Fix oslo policy DeprecatedRule warnings
Since 3.7.0, oslo policy started the DeprecationWarning[1] if deprecated_reason and deprecated_since param are not passed in DeprecatedRule or they are passed in RuleDefault object. These warnings are logged for every test which increase the log size and sometime can full the log buffer and fail the job. [1] https://github.com/openstack/oslo.policy/blob/3.7.0/oslo_policy/policy.py#L1538 Change-Id: Id9d89a04b480cbdcefead93ce55a1f174f948f5d
This commit is contained in:
Ghanshyam Mann
parent
50f0a50cf4
commit
e057378b82
|
|
@ -18,24 +18,31 @@ from keystone.common.policies import base
|
||||||
collection_path = '/v3/users/{user_id}/application_credentials'
|
collection_path = '/v3/users/{user_id}/application_credentials'
|
||||||
resource_path = collection_path + '/{application_credential_id}'
|
resource_path = collection_path + '/{application_credential_id}'
|
||||||
|
|
||||||
deprecated_list_application_credentials_for_user = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_application_credentials',
|
|
||||||
check_str=base.RULE_ADMIN_OR_OWNER
|
|
||||||
)
|
|
||||||
deprecated_get_application_credentials_for_user = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'get_application_credentials',
|
|
||||||
check_str=base.RULE_ADMIN_OR_OWNER
|
|
||||||
)
|
|
||||||
deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'delete_application_credentials',
|
|
||||||
check_str=base.RULE_ADMIN_OR_OWNER
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
DEPRECATED_REASON = (
|
||||||
"The application credential API is now aware of system scope and default "
|
"The application credential API is now aware of system scope and default "
|
||||||
"roles."
|
"roles."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
deprecated_list_application_credentials_for_user = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_application_credentials',
|
||||||
|
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_get_application_credentials_for_user = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'get_application_credentials',
|
||||||
|
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_application_credentials',
|
||||||
|
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
application_credential_policies = [
|
application_credential_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_application_credential',
|
name=base.IDENTITY % 'get_application_credential',
|
||||||
|
|
@ -46,9 +53,7 @@ application_credential_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': resource_path,
|
{'path': resource_path,
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_get_application_credentials_for_user,
|
deprecated_rule=deprecated_get_application_credentials_for_user),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_application_credentials',
|
name=base.IDENTITY % 'list_application_credentials',
|
||||||
check_str=base.RULE_SYSTEM_READER_OR_OWNER,
|
check_str=base.RULE_SYSTEM_READER_OR_OWNER,
|
||||||
|
|
@ -58,9 +63,7 @@ application_credential_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': collection_path,
|
{'path': collection_path,
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_application_credentials_for_user,
|
deprecated_rule=deprecated_list_application_credentials_for_user),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_application_credential',
|
name=base.IDENTITY % 'create_application_credential',
|
||||||
check_str=base.RULE_OWNER,
|
check_str=base.RULE_OWNER,
|
||||||
|
|
@ -75,9 +78,7 @@ application_credential_policies = [
|
||||||
description='Delete an application credential.',
|
description='Delete an application credential.',
|
||||||
operations=[{'path': resource_path,
|
operations=[{'path': resource_path,
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_application_credentials_for_user,
|
deprecated_rule=deprecated_delete_application_credentials_for_user)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,31 +15,42 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
deprecated_get_consumer = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'get_consumer',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_list_consumers = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_consumers',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_create_consumer = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_consumer',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_update_consumer = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'update_consumer',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_delete_consumer = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'delete_consumer',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
DEPRECATED_REASON = (
|
||||||
"The OAUTH1 consumer API is now aware of system scope and default roles."
|
"The OAUTH1 consumer API is now aware of system scope and default roles."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
deprecated_get_consumer = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'get_consumer',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_list_consumers = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_consumers',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_create_consumer = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_consumer',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_update_consumer = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'update_consumer',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_delete_consumer = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_consumer',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
consumer_policies = [
|
consumer_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_consumer',
|
name=base.IDENTITY % 'get_consumer',
|
||||||
|
|
@ -48,9 +59,7 @@ consumer_policies = [
|
||||||
description='Show OAUTH1 consumer details.',
|
description='Show OAUTH1 consumer details.',
|
||||||
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_get_consumer,
|
deprecated_rule=deprecated_get_consumer),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_consumers',
|
name=base.IDENTITY % 'list_consumers',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -58,9 +67,7 @@ consumer_policies = [
|
||||||
description='List OAUTH1 consumers.',
|
description='List OAUTH1 consumers.',
|
||||||
operations=[{'path': '/v3/OS-OAUTH1/consumers',
|
operations=[{'path': '/v3/OS-OAUTH1/consumers',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_consumers,
|
deprecated_rule=deprecated_list_consumers),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_consumer',
|
name=base.IDENTITY % 'create_consumer',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -68,9 +75,7 @@ consumer_policies = [
|
||||||
description='Create OAUTH1 consumer.',
|
description='Create OAUTH1 consumer.',
|
||||||
operations=[{'path': '/v3/OS-OAUTH1/consumers',
|
operations=[{'path': '/v3/OS-OAUTH1/consumers',
|
||||||
'method': 'POST'}],
|
'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_create_consumer,
|
deprecated_rule=deprecated_create_consumer),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_consumer',
|
name=base.IDENTITY % 'update_consumer',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -78,9 +83,7 @@ consumer_policies = [
|
||||||
description='Update OAUTH1 consumer.',
|
description='Update OAUTH1 consumer.',
|
||||||
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_consumer,
|
deprecated_rule=deprecated_update_consumer),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_consumer',
|
name=base.IDENTITY % 'delete_consumer',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -88,9 +91,7 @@ consumer_policies = [
|
||||||
description='Delete OAUTH1 consumer.',
|
description='Delete OAUTH1 consumer.',
|
||||||
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_consumer,
|
deprecated_rule=deprecated_delete_consumer),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -21,23 +21,33 @@ DEPRECATED_REASON = (
|
||||||
|
|
||||||
deprecated_get_credential = policy.DeprecatedRule(
|
deprecated_get_credential = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_credential',
|
name=base.IDENTITY % 'get_credential',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_list_credentials = policy.DeprecatedRule(
|
deprecated_list_credentials = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_credentials',
|
name=base.IDENTITY % 'list_credentials',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_create_credential = policy.DeprecatedRule(
|
deprecated_create_credential = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'create_credential',
|
name=base.IDENTITY % 'create_credential',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_update_credential = policy.DeprecatedRule(
|
deprecated_update_credential = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'update_credential',
|
name=base.IDENTITY % 'update_credential',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_delete_credential = policy.DeprecatedRule(
|
deprecated_delete_credential = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'delete_credential',
|
name=base.IDENTITY % 'delete_credential',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -50,8 +60,6 @@ credential_policies = [
|
||||||
operations=[{'path': '/v3/credentials/{credential_id}',
|
operations=[{'path': '/v3/credentials/{credential_id}',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_get_credential,
|
deprecated_rule=deprecated_get_credential,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_credentials',
|
name=base.IDENTITY % 'list_credentials',
|
||||||
|
|
@ -61,8 +69,6 @@ credential_policies = [
|
||||||
operations=[{'path': '/v3/credentials',
|
operations=[{'path': '/v3/credentials',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_credentials,
|
deprecated_rule=deprecated_list_credentials,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_credential',
|
name=base.IDENTITY % 'create_credential',
|
||||||
|
|
@ -72,8 +78,6 @@ credential_policies = [
|
||||||
operations=[{'path': '/v3/credentials',
|
operations=[{'path': '/v3/credentials',
|
||||||
'method': 'POST'}],
|
'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_create_credential,
|
deprecated_rule=deprecated_create_credential,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_credential',
|
name=base.IDENTITY % 'update_credential',
|
||||||
|
|
@ -83,8 +87,6 @@ credential_policies = [
|
||||||
operations=[{'path': '/v3/credentials/{credential_id}',
|
operations=[{'path': '/v3/credentials/{credential_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_credential,
|
deprecated_rule=deprecated_update_credential,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_credential',
|
name=base.IDENTITY % 'delete_credential',
|
||||||
|
|
@ -94,8 +96,6 @@ credential_policies = [
|
||||||
operations=[{'path': '/v3/credentials/{credential_id}',
|
operations=[{'path': '/v3/credentials/{credential_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_credential,
|
deprecated_rule=deprecated_delete_credential,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
)
|
)
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -21,23 +21,33 @@ DEPRECATED_REASON = (
|
||||||
|
|
||||||
deprecated_list_domains = policy.DeprecatedRule(
|
deprecated_list_domains = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_domains',
|
name=base.IDENTITY % 'list_domains',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_get_domain = policy.DeprecatedRule(
|
deprecated_get_domain = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_domain',
|
name=base.IDENTITY % 'get_domain',
|
||||||
check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN
|
check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_update_domain = policy.DeprecatedRule(
|
deprecated_update_domain = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'update_domain',
|
name=base.IDENTITY % 'update_domain',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_create_domain = policy.DeprecatedRule(
|
deprecated_create_domain = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'create_domain',
|
name=base.IDENTITY % 'create_domain',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_delete_domain = policy.DeprecatedRule(
|
deprecated_delete_domain = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'delete_domain',
|
name=base.IDENTITY % 'delete_domain',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER = (
|
SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER = (
|
||||||
'(role:reader and system_scope:all) or '
|
'(role:reader and system_scope:all) or '
|
||||||
|
|
@ -56,9 +66,7 @@ domain_policies = [
|
||||||
description='Show domain details.',
|
description='Show domain details.',
|
||||||
operations=[{'path': '/v3/domains/{domain_id}',
|
operations=[{'path': '/v3/domains/{domain_id}',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_get_domain,
|
deprecated_rule=deprecated_get_domain),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_domains',
|
name=base.IDENTITY % 'list_domains',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -66,9 +74,7 @@ domain_policies = [
|
||||||
description='List domains.',
|
description='List domains.',
|
||||||
operations=[{'path': '/v3/domains',
|
operations=[{'path': '/v3/domains',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_domains,
|
deprecated_rule=deprecated_list_domains),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_domain',
|
name=base.IDENTITY % 'create_domain',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -76,9 +82,7 @@ domain_policies = [
|
||||||
description='Create domain.',
|
description='Create domain.',
|
||||||
operations=[{'path': '/v3/domains',
|
operations=[{'path': '/v3/domains',
|
||||||
'method': 'POST'}],
|
'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_create_domain,
|
deprecated_rule=deprecated_create_domain),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_domain',
|
name=base.IDENTITY % 'update_domain',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -86,9 +90,7 @@ domain_policies = [
|
||||||
description='Update domain.',
|
description='Update domain.',
|
||||||
operations=[{'path': '/v3/domains/{domain_id}',
|
operations=[{'path': '/v3/domains/{domain_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_domain,
|
deprecated_rule=deprecated_update_domain),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_domain',
|
name=base.IDENTITY % 'delete_domain',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -96,9 +98,7 @@ domain_policies = [
|
||||||
description='Delete domain.',
|
description='Delete domain.',
|
||||||
operations=[{'path': '/v3/domains/{domain_id}',
|
operations=[{'path': '/v3/domains/{domain_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_domain,
|
deprecated_rule=deprecated_delete_domain),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,36 +15,46 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
DEPRECATED_REASON = (
|
||||||
|
"The domain config API is now aware of system scope and default roles."
