DRY up credential policies
As a follow-up to feedback on [1], refactor the system reader/admin + credential owner check strings into a common location to avoid duplication. [1] https://review.opendev.org/607820 Change-Id: I398d6e7d228b2e10059b9494aadd6e54429e1ec4
parent
063a8ac271
commit
eaf08941e0
|
@ -50,6 +50,16 @@ DOMAIN_READER = 'role:reader and domain_id:%(target.domain_id)s'
|
|||
RULE_SYSTEM_ADMIN_OR_OWNER = '(' + SYSTEM_ADMIN + ') or rule:owner'
|
||||
RULE_SYSTEM_READER_OR_OWNER = '(' + SYSTEM_READER + ') or rule:owner'
|
||||
|
||||
# Credential and EC2 Credential policies
|
||||
SYSTEM_READER_OR_CRED_OWNER = (
|
||||
'(' + SYSTEM_READER + ') '
|
||||
'or user_id:%(target.credential.user_id)s'
|
||||
)
|
||||
SYSTEM_ADMIN_OR_CRED_OWNER = (
|
||||
'(' + SYSTEM_ADMIN + ') '
|
||||
'or user_id:%(target.credential.user_id)s'
|
||||
)
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
name='admin_required',
|
||||
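Review bot: The new SYSTEM_READER_OR_CRED_OWNER and SYSTEM_ADMIN_OR_CRED_OWNER strings at the top of the hunk are composed from SYSTEM_READER and SYSTEM_ADMIN (defined above this hunk, outside it), so their effective meaning now follows whatever those constants expand to, whereas the definitions this commit deletes from credential.py and ec2_credential.py spelled out `role:reader and system_scope:all` / `role:admin and system_scope:all` literally; if SYSTEM_READER or SYSTEM_ADMIN is ever widened, every credential default widens with it, and the protection tests would not notice because they now reference the same constants rather than an expected literal. Consider pinning the rendered string in a unit test, e.g. `self.assertEqual('(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s', base.SYSTEM_READER_OR_CRED_OWNER)`, and likewise for the admin variant. The comment `# Credential and EC2 Credential policies` would also be more useful if it recorded that the owner branch only matches when the enforcement target carries `target.credential.user_id` (oslo.policy's generic check evaluates to False when the key is absent, so a caller that forgets to populate it fails closed rather than open) and that these two constants are the scope-aware successors of `RULE_ADMIN_OR_CREDENTIAL_OWNER`, which ec2_credential.py still uses for its deprecated rule.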
|
|
|
@ -15,15 +15,6 @@ from oslo_policy import policy
|
|||
|
||||
from keystone.common.policies import base
|
||||
|
||||
SYSTEM_READER_OR_CRED_OWNER = (
|
||||
'(role:reader and system_scope:all) '
|
||||
'or user_id:%(target.credential.user_id)s'
|
||||
)
|
||||
SYSTEM_ADMIN_OR_CRED_OWNER = (
|
||||
'(role:admin and system_scope:all) '
|
||||
'or user_id:%(target.credential.user_id)s'
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = (
|
||||
'As of the Stein release, the credential API now understands how to '
|
||||
'handle system-scoped tokens in addition to project-scoped tokens, making '
|
||||
|
@ -56,7 +47,7 @@ deprecated_delete_credential = policy.DeprecatedRule(
|
|||
credential_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'get_credential',
|
||||
check_str=SYSTEM_READER_OR_CRED_OWNER,
|
||||
check_str=base.SYSTEM_READER_OR_CRED_OWNER,
|
||||
scope_types=['system', 'project'],
|
||||
description='Show credentials details.',
|
||||
operations=[{'path': '/v3/credentials/{credential_id}',
|
||||
|
@ -67,7 +58,7 @@ credential_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_credentials',
|
||||
check_str=SYSTEM_READER_OR_CRED_OWNER,
|
||||
check_str=base.SYSTEM_READER_OR_CRED_OWNER,
|
||||
scope_types=['system', 'project'],
|
||||
description='List credentials.',
|
||||
operations=[{'path': '/v3/credentials',
|
||||
|
@ -78,7 +69,7 @@ credential_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'create_credential',
|
||||
check_str=SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
check_str=base.SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
scope_types=['system', 'project'],
|
||||
description='Create credential.',
|
||||
operations=[{'path': '/v3/credentials',
|
||||
|
@ -89,7 +80,7 @@ credential_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'update_credential',
|
||||
check_str=SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
check_str=base.SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
scope_types=['system', 'project'],
|
||||
description='Update credential.',
|
||||
operations=[{'path': '/v3/credentials/{credential_id}',
|
||||
|
@ -100,7 +91,7 @@ credential_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'delete_credential',
|
||||
check_str=SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
check_str=base.SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
scope_types=['system', 'project'],
|
||||
description='Delete credential.',
|
||||
operations=[{'path': '/v3/credentials/{credential_id}',
|
||||
|
|
|
@ -15,15 +15,6 @@ from oslo_policy import policy
|
|||
|
||||
from keystone.common.policies import base
|
||||
|
||||
SYSTEM_READER_OR_CRED_OWNER = (
|
||||
'(role:reader and system_scope:all) '
|
||||
'or user_id:%(target.credential.user_id)s'
|
||||
)
|
||||
SYSTEM_ADMIN_OR_CRED_OWNER = (
|
||||
'(role:admin and system_scope:all) '
|
||||
'or user_id:%(target.credential.user_id)s'
|
||||
)
|
||||
|
||||
deprecated_ec2_get_credential = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'ec2_get_credential',
|
||||
check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
|
||||
|
@ -52,7 +43,7 @@ automatically.
|
|||
ec2_credential_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'ec2_get_credential',
|
||||
check_str=SYSTEM_READER_OR_CRED_OWNER,
|
||||
check_str=base.SYSTEM_READER_OR_CRED_OWNER,
|
||||
scope_types=['system', 'project'],
|
||||
description='Show ec2 credential details.',
|
||||
operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
|
||||
|
@ -86,7 +77,7 @@ ec2_credential_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'ec2_delete_credential',
|
||||
check_str=SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
check_str=base.SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
scope_types=['system', 'project'],
|
||||
description='Delete ec2 credential.',
|
||||
operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
|
||||
|
|
|
@ -15,7 +15,7 @@ import uuid
|
|||
from oslo_serialization import jsonutils
|
||||
from six.moves import http_client
|
||||
|
||||
from keystone.common.policies import credential as cp
|
||||
from keystone.common.policies import base as bp
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone.tests.common import auth as common_auth
|
||||
|
@ -1131,10 +1131,10 @@ class ProjectAdminTests(base_classes.TestCaseWithBootstrap,
|
|||
# broken behavior with better scope checking.
|
||||
with open(self.policy_file_name, 'w') as f:
|
||||
overridden_policies = {
|
||||
'identity:get_credential': cp.SYSTEM_READER_OR_CRED_OWNER,
|
||||
'identity:list_credentials': cp.SYSTEM_READER_OR_CRED_OWNER,
|
||||
'identity:create_credential': cp.SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
'identity:update_credential': cp.SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
'identity:delete_credential': cp.SYSTEM_ADMIN_OR_CRED_OWNER
|
||||
'identity:get_credential': bp.SYSTEM_READER_OR_CRED_OWNER,
|
||||
'identity:list_credentials': bp.SYSTEM_READER_OR_CRED_OWNER,
|
||||
'identity:create_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
'identity:update_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
'identity:delete_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER
|
||||
}
|
||||
f.write(jsonutils.dumps(overridden_policies))
|
||||
|
|
|
@ -14,7 +14,6 @@ from oslo_serialization import jsonutils
|
|||
from six.moves import http_client
|
||||
|
||||
from keystone.common.policies import base as bp
|
||||
from keystone.common.policies import ec2_credential as ec
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone.tests.common import auth as common_auth
|
||||
|
@ -398,11 +397,11 @@ class ProjectAdminTests(base_classes.TestCaseWithBootstrap,
|
|||
# this broken behavior with better scope checking.
|
||||
with open(self.policy_file_name, 'w') as f:
|
||||
overridden_policies = {
|
||||
'identity:ec2_get_credential': ec.SYSTEM_READER_OR_CRED_OWNER,
|
||||
'identity:ec2_get_credential': bp.SYSTEM_READER_OR_CRED_OWNER,
|
||||
'identity:ec2_list_credentials': bp.RULE_SYSTEM_READER_OR_OWNER,
|
||||
'identity:ec2_create_credential': ec.SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
'identity:ec2_update_credential': ec.SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
'identity:ec2_delete_credential': ec.SYSTEM_ADMIN_OR_CRED_OWNER
|
||||
'identity:ec2_create_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
'identity:ec2_update_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER,
|
||||
'identity:ec2_delete_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER
|
||||
}
|
||||
f.write(jsonutils.dumps(overridden_policies))
|
||||
|
||||
|
|