +15,42 @@ from oslo_policy import policy from keystone.common.policies import base -deprecated_get_service = policy.DeprecatedRule( - name=base.IDENTITY % 'get_service', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_list_service = policy.DeprecatedRule( - name=base.IDENTITY % 'list_services', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_update_service = policy.DeprecatedRule( - name=base.IDENTITY % 'update_service', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_create_service = policy.DeprecatedRule( - name=base.IDENTITY % 'create_service', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_delete_service = policy.DeprecatedRule( - name=base.IDENTITY % 'delete_service', - check_str=base.RULE_ADMIN_REQUIRED -) - DEPRECATED_REASON = ( "The service API is now aware of system scope and default roles." ) +deprecated_get_service = policy.DeprecatedRule( + name=base.IDENTITY % 'get_service', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_list_service = policy.DeprecatedRule( + name=base.IDENTITY % 'list_services', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_update_service = policy.DeprecatedRule( + name=base.IDENTITY % 'update_service', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_create_service = policy.DeprecatedRule( + name=base.IDENTITY % 'create_service', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_delete_service = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_service', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) + + service_policies = [ policy.DocumentedRuleDefault( 
name=base.IDENTITY % 'get_service', @@ -48,9 +59,7 @@ service_policies = [ description='Show service details.', operations=[{'path': '/v3/services/{service_id}', 'method': 'GET'}], - deprecated_rule=deprecated_get_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_get_service), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_services', check_str=base.SYSTEM_READER, @@ -58,9 +67,7 @@ service_policies = [ description='List services.', operations=[{'path': '/v3/services', 'method': 'GET'}], - deprecated_rule=deprecated_list_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_service), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_service', check_str=base.SYSTEM_ADMIN, @@ -68,9 +75,7 @@ service_policies = [ description='Create service.', operations=[{'path': '/v3/services', 'method': 'POST'}], - deprecated_rule=deprecated_create_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_service), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_service', check_str=base.SYSTEM_ADMIN, @@ -78,9 +83,7 @@ service_policies = [ description='Update service.', operations=[{'path': '/v3/services/{service_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_service), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_service', check_str=base.SYSTEM_ADMIN, 
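Review bot: All five `DeprecatedRule` definitions in service.py now repeat the same `deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.STEIN` pair, so a rule added later can leave one of them out without any visible difference in the file. A module-local factory would state the pair once, e.g. `_deprecated = functools.partial(policy.DeprecatedRule, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.STEIN)` followed by `deprecated_get_service = _deprecated(name=base.IDENTITY % 'get_service', check_str=base.RULE_ADMIN_REQUIRED)`. This needs `import functools` at the top of the file, which is outside the hunk. The same pattern would fit region.py, service_provider.py and user.py, where every rule uses a single release.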
@@ -88,9 +91,7 @@ service_policies = [ description='Delete service.', operations=[{'path': '/v3/services/{service_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN) + deprecated_rule=deprecated_delete_service) ] diff --git a/keystone/common/policies/service_provider.py b/keystone/common/policies/service_provider.py index 4d0e3cb90e..657368aea9 100644 --- a/keystone/common/policies/service_provider.py +++ b/keystone/common/policies/service_provider.py 
@@ -15,31 +15,42 @@ from oslo_policy import policy from keystone.common.policies import base -deprecated_get_sp = policy.DeprecatedRule( - name=base.IDENTITY % 'get_service_provider', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_list_sp = policy.DeprecatedRule( - name=base.IDENTITY % 'list_service_providers', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_update_sp = policy.DeprecatedRule( - name=base.IDENTITY % 'update_service_provider', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_create_sp = policy.DeprecatedRule( - name=base.IDENTITY % 'create_service_provider', - check_str=base.RULE_ADMIN_REQUIRED -) -deprecated_delete_sp = policy.DeprecatedRule( - name=base.IDENTITY % 'delete_service_provider', - check_str=base.RULE_ADMIN_REQUIRED -) - DEPRECATED_REASON = ( "The service provider API is now aware of system scope and default roles." ) +deprecated_get_sp = policy.DeprecatedRule( + name=base.IDENTITY % 'get_service_provider', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_list_sp = policy.DeprecatedRule( + name=base.IDENTITY % 'list_service_providers', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_update_sp = policy.DeprecatedRule( + name=base.IDENTITY % 'update_service_provider', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_create_sp = policy.DeprecatedRule( + name=base.IDENTITY % 'create_service_provider', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) +deprecated_delete_sp = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_service_provider', + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN +) + + 
service_provider_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_service_provider', @@ -55,9 +66,7 @@ service_provider_policies = [ operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' '{service_provider_id}'), 'method': 'PUT'}], - deprecated_rule=deprecated_create_sp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_sp), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_service_providers', check_str=base.SYSTEM_READER, @@ -73,9 +82,7 @@ service_provider_policies = [ 'method': 'HEAD' } ], - deprecated_rule=deprecated_list_sp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN + deprecated_rule=deprecated_list_sp ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_service_provider', @@ -94,9 +101,7 @@ service_provider_policies = [ 'method': 'HEAD' } ], - deprecated_rule=deprecated_get_sp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN + deprecated_rule=deprecated_get_sp ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_service_provider', @@ -106,9 +111,7 @@ service_provider_policies = [ operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' '{service_provider_id}'), 'method': 'PATCH'}], - deprecated_rule=deprecated_update_sp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_sp), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_service_provider', check_str=base.SYSTEM_ADMIN, @@ -117,9 +120,7 @@ service_provider_policies = [ operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' '{service_provider_id}'), 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_sp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN) + deprecated_rule=deprecated_delete_sp) ] 
diff --git a/keystone/common/policies/token.py b/keystone/common/policies/token.py index 9fa3c52f16..cb321b0593 100644 --- a/keystone/common/policies/token.py +++ b/keystone/common/policies/token.py @@ -21,15 +21,21 @@ DEPRECATED_REASON = ( deprecated_check_token = policy.DeprecatedRule( name=base.IDENTITY % 'check_token', - check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT + check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_validate_token = policy.DeprecatedRule( name=base.IDENTITY % 'validate_token', - check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT + check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_revoke_token = policy.DeprecatedRule( name=base.IDENTITY % 'revoke_token', - check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT + check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) SYSTEM_ADMIN_OR_TOKEN_SUBJECT = ( @@ -52,9 +58,7 @@ token_policies = [ description='Check a token.', operations=[{'path': '/v3/auth/tokens', 'method': 'HEAD'}], - deprecated_rule=deprecated_check_token, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_check_token), policy.DocumentedRuleDefault( name=base.IDENTITY % 'validate_token', check_str=SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT, @@ -62,9 +66,7 @@ token_policies = [ description='Validate a token.', operations=[{'path': '/v3/auth/tokens', 'method': 'GET'}], - deprecated_rule=deprecated_validate_token, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_validate_token), policy.DocumentedRuleDefault( name=base.IDENTITY % 'revoke_token', check_str=SYSTEM_ADMIN_OR_TOKEN_SUBJECT, 
@@ -72,9 +74,7 @@ token_policies = [ description='Revoke a token.', operations=[{'path': '/v3/auth/tokens', 'method': 'DELETE'}], - deprecated_rule=deprecated_revoke_token, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN) + deprecated_rule=deprecated_revoke_token) ] diff --git a/keystone/common/policies/trust.py b/keystone/common/policies/trust.py index 82acb0a93f..7678106a8d 100644 --- a/keystone/common/policies/trust.py +++ b/keystone/common/policies/trust.py 
@@ -24,29 +24,39 @@ SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR +DEPRECATED_REASON = ( + "The trust API is now aware of system scope and default roles." +) + deprecated_list_trusts = policy.DeprecatedRule( name=base.IDENTITY % 'list_trusts', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_list_roles_for_trust = policy.DeprecatedRule( name=base.IDENTITY % 'list_roles_for_trust', - check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE + check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_get_role_for_trust = policy.DeprecatedRule( name=base.IDENTITY % 'get_role_for_trust', - check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE + check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_delete_trust = policy.DeprecatedRule( name=base.IDENTITY % 'delete_trust', - check_str=RULE_TRUSTOR + check_str=RULE_TRUSTOR, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_get_trust = policy.DeprecatedRule( name=base.IDENTITY % 'get_trust', - check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE -) - -DEPRECATED_REASON = ( - "The trust API is now aware of system scope and default roles." + check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) trust_policies = [ 
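Review bot: `RULE_TRUSTOR + ' or ' + RULE_TRUSTEE` is spelled out three times in the rewritten deprecated rules (`list_roles_for_trust`, `get_role_for_trust`, `get_trust`), while the new defaults in this file use named constants such as `SYSTEM_READER_OR_TRUSTOR`. Since these `check_str` lines are being touched anyway, a named constant would keep the three authorization strings from drifting apart: `RULE_TRUSTOR_OR_TRUSTEE = RULE_TRUSTOR + ' or ' + RULE_TRUSTEE`, then `check_str=RULE_TRUSTOR_OR_TRUSTEE`. `RULE_TRUSTOR` and `RULE_TRUSTEE` are defined above the hunk, so the constant would sit with the other composed rules there.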
@@ -69,9 +79,7 @@ trust_policies = [ 'method': 'GET'}, {'path': '/v3/OS-TRUST/trusts', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_trusts, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_trusts), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_trusts_for_trustor', check_str=SYSTEM_READER_OR_TRUSTOR, @@ -103,9 +111,7 @@ trust_policies = [ 'method': 'GET'}, {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_roles_for_trust, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_roles_for_trust), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_role_for_trust', check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE, @@ -115,9 +121,7 @@ trust_policies = [ 'method': 'GET'}, {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}', 'method': 'HEAD'}], - deprecated_rule=deprecated_get_role_for_trust, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_role_for_trust), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_trust', check_str=SYSTEM_ADMIN_OR_TRUSTOR, @@ -125,9 +129,7 @@ trust_policies = [ description='Revoke trust.', operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_trust, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_delete_trust), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_trust', check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE, @@ -137,9 +139,7 @@ trust_policies = [ 'method': 'GET'}, {'path': '/v3/OS-TRUST/trusts/{trust_id}', 'method': 'HEAD'}], - deprecated_rule=deprecated_get_trust, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN) + deprecated_rule=deprecated_get_trust) ] 
diff --git a/keystone/common/policies/user.py b/keystone/common/policies/user.py index 75a0062cf1..0534f70f6d 100644 --- a/keystone/common/policies/user.py +++ b/keystone/common/policies/user.py @@ -36,23 +36,33 @@ DEPRECATED_REASON = ( deprecated_get_user = policy.DeprecatedRule( name=base.IDENTITY % 'get_user', - check_str=base.RULE_ADMIN_OR_OWNER + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_list_users = policy.DeprecatedRule( name=base.IDENTITY % 'list_users', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_create_user = policy.DeprecatedRule( name=base.IDENTITY % 'create_user', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_update_user = policy.DeprecatedRule( name=base.IDENTITY % 'update_user', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_delete_user = policy.DeprecatedRule( name=base.IDENTITY % 'delete_user', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) user_policies = [ @@ -65,9 +75,7 @@ user_policies = [ 'method': 'GET'}, {'path': '/v3/users/{user_id}', 'method': 'HEAD'}], - deprecated_rule=deprecated_get_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_get_user), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_users', check_str=SYSTEM_READER_OR_DOMAIN_READER, 
@@ -77,9 +85,7 @@ user_policies = [ 'method': 'GET'}, {'path': '/v3/users', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_users, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_users), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_projects_for_user', check_str='', @@ -111,9 +117,7 @@ user_policies = [ description='Create a user.', operations=[{'path': '/v3/users', 'method': 'POST'}], - deprecated_rule=deprecated_create_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_user), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_user', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, @@ -121,9 +125,7 @@ user_policies = [ description='Update a user, including administrative password resets.', operations=[{'path': '/v3/users/{user_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_user), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_user', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, @@ -131,9 +133,7 @@ user_policies = [ description='Delete a user.', operations=[{'path': '/v3/users/{user_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN) + deprecated_rule=deprecated_delete_user) ] diff --git a/lower-constraints.txt b/lower-constraints.txt index 431589d020..3ceae8a1da 100644 --- a/lower-constraints.txt +++ b/lower-constraints.txt @@ -32,7 +32,7 @@ oslo.i18n==3.15.3 oslo.log==3.44.0 oslo.messaging==5.29.0 oslo.middleware==3.31.0 -oslo.policy==3.6.0 +oslo.policy==3.7.0 oslo.serialization==2.18.0 oslo.upgradecheck==1.3.0 oslo.utils==3.33.0 diff --git a/requirements.txt b/requirements.txt index 3464fb3fc4..f77c246652 100644 --- a/requirements.txt 
+++ b/requirements.txt @@ -23,7 +23,7 @@ oslo.db>=6.0.0 # Apache-2.0 oslo.i18n>=3.15.3 # Apache-2.0 oslo.log>=3.44.0 # Apache-2.0 oslo.middleware>=3.31.0 # Apache-2.0 -oslo.policy>=3.6.0 # Apache-2.0 +oslo.policy>=3.7.0 # Apache-2.0 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 oslo.upgradecheck>=1.3.0 # Apache-2.0 oslo.utils>=3.33.0 # Apache-2.0