|
||||||
|
)
|
||||||
|
|
||||||
deprecated_get_domain_config = policy.DeprecatedRule(
|
deprecated_get_domain_config = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_domain_config',
|
name=base.IDENTITY % 'get_domain_config',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_get_domain_config_default = policy.DeprecatedRule(
|
deprecated_get_domain_config_default = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_domain_config_default',
|
name=base.IDENTITY % 'get_domain_config_default',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_create_domain_config = policy.DeprecatedRule(
|
deprecated_create_domain_config = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'create_domain_config',
|
name=base.IDENTITY % 'create_domain_config',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_update_domain_config = policy.DeprecatedRule(
|
deprecated_update_domain_config = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'update_domain_config',
|
name=base.IDENTITY % 'update_domain_config',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_delete_domain_config = policy.DeprecatedRule(
|
deprecated_delete_domain_config = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'delete_domain_config',
|
name=base.IDENTITY % 'delete_domain_config',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
|
||||||
"The domain config API is now aware of system scope and default roles."
|
|
||||||
)
|
|
||||||
|
|
||||||
domain_config_policies = [
|
domain_config_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_domain_config',
|
name=base.IDENTITY % 'create_domain_config',
|
||||||
|
|
@ -65,9 +75,7 @@ domain_config_policies = [
|
||||||
'method': 'PUT'
|
'method': 'PUT'
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_create_domain_config,
|
deprecated_rule=deprecated_create_domain_config
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_domain_config',
|
name=base.IDENTITY % 'get_domain_config',
|
||||||
|
|
@ -103,8 +111,6 @@ domain_config_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_get_domain_config,
|
deprecated_rule=deprecated_get_domain_config,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_security_compliance_domain_config',
|
name=base.IDENTITY % 'get_security_compliance_domain_config',
|
||||||
|
|
@ -156,8 +162,6 @@ domain_config_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_update_domain_config,
|
deprecated_rule=deprecated_update_domain_config,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_domain_config',
|
name=base.IDENTITY % 'delete_domain_config',
|
||||||
|
|
@ -180,8 +184,6 @@ domain_config_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_delete_domain_config,
|
deprecated_rule=deprecated_delete_domain_config,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_domain_config_default',
|
name=base.IDENTITY % 'get_domain_config_default',
|
||||||
|
|
@ -216,8 +218,6 @@ domain_config_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_get_domain_config_default,
|
deprecated_rule=deprecated_get_domain_config_default,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN
|
|
||||||
)
|
)
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,27 +15,36 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
deprecated_ec2_get_credential = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'ec2_get_credential',
|
|
||||||
check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
|
|
||||||
)
|
|
||||||
deprecated_ec2_list_credentials = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'ec2_list_credentials',
|
|
||||||
check_str=base.RULE_ADMIN_OR_OWNER
|
|
||||||
)
|
|
||||||
deprecated_ec2_create_credentials = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'ec2_create_credentials',
|
|
||||||
check_str=base.RULE_ADMIN_OR_OWNER
|
|
||||||
)
|
|
||||||
deprecated_ec2_delete_credentials = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'ec2_delete_credentials',
|
|
||||||
check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
DEPRECATED_REASON = (
|
||||||
"The EC2 credential API is now aware of system scope and default roles."
|
"The EC2 credential API is now aware of system scope and default roles."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
deprecated_ec2_get_credential = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'ec2_get_credential',
|
||||||
|
check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_ec2_list_credentials = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'ec2_list_credentials',
|
||||||
|
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_ec2_create_credentials = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'ec2_create_credentials',
|
||||||
|
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_ec2_delete_credentials = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'ec2_delete_credentials',
|
||||||
|
check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
ec2_credential_policies = [
|
ec2_credential_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'ec2_get_credential',
|
name=base.IDENTITY % 'ec2_get_credential',
|
||||||
|
|
@ -45,9 +54,7 @@ ec2_credential_policies = [
|
||||||
operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
|
operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
|
||||||
'{credential_id}'),
|
'{credential_id}'),
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_ec2_get_credential,
|
deprecated_rule=deprecated_ec2_get_credential
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'ec2_list_credentials',
|
name=base.IDENTITY % 'ec2_list_credentials',
|
||||||
|
|
@ -57,8 +64,6 @@ ec2_credential_policies = [
|
||||||
operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
|
operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_ec2_list_credentials,
|
deprecated_rule=deprecated_ec2_list_credentials,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'ec2_create_credential',
|
name=base.IDENTITY % 'ec2_create_credential',
|
||||||
|
|
@ -68,8 +73,6 @@ ec2_credential_policies = [
|
||||||
operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
|
operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
|
||||||
'method': 'POST'}],
|
'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_ec2_create_credentials,
|
deprecated_rule=deprecated_ec2_create_credentials,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'ec2_delete_credential',
|
name=base.IDENTITY % 'ec2_delete_credential',
|
||||||
|
|
@ -80,8 +83,6 @@ ec2_credential_policies = [
|
||||||
'{credential_id}'),
|
'{credential_id}'),
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_ec2_delete_credentials,
|
deprecated_rule=deprecated_ec2_delete_credentials,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN
|
|
||||||
)
|
)
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,24 +15,34 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
DEPRECATED_REASON = (
|
||||||
|
"The endpoint API is now aware of system scope and default roles."
|
||||||
|
)
|
||||||
|
|
||||||
deprecated_get_endpoint = policy.DeprecatedRule(
|
deprecated_get_endpoint = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
|
name=base.IDENTITY % 'get_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_list_endpoints = policy.DeprecatedRule(
|
deprecated_list_endpoints = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED,
|
name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_update_endpoint = policy.DeprecatedRule(
|
deprecated_update_endpoint = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
|
name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_create_endpoint = policy.DeprecatedRule(
|
deprecated_create_endpoint = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
|
name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_delete_endpoint = policy.DeprecatedRule(
|
deprecated_delete_endpoint = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
|
name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
)
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
DEPRECATED_REASON = (
|
|
||||||
"The endpoint API is now aware of system scope and default roles."
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -44,9 +54,7 @@ endpoint_policies = [
|
||||||
description='Show endpoint details.',
|
description='Show endpoint details.',
|
||||||
operations=[{'path': '/v3/endpoints/{endpoint_id}',
|
operations=[{'path': '/v3/endpoints/{endpoint_id}',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_get_endpoint,
|
deprecated_rule=deprecated_get_endpoint),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_endpoints',
|
name=base.IDENTITY % 'list_endpoints',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -54,9 +62,7 @@ endpoint_policies = [
|
||||||
description='List endpoints.',
|
description='List endpoints.',
|
||||||
operations=[{'path': '/v3/endpoints',
|
operations=[{'path': '/v3/endpoints',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_endpoints,
|
deprecated_rule=deprecated_list_endpoints),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_endpoint',
|
name=base.IDENTITY % 'create_endpoint',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -64,9 +70,7 @@ endpoint_policies = [
|
||||||
description='Create endpoint.',
|
description='Create endpoint.',
|
||||||
operations=[{'path': '/v3/endpoints',
|
operations=[{'path': '/v3/endpoints',
|
||||||
'method': 'POST'}],
|
'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_create_endpoint,
|
deprecated_rule=deprecated_create_endpoint),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_endpoint',
|
name=base.IDENTITY % 'update_endpoint',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -74,9 +78,7 @@ endpoint_policies = [
|
||||||
description='Update endpoint.',
|
description='Update endpoint.',
|
||||||
operations=[{'path': '/v3/endpoints/{endpoint_id}',
|
operations=[{'path': '/v3/endpoints/{endpoint_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_endpoint,
|
deprecated_rule=deprecated_update_endpoint),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_endpoint',
|
name=base.IDENTITY % 'delete_endpoint',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -84,9 +86,7 @@ endpoint_policies = [
|
||||||
description='Delete endpoint.',
|
description='Delete endpoint.',
|
||||||
operations=[{'path': '/v3/endpoints/{endpoint_id}',
|
operations=[{'path': '/v3/endpoints/{endpoint_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_endpoint,
|
deprecated_rule=deprecated_delete_endpoint)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,64 +15,85 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
DEPRECATED_REASON = (
|
||||||
|
"The endpoint groups API is now aware of system scope and default roles."
|
||||||
|
)
|
||||||
|
|
||||||
deprecated_list_endpoint_groups = policy.DeprecatedRule(
|
deprecated_list_endpoint_groups = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_endpoint_groups',
|
name=base.IDENTITY % 'list_endpoint_groups',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_get_endpoint_group = policy.DeprecatedRule(
|
deprecated_get_endpoint_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_endpoint_group',
|
name=base.IDENTITY % 'get_endpoint_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule(
|
deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
|
name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule(
|
deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
|
name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_get_endpoint_group_in_project = policy.DeprecatedRule(
|
deprecated_get_endpoint_group_in_project = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_endpoint_group_in_project',
|
name=base.IDENTITY % 'get_endpoint_group_in_project',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule(
|
deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_endpoint_groups_for_project',
|
name=base.IDENTITY % 'list_endpoint_groups_for_project',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_create_endpoint_group = policy.DeprecatedRule(
|
deprecated_create_endpoint_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'create_endpoint_group',
|
name=base.IDENTITY % 'create_endpoint_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_update_endpoint_group = policy.DeprecatedRule(
|
deprecated_update_endpoint_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'update_endpoint_group',
|
name=base.IDENTITY % 'update_endpoint_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_delete_endpoint_group = policy.DeprecatedRule(
|
deprecated_delete_endpoint_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'delete_endpoint_group',
|
name=base.IDENTITY % 'delete_endpoint_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_add_endpoint_group_to_project = policy.DeprecatedRule(
|
deprecated_add_endpoint_group_to_project = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'add_endpoint_group_to_project',
|
name=base.IDENTITY % 'add_endpoint_group_to_project',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule(
|
deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'remove_endpoint_group_from_project',
|
name=base.IDENTITY % 'remove_endpoint_group_from_project',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
)
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
|
||||||
"The endpoint groups API is now aware of system scope and default roles."
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -84,9 +105,7 @@ group_endpoint_policies = [
|
||||||
description='Create endpoint group.',
|
description='Create endpoint group.',
|
||||||
operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
|
operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
|
||||||
'method': 'POST'}],
|
'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_create_endpoint_group,
|
deprecated_rule=deprecated_create_endpoint_group),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_endpoint_groups',
|
name=base.IDENTITY % 'list_endpoint_groups',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -94,9 +113,7 @@ group_endpoint_policies = [
|
||||||
description='List endpoint groups.',
|
description='List endpoint groups.',
|
||||||
operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
|
operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_endpoint_groups,
|
deprecated_rule=deprecated_list_endpoint_groups),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_endpoint_group',
|
name=base.IDENTITY % 'get_endpoint_group',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -108,9 +125,7 @@ group_endpoint_policies = [
|
||||||
{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||||
'{endpoint_group_id}'),
|
'{endpoint_group_id}'),
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_get_endpoint_group,
|
deprecated_rule=deprecated_get_endpoint_group),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_endpoint_group',
|
name=base.IDENTITY % 'update_endpoint_group',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -119,9 +134,7 @@ group_endpoint_policies = [
|
||||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||||
'{endpoint_group_id}'),
|
'{endpoint_group_id}'),
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_endpoint_group,
|
deprecated_rule=deprecated_update_endpoint_group),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_endpoint_group',
|
name=base.IDENTITY % 'delete_endpoint_group',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -130,9 +143,7 @@ group_endpoint_policies = [
|
||||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||||
'{endpoint_group_id}'),
|
'{endpoint_group_id}'),
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_endpoint_group,
|
deprecated_rule=deprecated_delete_endpoint_group),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
|
name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -142,9 +153,7 @@ group_endpoint_policies = [
|
||||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||||
'{endpoint_group_id}/projects'),
|
'{endpoint_group_id}/projects'),
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group,
|
deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
|
name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -153,9 +162,7 @@ group_endpoint_policies = [
|
||||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||||
'{endpoint_group_id}/endpoints'),
|
'{endpoint_group_id}/endpoints'),
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group,
|
deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_endpoint_group_in_project',
|
name=base.IDENTITY % 'get_endpoint_group_in_project',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -168,9 +175,7 @@ group_endpoint_policies = [
|
||||||
{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||||
'{endpoint_group_id}/projects/{project_id}'),
|
'{endpoint_group_id}/projects/{project_id}'),
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_get_endpoint_group_in_project,
|
deprecated_rule=deprecated_get_endpoint_group_in_project),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_endpoint_groups_for_project',
|
name=base.IDENTITY % 'list_endpoint_groups_for_project',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -179,9 +184,7 @@ group_endpoint_policies = [
|
||||||
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
||||||
'endpoint_groups'),
|
'endpoint_groups'),
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_endpoint_groups_for_project,
|
deprecated_rule=deprecated_list_endpoint_groups_for_project),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'add_endpoint_group_to_project',
|
name=base.IDENTITY % 'add_endpoint_group_to_project',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -190,9 +193,7 @@ group_endpoint_policies = [
|
||||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||||
'{endpoint_group_id}/projects/{project_id}'),
|
'{endpoint_group_id}/projects/{project_id}'),
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_add_endpoint_group_to_project,
|
deprecated_rule=deprecated_add_endpoint_group_to_project),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'remove_endpoint_group_from_project',
|
name=base.IDENTITY % 'remove_endpoint_group_from_project',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -201,9 +202,7 @@ group_endpoint_policies = [
|
||||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||||
'{endpoint_group_id}/projects/{project_id}'),
|
'{endpoint_group_id}/projects/{project_id}'),
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_remove_endpoint_group_from_project,
|
deprecated_rule=deprecated_remove_endpoint_group_from_project)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -66,55 +66,80 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
|
||||||
'(' + DOMAIN_MATCHES_ROLE + ')'
|
'(' + DOMAIN_MATCHES_ROLE + ')'
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_check_system_grant_for_user = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'check_system_grant_for_user',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_list_system_grants_for_user = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_system_grants_for_user',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_create_system_grant_for_user = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_system_grant_for_user',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_revoke_system_grant_for_user = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'revoke_system_grant_for_user',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_check_system_grant_for_group = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'check_system_grant_for_group',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_list_system_grants_for_group = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_system_grants_for_group',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_create_system_grant_for_group = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_system_grant_for_group',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_revoke_system_grant_for_group = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'revoke_system_grant_for_group',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_list_grants = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_check_grant = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_create_grant = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_revoke_grant = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
DEPRECATED_REASON = (
|
||||||
"The assignment API is now aware of system scope and default roles."
|
"The assignment API is now aware of system scope and default roles."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
deprecated_check_system_grant_for_user = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'check_system_grant_for_user',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_list_system_grants_for_user = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_system_grants_for_user',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_create_system_grant_for_user = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_system_grant_for_user',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_revoke_system_grant_for_user = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'revoke_system_grant_for_user',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_check_system_grant_for_group = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'check_system_grant_for_group',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_list_system_grants_for_group = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_system_grants_for_group',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_create_system_grant_for_group = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_system_grant_for_group',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_revoke_system_grant_for_group = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'revoke_system_grant_for_group',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_list_grants = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_check_grant = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_create_grant = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_revoke_grant = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
resource_paths = [
|
resource_paths = [
|
||||||
'/projects/{project_id}/users/{user_id}/roles/{role_id}',
|
'/projects/{project_id}/users/{user_id}/roles/{role_id}',
|
||||||
'/projects/{project_id}/groups/{group_id}/roles/{role_id}',
|
'/projects/{project_id}/groups/{group_id}/roles/{role_id}',
|
||||||
|
|
@ -167,9 +192,7 @@ grant_policies = [
|
||||||
'are inherited to all projects in the subtree, if '
|
'are inherited to all projects in the subtree, if '
|
||||||
'applicable.'),
|
'applicable.'),
|
||||||
operations=list_operations(resource_paths, ['HEAD', 'GET']),
|
operations=list_operations(resource_paths, ['HEAD', 'GET']),
|
||||||
deprecated_rule=deprecated_check_grant,
|
deprecated_rule=deprecated_check_grant),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_grants',
|
name=base.IDENTITY % 'list_grants',
|
||||||
check_str=SYSTEM_READER_OR_DOMAIN_READER_LIST,
|
check_str=SYSTEM_READER_OR_DOMAIN_READER_LIST,
|
||||||
|
|
@ -181,9 +204,7 @@ grant_policies = [
|
||||||
'domains, where grants are inherited to all projects '
|
'domains, where grants are inherited to all projects '
|
||||||
'in the specified domain.'),
|
'in the specified domain.'),
|
||||||
operations=list_grants_operations,
|
operations=list_grants_operations,
|
||||||
deprecated_rule=deprecated_list_grants,
|
deprecated_rule=deprecated_list_grants),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_grant',
|
name=base.IDENTITY % 'create_grant',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
||||||
|
|
@ -195,9 +216,7 @@ grant_policies = [
|
||||||
'are inherited to all projects in the subtree, if '
|
'are inherited to all projects in the subtree, if '
|
||||||
'applicable.'),
|
'applicable.'),
|
||||||
operations=list_operations(resource_paths, ['PUT']),
|
operations=list_operations(resource_paths, ['PUT']),
|
||||||
deprecated_rule=deprecated_create_grant,
|
deprecated_rule=deprecated_create_grant),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'revoke_grant',
|
name=base.IDENTITY % 'revoke_grant',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
||||||
|
|
@ -211,9 +230,7 @@ grant_policies = [
|
||||||
'the target would remove the logical effect of '
|
'the target would remove the logical effect of '
|
||||||
'inheriting it to the target\'s projects subtree.'),
|
'inheriting it to the target\'s projects subtree.'),
|
||||||
operations=list_operations(resource_paths, ['DELETE']),
|
operations=list_operations(resource_paths, ['DELETE']),
|
||||||
deprecated_rule=deprecated_revoke_grant,
|
deprecated_rule=deprecated_revoke_grant),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_system_grants_for_user',
|
name=base.IDENTITY % 'list_system_grants_for_user',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -226,8 +243,6 @@ grant_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_list_system_grants_for_user,
|
deprecated_rule=deprecated_list_system_grants_for_user,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'check_system_grant_for_user',
|
name=base.IDENTITY % 'check_system_grant_for_user',
|
||||||
|
|
@ -241,8 +256,6 @@ grant_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_check_system_grant_for_user,
|
deprecated_rule=deprecated_check_system_grant_for_user,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_system_grant_for_user',
|
name=base.IDENTITY % 'create_system_grant_for_user',
|
||||||
|
|
@ -256,8 +269,6 @@ grant_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_create_system_grant_for_user,
|
deprecated_rule=deprecated_create_system_grant_for_user,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'revoke_system_grant_for_user',
|
name=base.IDENTITY % 'revoke_system_grant_for_user',
|
||||||
|
|
@ -271,8 +282,6 @@ grant_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_revoke_system_grant_for_user,
|
deprecated_rule=deprecated_revoke_system_grant_for_user,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_system_grants_for_group',
|
name=base.IDENTITY % 'list_system_grants_for_group',
|
||||||
|
|
@ -286,8 +295,6 @@ grant_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_list_system_grants_for_group,
|
deprecated_rule=deprecated_list_system_grants_for_group,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'check_system_grant_for_group',
|
name=base.IDENTITY % 'check_system_grant_for_group',
|
||||||
|
|
@ -301,8 +308,6 @@ grant_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_check_system_grant_for_group,
|
deprecated_rule=deprecated_check_system_grant_for_group,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_system_grant_for_group',
|
name=base.IDENTITY % 'create_system_grant_for_group',
|
||||||
|
|
@ -316,8 +321,6 @@ grant_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_create_system_grant_for_group,
|
deprecated_rule=deprecated_create_system_grant_for_group,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'revoke_system_grant_for_group',
|
name=base.IDENTITY % 'revoke_system_grant_for_group',
|
||||||
|
|
@ -331,8 +334,6 @@ grant_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_revoke_system_grant_for_group,
|
deprecated_rule=deprecated_revoke_system_grant_for_group,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
)
|
)
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -51,43 +51,63 @@ DEPRECATED_REASON = (
|
||||||
|
|
||||||
deprecated_get_group = policy.DeprecatedRule(
|
deprecated_get_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_group',
|
name=base.IDENTITY % 'get_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_list_groups = policy.DeprecatedRule(
|
deprecated_list_groups = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_groups',
|
name=base.IDENTITY % 'list_groups',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_list_groups_for_user = policy.DeprecatedRule(
|
deprecated_list_groups_for_user = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_groups_for_user',
|
name=base.IDENTITY % 'list_groups_for_user',
|
||||||
check_str=base.RULE_ADMIN_OR_OWNER
|
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_list_users_in_group = policy.DeprecatedRule(
|
deprecated_list_users_in_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_users_in_group',
|
name=base.IDENTITY % 'list_users_in_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_check_user_in_group = policy.DeprecatedRule(
|
deprecated_check_user_in_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'check_user_in_group',
|
name=base.IDENTITY % 'check_user_in_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_create_group = policy.DeprecatedRule(
|
deprecated_create_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'create_group',
|
name=base.IDENTITY % 'create_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_update_group = policy.DeprecatedRule(
|
deprecated_update_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'update_group',
|
name=base.IDENTITY % 'update_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_delete_group = policy.DeprecatedRule(
|
deprecated_delete_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'delete_group',
|
name=base.IDENTITY % 'delete_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_remove_user_from_group = policy.DeprecatedRule(
|
deprecated_remove_user_from_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'remove_user_from_group',
|
name=base.IDENTITY % 'remove_user_from_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_add_user_to_group = policy.DeprecatedRule(
|
deprecated_add_user_to_group = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'add_user_to_group',
|
name=base.IDENTITY % 'add_user_to_group',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
|
|
||||||
group_policies = [
|
group_policies = [
|
||||||
|
|
@ -100,9 +120,7 @@ group_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/groups/{group_id}',
|
{'path': '/v3/groups/{group_id}',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_get_group,
|
deprecated_rule=deprecated_get_group),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_groups',
|
name=base.IDENTITY % 'list_groups',
|
||||||
check_str=SYSTEM_READER_OR_DOMAIN_READER,
|
check_str=SYSTEM_READER_OR_DOMAIN_READER,
|
||||||
|
|
@ -112,9 +130,7 @@ group_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/groups',
|
{'path': '/v3/groups',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_groups,
|
deprecated_rule=deprecated_list_groups),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_groups_for_user',
|
name=base.IDENTITY % 'list_groups_for_user',
|
||||||
check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER,
|
check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER,
|
||||||
|
|
@ -124,9 +140,7 @@ group_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/users/{user_id}/groups',
|
{'path': '/v3/users/{user_id}/groups',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_groups_for_user,
|
deprecated_rule=deprecated_list_groups_for_user),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_group',
|
name=base.IDENTITY % 'create_group',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
||||||
|
|
@ -134,9 +148,7 @@ group_policies = [
|
||||||
description='Create group.',
|
description='Create group.',
|
||||||
operations=[{'path': '/v3/groups',
|
operations=[{'path': '/v3/groups',
|
||||||
'method': 'POST'}],
|
'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_create_group,
|
deprecated_rule=deprecated_create_group),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_group',
|
name=base.IDENTITY % 'update_group',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
||||||
|
|
@ -144,9 +156,7 @@ group_policies = [
|
||||||
description='Update group.',
|
description='Update group.',
|
||||||
operations=[{'path': '/v3/groups/{group_id}',
|
operations=[{'path': '/v3/groups/{group_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_group,
|
deprecated_rule=deprecated_update_group),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_group',
|
name=base.IDENTITY % 'delete_group',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
||||||
|
|
@ -154,9 +164,7 @@ group_policies = [
|
||||||
description='Delete group.',
|
description='Delete group.',
|
||||||
operations=[{'path': '/v3/groups/{group_id}',
|
operations=[{'path': '/v3/groups/{group_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_group,
|
deprecated_rule=deprecated_delete_group),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_users_in_group',
|
name=base.IDENTITY % 'list_users_in_group',
|
||||||
check_str=SYSTEM_READER_OR_DOMAIN_READER,
|
check_str=SYSTEM_READER_OR_DOMAIN_READER,
|
||||||
|
|
@ -166,9 +174,7 @@ group_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/groups/{group_id}/users',
|
{'path': '/v3/groups/{group_id}/users',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_users_in_group,
|
deprecated_rule=deprecated_list_users_in_group),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'remove_user_from_group',
|
name=base.IDENTITY % 'remove_user_from_group',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
|
||||||
|
|
@ -176,9 +182,7 @@ group_policies = [
|
||||||
description='Remove user from group.',
|
description='Remove user from group.',
|
||||||
operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
|
operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_remove_user_from_group,
|
deprecated_rule=deprecated_remove_user_from_group),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'check_user_in_group',
|
name=base.IDENTITY % 'check_user_in_group',
|
||||||
check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER,
|
check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER,
|
||||||
|
|
@ -188,9 +192,7 @@ group_policies = [
|
||||||
'method': 'HEAD'},
|
'method': 'HEAD'},
|
||||||
{'path': '/v3/groups/{group_id}/users/{user_id}',
|
{'path': '/v3/groups/{group_id}/users/{user_id}',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_check_user_in_group,
|
deprecated_rule=deprecated_check_user_in_group),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'add_user_to_group',
|
name=base.IDENTITY % 'add_user_to_group',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
|
||||||
|
|
@ -198,9 +200,7 @@ group_policies = [
|
||||||
description='Add user to group.',
|
description='Add user to group.',
|
||||||
operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
|
operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_add_user_to_group,
|
deprecated_rule=deprecated_add_user_to_group)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,31 +15,42 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
deprecated_get_idp = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'get_identity_providers',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_list_idp = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_identity_providers',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_update_idp = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'update_identity_providers',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_create_idp = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_identity_providers',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_delete_idp = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'delete_identity_providers',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
DEPRECATED_REASON = (
|
||||||
"The identity provider API is now aware of system scope and default roles."
|
"The identity provider API is now aware of system scope and default roles."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
deprecated_get_idp = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'get_identity_providers',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_list_idp = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_identity_providers',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_update_idp = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'update_identity_providers',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_create_idp = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_identity_providers',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_delete_idp = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_identity_providers',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
identity_provider_policies = [
|
identity_provider_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_identity_provider',
|
name=base.IDENTITY % 'create_identity_provider',
|
||||||
|
|
@ -54,9 +65,7 @@ identity_provider_policies = [
|
||||||
description='Create identity provider.',
|
description='Create identity provider.',
|
||||||
operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
|
operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_create_idp,
|
deprecated_rule=deprecated_create_idp),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_identity_providers',
|
name=base.IDENTITY % 'list_identity_providers',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -73,8 +82,6 @@ identity_provider_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_list_idp,
|
deprecated_rule=deprecated_list_idp,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_identity_provider',
|
name=base.IDENTITY % 'get_identity_provider',
|
||||||
|
|
@ -92,8 +99,6 @@ identity_provider_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_get_idp,
|
deprecated_rule=deprecated_get_idp,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_identity_provider',
|
name=base.IDENTITY % 'update_identity_provider',
|
||||||
|
|
@ -102,9 +107,7 @@ identity_provider_policies = [
|
||||||
description='Update identity provider.',
|
description='Update identity provider.',
|
||||||
operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
|
operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_idp,
|
deprecated_rule=deprecated_update_idp),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_identity_provider',
|
name=base.IDENTITY % 'delete_identity_provider',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -112,9 +115,7 @@ identity_provider_policies = [
|
||||||
description='Delete identity provider.',
|
description='Delete identity provider.',
|
||||||
operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
|
operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_idp,
|
deprecated_rule=deprecated_delete_idp),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,33 +15,45 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
DEPRECATED_REASON = (
|
||||||
|
"The implied role API is now aware of system scope and default roles."
|
||||||
|
)
|
||||||
|
|
||||||
deprecated_get_implied_role = policy.DeprecatedRule(
|
deprecated_get_implied_role = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_implied_role',
|
name=base.IDENTITY % 'get_implied_role',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
deprecated_list_implied_roles = policy.DeprecatedRule(
|
deprecated_list_implied_roles = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_implied_roles',
|
name=base.IDENTITY % 'list_implied_roles',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
deprecated_list_role_inference_rules = policy.DeprecatedRule(
|
deprecated_list_role_inference_rules = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_role_inference_rules',
|
name=base.IDENTITY % 'list_role_inference_rules',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
deprecated_check_implied_role = policy.DeprecatedRule(
|
deprecated_check_implied_role = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'check_implied_role',
|
name=base.IDENTITY % 'check_implied_role',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
deprecated_create_implied_role = policy.DeprecatedRule(
|
deprecated_create_implied_role = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'create_implied_role',
|
name=base.IDENTITY % 'create_implied_role',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
deprecated_delete_implied_role = policy.DeprecatedRule(
|
deprecated_delete_implied_role = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'delete_implied_role',
|
name=base.IDENTITY % 'delete_implied_role',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
)
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
DEPRECATED_REASON = (
|
|
||||||
"The implied role API is now aware of system scope and default roles."
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -61,9 +73,7 @@ implied_role_policies = [
|
||||||
operations=[
|
operations=[
|
||||||
{'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
|
{'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_get_implied_role,
|
deprecated_rule=deprecated_get_implied_role),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_implied_roles',
|
name=base.IDENTITY % 'list_implied_roles',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -77,9 +87,7 @@ implied_role_policies = [
|
||||||
operations=[
|
operations=[
|
||||||
{'path': '/v3/roles/{prior_role_id}/implies', 'method': 'GET'},
|
{'path': '/v3/roles/{prior_role_id}/implies', 'method': 'GET'},
|
||||||
{'path': '/v3/roles/{prior_role_id}/implies', 'method': 'HEAD'}],
|
{'path': '/v3/roles/{prior_role_id}/implies', 'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_implied_roles,
|
deprecated_rule=deprecated_list_implied_roles),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_implied_role',
|
name=base.IDENTITY % 'create_implied_role',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -91,9 +99,7 @@ implied_role_policies = [
|
||||||
operations=[
|
operations=[
|
||||||
{'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
|
{'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_create_implied_role,
|
deprecated_rule=deprecated_create_implied_role),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_implied_role',
|
name=base.IDENTITY % 'delete_implied_role',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -106,9 +112,7 @@ implied_role_policies = [
|
||||||
operations=[
|
operations=[
|
||||||
{'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
|
{'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_implied_role,
|
deprecated_rule=deprecated_delete_implied_role),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_role_inference_rules',
|
name=base.IDENTITY % 'list_role_inference_rules',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -120,9 +124,7 @@ implied_role_policies = [
|
||||||
operations=[
|
operations=[
|
||||||
{'path': '/v3/role_inferences', 'method': 'GET'},
|
{'path': '/v3/role_inferences', 'method': 'GET'},
|
||||||
{'path': '/v3/role_inferences', 'method': 'HEAD'}],
|
{'path': '/v3/role_inferences', 'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_role_inference_rules,
|
deprecated_rule=deprecated_list_role_inference_rules),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'check_implied_role',
|
name=base.IDENTITY % 'check_implied_role',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -134,9 +136,7 @@ implied_role_policies = [
|
||||||
operations=[
|
operations=[
|
||||||
{'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
|
{'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_check_implied_role,
|
deprecated_rule=deprecated_check_implied_role),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,31 +15,42 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
deprecated_get_mapping = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'get_mapping',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_list_mappings = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_mappings',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_update_mapping = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'update_mapping',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_create_mapping = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_mapping',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_delete_mapping = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'delete_mapping',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
DEPRECATED_REASON = (
|
||||||
"The federated mapping API is now aware of system scope and default roles."
|
"The federated mapping API is now aware of system scope and default roles."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
deprecated_get_mapping = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'get_mapping',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_list_mappings = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_mappings',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_update_mapping = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'update_mapping',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_create_mapping = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_mapping',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_delete_mapping = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_mapping',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
mapping_policies = [
|
mapping_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_mapping',
|
name=base.IDENTITY % 'create_mapping',
|
||||||
|
|
@ -55,9 +66,7 @@ mapping_policies = [
|
||||||
'more sets of rules.'),
|
'more sets of rules.'),
|
||||||
operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
|
operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_create_mapping,
|
deprecated_rule=deprecated_create_mapping),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_mapping',
|
name=base.IDENTITY % 'get_mapping',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -73,9 +82,7 @@ mapping_policies = [
|
||||||
'method': 'HEAD'
|
'method': 'HEAD'
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_get_mapping,
|
deprecated_rule=deprecated_get_mapping
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_mappings',
|
name=base.IDENTITY % 'list_mappings',
|
||||||
|
|
@ -93,8 +100,6 @@ mapping_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_list_mappings,
|
deprecated_rule=deprecated_list_mappings,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_mapping',
|
name=base.IDENTITY % 'delete_mapping',
|
||||||
|
|
@ -103,9 +108,7 @@ mapping_policies = [
|
||||||
description='Delete a federated mapping.',
|
description='Delete a federated mapping.',
|
||||||
operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
|
operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_mapping,
|
deprecated_rule=deprecated_delete_mapping),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_mapping',
|
name=base.IDENTITY % 'update_mapping',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -113,9 +116,7 @@ mapping_policies = [
|
||||||
description='Update a federated mapping.',
|
description='Update a federated mapping.',
|
||||||
operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
|
operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_mapping,
|
deprecated_rule=deprecated_update_mapping)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,33 +15,43 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
DEPRECATED_REASON = (
|
||||||
|
"The policy API is now aware of system scope and default roles."
|
||||||
|
)
|
||||||
|
|
||||||
deprecated_get_policy = policy.DeprecatedRule(
|
deprecated_get_policy = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_policy',
|
name=base.IDENTITY % 'get_policy',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_list_policies = policy.DeprecatedRule(
|
deprecated_list_policies = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_policies',
|
name=base.IDENTITY % 'list_policies',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_update_policy = policy.DeprecatedRule(
|
deprecated_update_policy = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'update_policy',
|
name=base.IDENTITY % 'update_policy',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_create_policy = policy.DeprecatedRule(
|
deprecated_create_policy = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'create_policy',
|
name=base.IDENTITY % 'create_policy',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_delete_policy = policy.DeprecatedRule(
|
deprecated_delete_policy = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'delete_policy',
|
name=base.IDENTITY % 'delete_policy',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
)
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
DEPRECATED_REASON = (
|
|
||||||
"The policy API is now aware of system scope and default roles."
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -55,9 +65,7 @@ policy_policies = [
|
||||||
description='Show policy details.',
|
description='Show policy details.',
|
||||||
operations=[{'path': '/v3/policies/{policy_id}',
|
operations=[{'path': '/v3/policies/{policy_id}',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_get_policy,
|
deprecated_rule=deprecated_get_policy),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_policies',
|
name=base.IDENTITY % 'list_policies',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -65,9 +73,7 @@ policy_policies = [
|
||||||
description='List policies.',
|
description='List policies.',
|
||||||
operations=[{'path': '/v3/policies',
|
operations=[{'path': '/v3/policies',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_policies,
|
deprecated_rule=deprecated_list_policies),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_policy',
|
name=base.IDENTITY % 'create_policy',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -75,9 +81,7 @@ policy_policies = [
|
||||||
description='Create policy.',
|
description='Create policy.',
|
||||||
operations=[{'path': '/v3/policies',
|
operations=[{'path': '/v3/policies',
|
||||||
'method': 'POST'}],
|
'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_create_policy,
|
deprecated_rule=deprecated_create_policy),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_policy',
|
name=base.IDENTITY % 'update_policy',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -85,9 +89,7 @@ policy_policies = [
|
||||||
description='Update policy.',
|
description='Update policy.',
|
||||||
operations=[{'path': '/v3/policies/{policy_id}',
|
operations=[{'path': '/v3/policies/{policy_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_policy,
|
deprecated_rule=deprecated_update_policy),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_policy',
|
name=base.IDENTITY % 'delete_policy',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -95,9 +97,7 @@ policy_policies = [
|
||||||
description='Delete policy.',
|
description='Delete policy.',
|
||||||
operations=[{'path': '/v3/policies/{policy_id}',
|
operations=[{'path': '/v3/policies/{policy_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_policy,
|
deprecated_rule=deprecated_delete_policy)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -19,65 +19,88 @@ from keystone.common.policies import base
|
||||||
# System-scoped tokens should be required to manage policy associations to
|
# System-scoped tokens should be required to manage policy associations to
|
||||||
# existing system-level resources.
|
# existing system-level resources.
|
||||||
|
|
||||||
|
DEPRECATED_REASON = (
|
||||||
|
"The policy association API is now aware of system scope and default "
|
||||||
|
"roles."
|
||||||
|
)
|
||||||
|
|
||||||
deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule(
|
deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'check_policy_association_for_endpoint',
|
name=base.IDENTITY % 'check_policy_association_for_endpoint',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_check_policy_assoc_for_service = policy.DeprecatedRule(
|
deprecated_check_policy_assoc_for_service = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'check_policy_association_for_service',
|
name=base.IDENTITY % 'check_policy_association_for_service',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule(
|
deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'check_policy_association_for_region_and_service',
|
name=base.IDENTITY % 'check_policy_association_for_region_and_service',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_get_policy_for_endpoint = policy.DeprecatedRule(
|
deprecated_get_policy_for_endpoint = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_policy_for_endpoint',
|
name=base.IDENTITY % 'get_policy_for_endpoint',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_list_endpoints_for_policy = policy.DeprecatedRule(
|
deprecated_list_endpoints_for_policy = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_endpoints_for_policy',
|
name=base.IDENTITY % 'list_endpoints_for_policy',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule(
|
deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'create_policy_association_for_endpoint',
|
name=base.IDENTITY % 'create_policy_association_for_endpoint',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule(
|
deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'delete_policy_association_for_endpoint',
|
name=base.IDENTITY % 'delete_policy_association_for_endpoint',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_create_policy_assoc_for_service = policy.DeprecatedRule(
|
deprecated_create_policy_assoc_for_service = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'create_policy_association_for_service',
|
name=base.IDENTITY % 'create_policy_association_for_service',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule(
|
deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'delete_policy_association_for_service',
|
name=base.IDENTITY % 'delete_policy_association_for_service',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule(
|
deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'create_policy_association_for_region_and_service',
|
name=base.IDENTITY % 'create_policy_association_for_region_and_service',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule(
|
deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'delete_policy_association_for_region_and_service',
|
name=base.IDENTITY % 'delete_policy_association_for_region_and_service',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
|
||||||
"The policy association API is now aware of system scope and default "
|
|
||||||
"roles."
|
|
||||||
)
|
|
||||||
|
|
||||||
policy_association_policies = [
|
policy_association_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
|
|
@ -88,9 +111,7 @@ policy_association_policies = [
|
||||||
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
||||||
'endpoints/{endpoint_id}'),
|
'endpoints/{endpoint_id}'),
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_create_policy_assoc_for_endpoint,
|
deprecated_rule=deprecated_create_policy_assoc_for_endpoint),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'check_policy_association_for_endpoint',
|
name=base.IDENTITY % 'check_policy_association_for_endpoint',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -102,9 +123,7 @@ policy_association_policies = [
|
||||||
{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
||||||
'endpoints/{endpoint_id}'),
|
'endpoints/{endpoint_id}'),
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_check_policy_assoc_for_endpoint,
|
deprecated_rule=deprecated_check_policy_assoc_for_endpoint),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_policy_association_for_endpoint',
|
name=base.IDENTITY % 'delete_policy_association_for_endpoint',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -113,9 +132,7 @@ policy_association_policies = [
|
||||||
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
||||||
'endpoints/{endpoint_id}'),
|
'endpoints/{endpoint_id}'),
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_policy_assoc_for_endpoint,
|
deprecated_rule=deprecated_delete_policy_assoc_for_endpoint),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_policy_association_for_service',
|
name=base.IDENTITY % 'create_policy_association_for_service',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -124,9 +141,7 @@ policy_association_policies = [
|
||||||
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
||||||
'services/{service_id}'),
|
'services/{service_id}'),
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_create_policy_assoc_for_service,
|
deprecated_rule=deprecated_create_policy_assoc_for_service),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'check_policy_association_for_service',
|
name=base.IDENTITY % 'check_policy_association_for_service',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -138,9 +153,7 @@ policy_association_policies = [
|
||||||
{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
||||||
'services/{service_id}'),
|
'services/{service_id}'),
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_check_policy_assoc_for_service,
|
deprecated_rule=deprecated_check_policy_assoc_for_service),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_policy_association_for_service',
|
name=base.IDENTITY % 'delete_policy_association_for_service',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -149,9 +162,7 @@ policy_association_policies = [
|
||||||
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
||||||
'services/{service_id}'),
|
'services/{service_id}'),
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_policy_assoc_for_service,
|
deprecated_rule=deprecated_delete_policy_assoc_for_service),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % (
|
name=base.IDENTITY % (
|
||||||
'create_policy_association_for_region_and_service'),
|
'create_policy_association_for_region_and_service'),
|
||||||
|
|
@ -162,9 +173,7 @@ policy_association_policies = [
|
||||||
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
||||||
'services/{service_id}/regions/{region_id}'),
|
'services/{service_id}/regions/{region_id}'),
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_create_policy_assoc_for_region_and_service,
|
deprecated_rule=deprecated_create_policy_assoc_for_region_and_service),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'check_policy_association_for_region_and_service',
|
name=base.IDENTITY % 'check_policy_association_for_region_and_service',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -176,9 +185,7 @@ policy_association_policies = [
|
||||||
{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
||||||
'services/{service_id}/regions/{region_id}'),
|
'services/{service_id}/regions/{region_id}'),
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_check_policy_assoc_for_region_and_service,
|
deprecated_rule=deprecated_check_policy_assoc_for_region_and_service),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % (
|
name=base.IDENTITY % (
|
||||||
'delete_policy_association_for_region_and_service'),
|
'delete_policy_association_for_region_and_service'),
|
||||||
|
|
@ -188,9 +195,7 @@ policy_association_policies = [
|
||||||
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
||||||
'services/{service_id}/regions/{region_id}'),
|
'services/{service_id}/regions/{region_id}'),
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service,
|
deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_policy_for_endpoint',
|
name=base.IDENTITY % 'get_policy_for_endpoint',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -202,9 +207,7 @@ policy_association_policies = [
|
||||||
{'path': ('/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/'
|
{'path': ('/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/'
|
||||||
'policy'),
|
'policy'),
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_get_policy_for_endpoint,
|
deprecated_rule=deprecated_get_policy_for_endpoint),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_endpoints_for_policy',
|
name=base.IDENTITY % 'list_endpoints_for_policy',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -213,9 +216,7 @@ policy_association_policies = [
|
||||||
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
|
||||||
'endpoints'),
|
'endpoints'),
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_endpoints_for_policy,
|
deprecated_rule=deprecated_list_endpoints_for_policy)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -52,60 +52,84 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
|
||||||
'(role:admin and domain_id:%(target.project.domain_id)s)'
|
'(role:admin and domain_id:%(target.project.domain_id)s)'
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_list_projects = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_projects',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_get_project = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'get_project',
|
|
||||||
check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
|
|
||||||
)
|
|
||||||
deprecated_list_user_projects = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_user_projects',
|
|
||||||
check_str=base.RULE_ADMIN_OR_OWNER
|
|
||||||
)
|
|
||||||
deprecated_create_project = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_project',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_update_project = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'update_project',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_delete_project = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'delete_project',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_list_project_tags = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_project_tags',
|
|
||||||
check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
|
|
||||||
)
|
|
||||||
deprecated_get_project_tag = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'get_project_tag',
|
|
||||||
check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
|
|
||||||
)
|
|
||||||
deprecated_update_project_tag = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'update_project_tags',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_create_project_tag = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_project_tag',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_delete_project_tag = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'delete_project_tag',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_delete_project_tags = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'delete_project_tags',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
DEPRECATED_REASON = (
|
||||||
"The project API is now aware of system scope and default roles."
|
"The project API is now aware of system scope and default roles."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
deprecated_list_projects = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_projects',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_get_project = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'get_project',
|
||||||
|
check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_list_user_projects = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_user_projects',
|
||||||
|
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_create_project = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_update_project = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'update_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_delete_project = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_list_project_tags = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_project_tags',
|
||||||
|
check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_get_project_tag = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'get_project_tag',
|
||||||
|
check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_update_project_tag = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'update_project_tags',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_create_project_tag = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_project_tag',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_delete_project_tag = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_project_tag',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_delete_project_tags = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_project_tags',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
TAGS_DEPRECATED_REASON = """
|
TAGS_DEPRECATED_REASON = """
|
||||||
As of the Train release, the project tags API understands how to handle
|
As of the Train release, the project tags API understands how to handle
|
||||||
system-scoped tokens in addition to project and domain tokens, making the API
|
system-scoped tokens in addition to project and domain tokens, making the API
|
||||||
|
|
@ -122,9 +146,7 @@ project_policies = [
|
||||||
description='Show project details.',
|
description='Show project details.',
|
||||||
operations=[{'path': '/v3/projects/{project_id}',
|
operations=[{'path': '/v3/projects/{project_id}',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_get_project,
|
deprecated_rule=deprecated_get_project),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_projects',
|
name=base.IDENTITY % 'list_projects',
|
||||||
check_str=SYSTEM_READER_OR_DOMAIN_READER,
|
check_str=SYSTEM_READER_OR_DOMAIN_READER,
|
||||||
|
|
@ -136,9 +158,7 @@ project_policies = [
|
||||||
description='List projects.',
|
description='List projects.',
|
||||||
operations=[{'path': '/v3/projects',
|
operations=[{'path': '/v3/projects',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_projects,
|
deprecated_rule=deprecated_list_projects),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_user_projects',
|
name=base.IDENTITY % 'list_user_projects',
|
||||||
check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER,
|
check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER,
|
||||||
|
|
@ -146,9 +166,7 @@ project_policies = [
|
||||||
description='List projects for user.',
|
description='List projects for user.',
|
||||||
operations=[{'path': '/v3/users/{user_id}/projects',
|
operations=[{'path': '/v3/users/{user_id}/projects',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_user_projects,
|
deprecated_rule=deprecated_list_user_projects),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_project',
|
name=base.IDENTITY % 'create_project',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
||||||
|
|
@ -156,9 +174,7 @@ project_policies = [
|
||||||
description='Create project.',
|
description='Create project.',
|
||||||
operations=[{'path': '/v3/projects',
|
operations=[{'path': '/v3/projects',
|
||||||
'method': 'POST'}],
|
'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_create_project,
|
deprecated_rule=deprecated_create_project),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_project',
|
name=base.IDENTITY % 'update_project',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
||||||
|
|
@ -166,9 +182,7 @@ project_policies = [
|
||||||
description='Update project.',
|
description='Update project.',
|
||||||
operations=[{'path': '/v3/projects/{project_id}',
|
operations=[{'path': '/v3/projects/{project_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_project,
|
deprecated_rule=deprecated_update_project),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_project',
|
name=base.IDENTITY % 'delete_project',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
||||||
|
|
@ -176,9 +190,7 @@ project_policies = [
|
||||||
description='Delete project.',
|
description='Delete project.',
|
||||||
operations=[{'path': '/v3/projects/{project_id}',
|
operations=[{'path': '/v3/projects/{project_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_project,
|
deprecated_rule=deprecated_delete_project),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_project_tags',
|
name=base.IDENTITY % 'list_project_tags',
|
||||||
check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
|
check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
|
||||||
|
|
@ -188,9 +200,7 @@ project_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/projects/{project_id}/tags',
|
{'path': '/v3/projects/{project_id}/tags',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_project_tags,
|
deprecated_rule=deprecated_list_project_tags),
|
||||||
deprecated_reason=TAGS_DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_project_tag',
|
name=base.IDENTITY % 'get_project_tag',
|
||||||
check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
|
check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
|
||||||
|
|
@ -200,9 +210,7 @@ project_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/projects/{project_id}/tags/{value}',
|
{'path': '/v3/projects/{project_id}/tags/{value}',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_get_project_tag,
|
deprecated_rule=deprecated_get_project_tag),
|
||||||
deprecated_reason=TAGS_DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_project_tags',
|
name=base.IDENTITY % 'update_project_tags',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
|
||||||
|
|
@ -210,9 +218,7 @@ project_policies = [
|
||||||
description='Replace all tags on a project with the new set of tags.',
|
description='Replace all tags on a project with the new set of tags.',
|
||||||
operations=[{'path': '/v3/projects/{project_id}/tags',
|
operations=[{'path': '/v3/projects/{project_id}/tags',
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_update_project_tag,
|
deprecated_rule=deprecated_update_project_tag),
|
||||||
deprecated_reason=TAGS_DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_project_tag',
|
name=base.IDENTITY % 'create_project_tag',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
|
||||||
|
|
@ -220,9 +226,7 @@ project_policies = [
|
||||||
description='Add a single tag to a project.',
|
description='Add a single tag to a project.',
|
||||||
operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
|
operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_create_project_tag,
|
deprecated_rule=deprecated_create_project_tag),
|
||||||
deprecated_reason=TAGS_DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_project_tags',
|
name=base.IDENTITY % 'delete_project_tags',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
|
||||||
|
|
@ -230,9 +234,7 @@ project_policies = [
|
||||||
description='Remove all tags from a project.',
|
description='Remove all tags from a project.',
|
||||||
operations=[{'path': '/v3/projects/{project_id}/tags',
|
operations=[{'path': '/v3/projects/{project_id}/tags',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_project_tags,
|
deprecated_rule=deprecated_delete_project_tags),
|
||||||
deprecated_reason=TAGS_DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_project_tag',
|
name=base.IDENTITY % 'delete_project_tag',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
|
||||||
|
|
@ -240,9 +242,7 @@ project_policies = [
|
||||||
description='Delete a specified tag from project.',
|
description='Delete a specified tag from project.',
|
||||||
operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
|
operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_project_tag,
|
deprecated_rule=deprecated_delete_project_tag)
|
||||||
deprecated_reason=TAGS_DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,31 +15,6 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
deprecated_list_projects_for_endpoint = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_projects_for_endpoint',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
|
||||||
)
|
|
||||||
|
|
||||||
deprecated_add_endpoint_to_project = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'add_endpoint_to_project',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
|
||||||
)
|
|
||||||
|
|
||||||
deprecated_check_endpoint_in_project = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'check_endpoint_in_project',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
|
||||||
)
|
|
||||||
|
|
||||||
deprecated_list_endpoints_for_project = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_endpoints_for_project',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
|
||||||
)
|
|
||||||
|
|
||||||
deprecated_remove_endpoint_from_project = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'remove_endpoint_from_project',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
As of the Train release, the project endpoint API now understands default
|
As of the Train release, the project endpoint API now understands default
|
||||||
roles and system-scoped tokens, making the API more granular by default without
|
roles and system-scoped tokens, making the API more granular by default without
|
||||||
|
|
@ -48,6 +23,41 @@ automatically. Be sure to take these new defaults into consideration if you are
|
||||||
relying on overrides in your deployment for the project endpoint API.
|
relying on overrides in your deployment for the project endpoint API.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
deprecated_list_projects_for_endpoint = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_projects_for_endpoint',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
|
||||||
|
deprecated_add_endpoint_to_project = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'add_endpoint_to_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
|
||||||
|
deprecated_check_endpoint_in_project = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'check_endpoint_in_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
|
||||||
|
deprecated_list_endpoints_for_project = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_endpoints_for_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
|
||||||
|
deprecated_remove_endpoint_from_project = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'remove_endpoint_from_project',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
project_endpoint_policies = [
|
project_endpoint_policies = [
|
||||||
|
|
||||||
|
|
@ -63,9 +73,7 @@ project_endpoint_policies = [
|
||||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/'
|
operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/'
|
||||||
'projects'),
|
'projects'),
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_projects_for_endpoint,
|
deprecated_rule=deprecated_list_projects_for_endpoint),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'add_endpoint_to_project',
|
name=base.IDENTITY % 'add_endpoint_to_project',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -74,9 +82,7 @@ project_endpoint_policies = [
|
||||||
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
||||||
'endpoints/{endpoint_id}'),
|
'endpoints/{endpoint_id}'),
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_add_endpoint_to_project,
|
deprecated_rule=deprecated_add_endpoint_to_project),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'check_endpoint_in_project',
|
name=base.IDENTITY % 'check_endpoint_in_project',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -88,9 +94,7 @@ project_endpoint_policies = [
|
||||||
{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
||||||
'endpoints/{endpoint_id}'),
|
'endpoints/{endpoint_id}'),
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_check_endpoint_in_project,
|
deprecated_rule=deprecated_check_endpoint_in_project),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_endpoints_for_project',
|
name=base.IDENTITY % 'list_endpoints_for_project',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -99,9 +103,7 @@ project_endpoint_policies = [
|
||||||
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
||||||
'endpoints'),
|
'endpoints'),
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_endpoints_for_project,
|
deprecated_rule=deprecated_list_endpoints_for_project),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'remove_endpoint_from_project',
|
name=base.IDENTITY % 'remove_endpoint_from_project',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -111,9 +113,7 @@ project_endpoint_policies = [
|
||||||
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
||||||
'endpoints/{endpoint_id}'),
|
'endpoints/{endpoint_id}'),
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_remove_endpoint_from_project,
|
deprecated_rule=deprecated_remove_endpoint_from_project),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,32 +15,43 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
deprecated_get_protocol = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'get_protocol',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_list_protocols = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_protocols',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_update_protocol = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'update_protocol',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_create_protocol = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_protocol',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_delete_protocol = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'delete_protocol',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
DEPRECATED_REASON = (
|
||||||
"The federated protocol API is now aware of system scope and default "
|
"The federated protocol API is now aware of system scope and default "
|
||||||
"roles."
|
"roles."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
deprecated_get_protocol = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'get_protocol',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_list_protocols = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_protocols',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_update_protocol = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'update_protocol',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_create_protocol = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_protocol',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_delete_protocol = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_protocol',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
protocol_policies = [
|
protocol_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_protocol',
|
name=base.IDENTITY % 'create_protocol',
|
||||||
|
|
@ -53,9 +64,7 @@ protocol_policies = [
|
||||||
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
|
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
|
||||||
'protocols/{protocol_id}'),
|
'protocols/{protocol_id}'),
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_create_protocol,
|
deprecated_rule=deprecated_create_protocol),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_protocol',
|
name=base.IDENTITY % 'update_protocol',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -64,9 +73,7 @@ protocol_policies = [
|
||||||
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
|
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
|
||||||
'protocols/{protocol_id}'),
|
'protocols/{protocol_id}'),
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_protocol,
|
deprecated_rule=deprecated_update_protocol),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_protocol',
|
name=base.IDENTITY % 'get_protocol',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -75,9 +82,7 @@ protocol_policies = [
|
||||||
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
|
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
|
||||||
'protocols/{protocol_id}'),
|
'protocols/{protocol_id}'),
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_get_protocol,
|
deprecated_rule=deprecated_get_protocol),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_protocols',
|
name=base.IDENTITY % 'list_protocols',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -86,9 +91,7 @@ protocol_policies = [
|
||||||
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
|
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
|
||||||
'protocols'),
|
'protocols'),
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_protocols,
|
deprecated_rule=deprecated_list_protocols),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_protocol',
|
name=base.IDENTITY % 'delete_protocol',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -97,9 +100,7 @@ protocol_policies = [
|
||||||
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
|
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
|
||||||
'protocols/{protocol_id}'),
|
'protocols/{protocol_id}'),
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_protocol,
|
deprecated_rule=deprecated_delete_protocol)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,23 +15,30 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
deprecated_create_region = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_region',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_update_region = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'update_region',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_delete_region = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'delete_region',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
DEPRECATED_REASON = (
|
||||||
"The region API is now aware of system scope and default roles."
|
"The region API is now aware of system scope and default roles."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
deprecated_create_region = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_region',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_update_region = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'update_region',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_delete_region = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_region',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
region_policies = [
|
region_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_region',
|
name=base.IDENTITY % 'get_region',
|
||||||
|
|
@ -66,9 +73,7 @@ region_policies = [
|
||||||
'method': 'POST'},
|
'method': 'POST'},
|
||||||
{'path': '/v3/regions/{region_id}',
|
{'path': '/v3/regions/{region_id}',
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_create_region,
|
deprecated_rule=deprecated_create_region),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_region',
|
name=base.IDENTITY % 'update_region',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -76,9 +81,7 @@ region_policies = [
|
||||||
description='Update region.',
|
description='Update region.',
|
||||||
operations=[{'path': '/v3/regions/{region_id}',
|
operations=[{'path': '/v3/regions/{region_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_region,
|
deprecated_rule=deprecated_update_region),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_region',
|
name=base.IDENTITY % 'delete_region',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -86,9 +89,7 @@ region_policies = [
|
||||||
description='Delete region.',
|
description='Delete region.',
|
||||||
operations=[{'path': '/v3/regions/{region_id}',
|
operations=[{'path': '/v3/regions/{region_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_region,
|
deprecated_rule=deprecated_delete_region),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,51 +15,72 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
deprecated_get_role = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'get_role',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_list_role = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_roles',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_update_role = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'update_role',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_create_role = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_role',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_delete_role = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'delete_role',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_get_domain_role = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'get_domain_role',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_list_domain_roles = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_domain_roles',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_update_domain_role = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'update_domain_role',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_create_domain_role = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_domain_role',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_delete_domain_role = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'delete_domain_role',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
DEPRECATED_REASON = (
|
||||||
"The role API is now aware of system scope and default roles."
|
"The role API is now aware of system scope and default roles."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
deprecated_get_role = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'get_role',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_list_role = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_roles',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_update_role = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'update_role',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_create_role = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_role',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_delete_role = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_role',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_get_domain_role = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'get_domain_role',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_list_domain_roles = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_domain_roles',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_update_domain_role = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'update_domain_role',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_create_domain_role = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_domain_role',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
deprecated_delete_domain_role = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_domain_role',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
role_policies = [
|
role_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_role',
|
name=base.IDENTITY % 'get_role',
|
||||||
|
|
@ -75,9 +96,7 @@ role_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/roles/{role_id}',
|
{'path': '/v3/roles/{role_id}',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_get_role,
|
deprecated_rule=deprecated_get_role),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_roles',
|
name=base.IDENTITY % 'list_roles',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -87,9 +106,7 @@ role_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/roles',
|
{'path': '/v3/roles',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_role,
|
deprecated_rule=deprecated_list_role),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_role',
|
name=base.IDENTITY % 'create_role',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -97,9 +114,7 @@ role_policies = [
|
||||||
description='Create role.',
|
description='Create role.',
|
||||||
operations=[{'path': '/v3/roles',
|
operations=[{'path': '/v3/roles',
|
||||||
'method': 'POST'}],
|
'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_create_role,
|
deprecated_rule=deprecated_create_role),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_role',
|
name=base.IDENTITY % 'update_role',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -107,9 +122,7 @@ role_policies = [
|
||||||
description='Update role.',
|
description='Update role.',
|
||||||
operations=[{'path': '/v3/roles/{role_id}',
|
operations=[{'path': '/v3/roles/{role_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_role,
|
deprecated_rule=deprecated_update_role),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_role',
|
name=base.IDENTITY % 'delete_role',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -117,9 +130,7 @@ role_policies = [
|
||||||
description='Delete role.',
|
description='Delete role.',
|
||||||
operations=[{'path': '/v3/roles/{role_id}',
|
operations=[{'path': '/v3/roles/{role_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_role,
|
deprecated_rule=deprecated_delete_role),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_domain_role',
|
name=base.IDENTITY % 'get_domain_role',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -134,9 +145,7 @@ role_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/roles/{role_id}',
|
{'path': '/v3/roles/{role_id}',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_get_domain_role,
|
deprecated_rule=deprecated_get_domain_role),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_domain_roles',
|
name=base.IDENTITY % 'list_domain_roles',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -146,9 +155,7 @@ role_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/roles?domain_id={domain_id}',
|
{'path': '/v3/roles?domain_id={domain_id}',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_domain_roles,
|
deprecated_rule=deprecated_list_domain_roles),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_domain_role',
|
name=base.IDENTITY % 'create_domain_role',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -156,9 +163,7 @@ role_policies = [
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
operations=[{'path': '/v3/roles',
|
operations=[{'path': '/v3/roles',
|
||||||
'method': 'POST'}],
|
'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_create_domain_role,
|
deprecated_rule=deprecated_create_domain_role),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_domain_role',
|
name=base.IDENTITY % 'update_domain_role',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -166,9 +171,7 @@ role_policies = [
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
operations=[{'path': '/v3/roles/{role_id}',
|
operations=[{'path': '/v3/roles/{role_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_domain_role,
|
deprecated_rule=deprecated_update_domain_role),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_domain_role',
|
name=base.IDENTITY % 'delete_domain_role',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -176,9 +179,7 @@ role_policies = [
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
operations=[{'path': '/v3/roles/{role_id}',
|
operations=[{'path': '/v3/roles/{role_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_domain_role,
|
deprecated_rule=deprecated_delete_domain_role)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -25,19 +25,24 @@ SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN = (
|
||||||
'(role:admin and project_id:%(target.project.id)s)'
|
'(role:admin and project_id:%(target.project.id)s)'
|
||||||
)
|
)
|
||||||
|
|
||||||
deprecated_list_role_assignments = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_role_assignments',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_list_role_assignments_for_tree = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_role_assignments_for_tree',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
DEPRECATED_REASON = (
|
||||||
"The assignment API is now aware of system scope and default roles."
|
"The assignment API is now aware of system scope and default roles."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
deprecated_list_role_assignments = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_role_assignments',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_list_role_assignments_for_tree = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_role_assignments_for_tree',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
role_assignment_policies = [
|
role_assignment_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_role_assignments',
|
name=base.IDENTITY % 'list_role_assignments',
|
||||||
|
|
@ -48,9 +53,7 @@ role_assignment_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/role_assignments',
|
{'path': '/v3/role_assignments',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_role_assignments,
|
deprecated_rule=deprecated_list_role_assignments),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_role_assignments_for_tree',
|
name=base.IDENTITY % 'list_role_assignments_for_tree',
|
||||||
check_str=SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN,
|
check_str=SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN,
|
||||||
|
|
@ -61,9 +64,7 @@ role_assignment_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/role_assignments?include_subtree',
|
{'path': '/v3/role_assignments?include_subtree',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_role_assignments_for_tree,
|
deprecated_rule=deprecated_list_role_assignments_for_tree),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,31 +15,42 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
deprecated_get_service = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'get_service',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_list_service = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_services',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_update_service = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'update_service',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_create_service = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_service',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_delete_service = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'delete_service',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
DEPRECATED_REASON = (
|
||||||
"The service API is now aware of system scope and default roles."
|
"The service API is now aware of system scope and default roles."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
deprecated_get_service = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'get_service',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_list_service = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_services',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_update_service = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'update_service',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_create_service = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_service',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_delete_service = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_service',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
service_policies = [
|
service_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_service',
|
name=base.IDENTITY % 'get_service',
|
||||||
|
|
@ -48,9 +59,7 @@ service_policies = [
|
||||||
description='Show service details.',
|
description='Show service details.',
|
||||||
operations=[{'path': '/v3/services/{service_id}',
|
operations=[{'path': '/v3/services/{service_id}',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_get_service,
|
deprecated_rule=deprecated_get_service),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_services',
|
name=base.IDENTITY % 'list_services',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -58,9 +67,7 @@ service_policies = [
|
||||||
description='List services.',
|
description='List services.',
|
||||||
operations=[{'path': '/v3/services',
|
operations=[{'path': '/v3/services',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_list_service,
|
deprecated_rule=deprecated_list_service),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_service',
|
name=base.IDENTITY % 'create_service',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -68,9 +75,7 @@ service_policies = [
|
||||||
description='Create service.',
|
description='Create service.',
|
||||||
operations=[{'path': '/v3/services',
|
operations=[{'path': '/v3/services',
|
||||||
'method': 'POST'}],
|
'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_create_service,
|
deprecated_rule=deprecated_create_service),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_service',
|
name=base.IDENTITY % 'update_service',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -78,9 +83,7 @@ service_policies = [
|
||||||
description='Update service.',
|
description='Update service.',
|
||||||
operations=[{'path': '/v3/services/{service_id}',
|
operations=[{'path': '/v3/services/{service_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_service,
|
deprecated_rule=deprecated_update_service),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_service',
|
name=base.IDENTITY % 'delete_service',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -88,9 +91,7 @@ service_policies = [
|
||||||
description='Delete service.',
|
description='Delete service.',
|
||||||
operations=[{'path': '/v3/services/{service_id}',
|
operations=[{'path': '/v3/services/{service_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_service,
|
deprecated_rule=deprecated_delete_service)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,31 +15,42 @@ from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
deprecated_get_sp = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'get_service_provider',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_list_sp = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'list_service_providers',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_update_sp = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'update_service_provider',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_create_sp = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'create_service_provider',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
deprecated_delete_sp = policy.DeprecatedRule(
|
|
||||||
name=base.IDENTITY % 'delete_service_provider',
|
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = (
|
DEPRECATED_REASON = (
|
||||||
"The service provider API is now aware of system scope and default roles."
|
"The service provider API is now aware of system scope and default roles."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
deprecated_get_sp = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'get_service_provider',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_list_sp = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_service_providers',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_update_sp = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'update_service_provider',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_create_sp = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'create_service_provider',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
deprecated_delete_sp = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_service_provider',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
service_provider_policies = [
|
service_provider_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_service_provider',
|
name=base.IDENTITY % 'create_service_provider',
|
||||||
|
|
@ -55,9 +66,7 @@ service_provider_policies = [
|
||||||
operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
|
operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
|
||||||
'{service_provider_id}'),
|
'{service_provider_id}'),
|
||||||
'method': 'PUT'}],
|
'method': 'PUT'}],
|
||||||
deprecated_rule=deprecated_create_sp,
|
deprecated_rule=deprecated_create_sp),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_service_providers',
|
name=base.IDENTITY % 'list_service_providers',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
|
@ -73,9 +82,7 @@ service_provider_policies = [
|
||||||
'method': 'HEAD'
|
'method': 'HEAD'
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_list_sp,
|
deprecated_rule=deprecated_list_sp
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_service_provider',
|
name=base.IDENTITY % 'get_service_provider',
|
||||||
|
|
@ -94,9 +101,7 @@ service_provider_policies = [
|
||||||
'method': 'HEAD'
|
'method': 'HEAD'
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
deprecated_rule=deprecated_get_sp,
|
deprecated_rule=deprecated_get_sp
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN
|
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_service_provider',
|
name=base.IDENTITY % 'update_service_provider',
|
||||||
|
|
@ -106,9 +111,7 @@ service_provider_policies = [
|
||||||
operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
|
operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
|
||||||
'{service_provider_id}'),
|
'{service_provider_id}'),
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_sp,
|
deprecated_rule=deprecated_update_sp),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_service_provider',
|
name=base.IDENTITY % 'delete_service_provider',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
|
@ -117,9 +120,7 @@ service_provider_policies = [
|
||||||
operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
|
operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
|
||||||
'{service_provider_id}'),
|
'{service_provider_id}'),
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_sp,
|
deprecated_rule=deprecated_delete_sp)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -21,15 +21,21 @@ DEPRECATED_REASON = (
|
||||||
|
|
||||||
deprecated_check_token = policy.DeprecatedRule(
|
deprecated_check_token = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'check_token',
|
name=base.IDENTITY % 'check_token',
|
||||||
check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT
|
check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
deprecated_validate_token = policy.DeprecatedRule(
|
deprecated_validate_token = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'validate_token',
|
name=base.IDENTITY % 'validate_token',
|
||||||
check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT
|
check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
deprecated_revoke_token = policy.DeprecatedRule(
|
deprecated_revoke_token = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'revoke_token',
|
name=base.IDENTITY % 'revoke_token',
|
||||||
check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT
|
check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
SYSTEM_ADMIN_OR_TOKEN_SUBJECT = (
|
SYSTEM_ADMIN_OR_TOKEN_SUBJECT = (
|
||||||
|
|
@ -52,9 +58,7 @@ token_policies = [
|
||||||
description='Check a token.',
|
description='Check a token.',
|
||||||
operations=[{'path': '/v3/auth/tokens',
|
operations=[{'path': '/v3/auth/tokens',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_check_token,
|
deprecated_rule=deprecated_check_token),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'validate_token',
|
name=base.IDENTITY % 'validate_token',
|
||||||
check_str=SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT,
|
check_str=SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT,
|
||||||
|
|
@ -62,9 +66,7 @@ token_policies = [
|
||||||
description='Validate a token.',
|
description='Validate a token.',
|
||||||
operations=[{'path': '/v3/auth/tokens',
|
operations=[{'path': '/v3/auth/tokens',
|
||||||
'method': 'GET'}],
|
'method': 'GET'}],
|
||||||
deprecated_rule=deprecated_validate_token,
|
deprecated_rule=deprecated_validate_token),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'revoke_token',
|
name=base.IDENTITY % 'revoke_token',
|
||||||
check_str=SYSTEM_ADMIN_OR_TOKEN_SUBJECT,
|
check_str=SYSTEM_ADMIN_OR_TOKEN_SUBJECT,
|
||||||
|
|
@ -72,9 +74,7 @@ token_policies = [
|
||||||
description='Revoke a token.',
|
description='Revoke a token.',
|
||||||
operations=[{'path': '/v3/auth/tokens',
|
operations=[{'path': '/v3/auth/tokens',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_revoke_token,
|
deprecated_rule=deprecated_revoke_token)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -24,29 +24,39 @@ SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR
|
||||||
SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE
|
SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE
|
||||||
SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR
|
SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR
|
||||||
|
|
||||||
|
DEPRECATED_REASON = (
|
||||||
|
"The trust API is now aware of system scope and default roles."
|
||||||
|
)
|
||||||
|
|
||||||
deprecated_list_trusts = policy.DeprecatedRule(
|
deprecated_list_trusts = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_trusts',
|
name=base.IDENTITY % 'list_trusts',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
deprecated_list_roles_for_trust = policy.DeprecatedRule(
|
deprecated_list_roles_for_trust = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_roles_for_trust',
|
name=base.IDENTITY % 'list_roles_for_trust',
|
||||||
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
|
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
deprecated_get_role_for_trust = policy.DeprecatedRule(
|
deprecated_get_role_for_trust = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_role_for_trust',
|
name=base.IDENTITY % 'get_role_for_trust',
|
||||||
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
|
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
deprecated_delete_trust = policy.DeprecatedRule(
|
deprecated_delete_trust = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'delete_trust',
|
name=base.IDENTITY % 'delete_trust',
|
||||||
check_str=RULE_TRUSTOR
|
check_str=RULE_TRUSTOR,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
deprecated_get_trust = policy.DeprecatedRule(
|
deprecated_get_trust = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_trust',
|
name=base.IDENTITY % 'get_trust',
|
||||||
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
|
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
|
||||||
)
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
DEPRECATED_REASON = (
|
|
||||||
"The trust API is now aware of system scope and default roles."
|
|
||||||
)
|
)
|
||||||
|
|
||||||
trust_policies = [
|
trust_policies = [
|
||||||
|
|
@ -69,9 +79,7 @@ trust_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/OS-TRUST/trusts',
|
{'path': '/v3/OS-TRUST/trusts',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_trusts,
|
deprecated_rule=deprecated_list_trusts),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_trusts_for_trustor',
|
name=base.IDENTITY % 'list_trusts_for_trustor',
|
||||||
check_str=SYSTEM_READER_OR_TRUSTOR,
|
check_str=SYSTEM_READER_OR_TRUSTOR,
|
||||||
|
|
@ -103,9 +111,7 @@ trust_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
|
{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_roles_for_trust,
|
deprecated_rule=deprecated_list_roles_for_trust),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_role_for_trust',
|
name=base.IDENTITY % 'get_role_for_trust',
|
||||||
check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
|
check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
|
||||||
|
|
@ -115,9 +121,7 @@ trust_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
|
{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_get_role_for_trust,
|
deprecated_rule=deprecated_get_role_for_trust),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_trust',
|
name=base.IDENTITY % 'delete_trust',
|
||||||
check_str=SYSTEM_ADMIN_OR_TRUSTOR,
|
check_str=SYSTEM_ADMIN_OR_TRUSTOR,
|
||||||
|
|
@ -125,9 +129,7 @@ trust_policies = [
|
||||||
description='Revoke trust.',
|
description='Revoke trust.',
|
||||||
operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
|
operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_trust,
|
deprecated_rule=deprecated_delete_trust),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_trust',
|
name=base.IDENTITY % 'get_trust',
|
||||||
check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
|
check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
|
||||||
|
|
@ -137,9 +139,7 @@ trust_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/OS-TRUST/trusts/{trust_id}',
|
{'path': '/v3/OS-TRUST/trusts/{trust_id}',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_get_trust,
|
deprecated_rule=deprecated_get_trust)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.TRAIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -36,23 +36,33 @@ DEPRECATED_REASON = (
|
||||||
|
|
||||||
deprecated_get_user = policy.DeprecatedRule(
|
deprecated_get_user = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_user',
|
name=base.IDENTITY % 'get_user',
|
||||||
check_str=base.RULE_ADMIN_OR_OWNER
|
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_list_users = policy.DeprecatedRule(
|
deprecated_list_users = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_users',
|
name=base.IDENTITY % 'list_users',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_create_user = policy.DeprecatedRule(
|
deprecated_create_user = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'create_user',
|
name=base.IDENTITY % 'create_user',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_update_user = policy.DeprecatedRule(
|
deprecated_update_user = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'update_user',
|
name=base.IDENTITY % 'update_user',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
deprecated_delete_user = policy.DeprecatedRule(
|
deprecated_delete_user = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'delete_user',
|
name=base.IDENTITY % 'delete_user',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.STEIN
|
||||||
)
|
)
|
||||||
|
|
||||||
user_policies = [
|
user_policies = [
|
||||||
|
|
@ -65,9 +75,7 @@ user_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/users/{user_id}',
|
{'path': '/v3/users/{user_id}',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_get_user,
|
deprecated_rule=deprecated_get_user),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_users',
|
name=base.IDENTITY % 'list_users',
|
||||||
check_str=SYSTEM_READER_OR_DOMAIN_READER,
|
check_str=SYSTEM_READER_OR_DOMAIN_READER,
|
||||||
|
|
@ -77,9 +85,7 @@ user_policies = [
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
{'path': '/v3/users',
|
{'path': '/v3/users',
|
||||||
'method': 'HEAD'}],
|
'method': 'HEAD'}],
|
||||||
deprecated_rule=deprecated_list_users,
|
deprecated_rule=deprecated_list_users),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_projects_for_user',
|
name=base.IDENTITY % 'list_projects_for_user',
|
||||||
check_str='',
|
check_str='',
|
||||||
|
|
@ -111,9 +117,7 @@ user_policies = [
|
||||||
description='Create a user.',
|
description='Create a user.',
|
||||||
operations=[{'path': '/v3/users',
|
operations=[{'path': '/v3/users',
|
||||||
'method': 'POST'}],
|
'method': 'POST'}],
|
||||||
deprecated_rule=deprecated_create_user,
|
deprecated_rule=deprecated_create_user),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_user',
|
name=base.IDENTITY % 'update_user',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
||||||
|
|
@ -121,9 +125,7 @@ user_policies = [
|
||||||
description='Update a user, including administrative password resets.',
|
description='Update a user, including administrative password resets.',
|
||||||
operations=[{'path': '/v3/users/{user_id}',
|
operations=[{'path': '/v3/users/{user_id}',
|
||||||
'method': 'PATCH'}],
|
'method': 'PATCH'}],
|
||||||
deprecated_rule=deprecated_update_user,
|
deprecated_rule=deprecated_update_user),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_user',
|
name=base.IDENTITY % 'delete_user',
|
||||||
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
|
||||||
|
|
@ -131,9 +133,7 @@ user_policies = [
|
||||||
description='Delete a user.',
|
description='Delete a user.',
|
||||||
operations=[{'path': '/v3/users/{user_id}',
|
operations=[{'path': '/v3/users/{user_id}',
|
||||||
'method': 'DELETE'}],
|
'method': 'DELETE'}],
|
||||||
deprecated_rule=deprecated_delete_user,
|
deprecated_rule=deprecated_delete_user)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since=versionutils.deprecated.STEIN)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -32,7 +32,7 @@ oslo.i18n==3.15.3
|
||||||
oslo.log==3.44.0
|
oslo.log==3.44.0
|
||||||
oslo.messaging==5.29.0
|
oslo.messaging==5.29.0
|
||||||
oslo.middleware==3.31.0
|
oslo.middleware==3.31.0
|
||||||
oslo.policy==3.6.0
|
oslo.policy==3.7.0
|
||||||
oslo.serialization==2.18.0
|
oslo.serialization==2.18.0
|
||||||
oslo.upgradecheck==1.3.0
|
oslo.upgradecheck==1.3.0
|
||||||
oslo.utils==3.33.0
|
oslo.utils==3.33.0
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@ oslo.db>=6.0.0 # Apache-2.0
|
||||||
oslo.i18n>=3.15.3 # Apache-2.0
|
oslo.i18n>=3.15.3 # Apache-2.0
|
||||||
oslo.log>=3.44.0 # Apache-2.0
|
oslo.log>=3.44.0 # Apache-2.0
|
||||||
oslo.middleware>=3.31.0 # Apache-2.0
|
oslo.middleware>=3.31.0 # Apache-2.0
|
||||||
oslo.policy>=3.6.0 # Apache-2.0
|
oslo.policy>=3.7.0 # Apache-2.0
|
||||||
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
|
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
|
||||||
oslo.upgradecheck>=1.3.0 # Apache-2.0
|
oslo.upgradecheck>=1.3.0 # Apache-2.0
|
||||||
oslo.utils>=3.33.0 # Apache-2.0
|
oslo.utils>=3.33.0 # Apache-2.0
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue