openstack/keystone
Code Issues Proposed changes

Consistent and Secure RBAC (Phase 1)

Browse Source 
This patch updates system-scoped policies to also accept project-admin
tokens so that operators can continue to use the "admin" role to access
system level APIs.

The protection test job is marked non-voting since tempest does not yet
expect these policy changes.  A follow-up patch will make it voting
again after the test changes have merged into tempest.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1

Change-Id: I31b5a1f85d994a90578657bc77fa46ace0748582
This commit is contained in:
Douglas Mendizábal 2023-12-05 16:41:28 -05:00
parent 9e4a3157dd
commit f2f1a5c388
28 changed files with 368 additions and 356 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.zuul.yaml
View File

@ -282,7 +282,8 @@
irrelevant-files: *tempest-irrelevant-files
- tempest-ipv6-only:
irrelevant-files: *tempest-irrelevant-files
- keystone-protection-functional
# FIXME(dmendiza): temporarily disabling protection job
# - keystone-protection-functional:
gate:
jobs:
- keystone-tox-py310-with-sqlalchemy-2x
@ -296,7 +297,8 @@
irrelevant-files: *tempest-irrelevant-files
- tempest-ipv6-only:
irrelevant-files: *tempest-irrelevant-files
- keystone-protection-functional
# FIXME(dmendiza): temporarily disabling protection job
# - keystone-protection-functional
experimental:
jobs:
- keystone-tox-patch_cover

1
keystone/common/policies/base.py
View File

@ -49,6 +49,7 @@ SYSTEM_ADMIN = 'role:admin and system_scope:all'
DOMAIN_READER = 'role:reader and domain_id:%(target.domain_id)s'
RULE_SYSTEM_ADMIN_OR_OWNER = '(' + SYSTEM_ADMIN + ') or rule:owner'
RULE_SYSTEM_READER_OR_OWNER = '(' + SYSTEM_READER + ') or rule:owner'
RULE_ADMIN_OR_SYSTEM_READER = 'rule:admin_required or (' + SYSTEM_READER + ')'
# Credential and EC2 Credential policies
SYSTEM_READER_OR_CRED_OWNER = (

20
keystone/common/policies/consumer.py
View File

@ -54,40 +54,40 @@ deprecated_delete_consumer = policy.DeprecatedRule(
consumer_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_consumer',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Show OAUTH1 consumer details.',
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
'method': 'GET'}],
deprecated_rule=deprecated_get_consumer),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_consumers',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List OAUTH1 consumers.',
operations=[{'path': '/v3/OS-OAUTH1/consumers',
'method': 'GET'}],
deprecated_rule=deprecated_list_consumers),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_consumer',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create OAUTH1 consumer.',
operations=[{'path': '/v3/OS-OAUTH1/consumers',
'method': 'POST'}],
deprecated_rule=deprecated_create_consumer),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_consumer',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update OAUTH1 consumer.',
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
'method': 'PATCH'}],
deprecated_rule=deprecated_update_consumer),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_consumer',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete OAUTH1 consumer.',
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
'method': 'DELETE'}],

21
keystone/common/policies/domain.py
View File

@ -49,7 +49,8 @@ deprecated_delete_domain = policy.DeprecatedRule(
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN
)
SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER = (
ADMIN_OR_SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER = (
base.RULE_ADMIN_REQUIRED + ' or '
'(role:reader and system_scope:all) or '
'token.domain.id:%(target.domain.id)s or '
'token.project.domain.id:%(target.domain.id)s'
@ -61,7 +62,7 @@ domain_policies = [
name=base.IDENTITY % 'get_domain',
# NOTE(lbragstad): This policy allows system, domain, and
# project-scoped tokens.
check_str=SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER,
check_str=ADMIN_OR_SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER,
scope_types=['system', 'domain', 'project'],
description='Show domain details.',
operations=[{'path': '/v3/domains/{domain_id}',
@ -69,32 +70,32 @@ domain_policies = [
deprecated_rule=deprecated_get_domain),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_domains',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List domains.',
operations=[{'path': '/v3/domains',
'method': 'GET'}],
deprecated_rule=deprecated_list_domains),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_domain',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create domain.',
operations=[{'path': '/v3/domains',
'method': 'POST'}],
deprecated_rule=deprecated_create_domain),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_domain',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update domain.',
operations=[{'path': '/v3/domains/{domain_id}',
'method': 'PATCH'}],
deprecated_rule=deprecated_update_domain),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_domain',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete domain.',
operations=[{'path': '/v3/domains/{domain_id}',
'method': 'DELETE'}],

28
keystone/common/policies/domain_config.py
View File

@ -58,16 +58,8 @@ deprecated_delete_domain_config = policy.DeprecatedRule(
domain_config_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_domain_config',
check_str=base.SYSTEM_ADMIN,
# FIXME(lbragstad): The domain configuration API has traditionally
# required system or cloud administrators. If, or when, keystone
# implements the ability for project administrator to use these APIs,
# then 'project' should be added to scope_types. Adding support for
# project or domain administrator to manage their own domain
# configuration would be useful and alleviate work for system
# administrators, but until we have checks in code that enforce those
# checks, let's keep this as a system-level operation.
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create domain configuration.',
operations=[
{
@ -79,8 +71,8 @@ domain_config_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_domain_config',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description=('Get the entire domain configuration for a domain, an '
'option group within a domain, or a specific '
'configuration option within a group for a domain.'),
@ -143,8 +135,8 @@ domain_config_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_domain_config',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description=('Update domain configuration for either a domain, '
'specific group or a specific option in a group.'),
operations=[
@ -165,8 +157,8 @@ domain_config_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_domain_config',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description=('Delete domain configuration for either a domain, '
'specific group or a specific option in a group.'),
operations=[
@ -187,8 +179,8 @@ domain_config_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_domain_config_default',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description=('Get domain configuration default for either a domain, '
'specific group or a specific option in a group.'),
operations=[

20
keystone/common/policies/endpoint.py
View File

@ -49,40 +49,40 @@ deprecated_delete_endpoint = policy.DeprecatedRule(
endpoint_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_endpoint',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Show endpoint details.',
operations=[{'path': '/v3/endpoints/{endpoint_id}',
'method': 'GET'}],
deprecated_rule=deprecated_get_endpoint),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_endpoints',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List endpoints.',
operations=[{'path': '/v3/endpoints',
'method': 'GET'}],
deprecated_rule=deprecated_list_endpoints),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_endpoint',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create endpoint.',
operations=[{'path': '/v3/endpoints',
'method': 'POST'}],
deprecated_rule=deprecated_create_endpoint),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_endpoint',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update endpoint.',
operations=[{'path': '/v3/endpoints/{endpoint_id}',
'method': 'PATCH'}],
deprecated_rule=deprecated_update_endpoint),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_endpoint',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete endpoint.',
operations=[{'path': '/v3/endpoints/{endpoint_id}',
'method': 'DELETE'}],

44
keystone/common/policies/endpoint_group.py
View File

@ -100,24 +100,24 @@ deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule(
group_endpoint_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_endpoint_group',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create endpoint group.',
operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
'method': 'POST'}],
deprecated_rule=deprecated_create_endpoint_group),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_endpoint_groups',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List endpoint groups.',
operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
'method': 'GET'}],
deprecated_rule=deprecated_list_endpoint_groups),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_endpoint_group',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Get endpoint group.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}'),
@ -128,8 +128,8 @@ group_endpoint_policies = [
deprecated_rule=deprecated_get_endpoint_group),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_endpoint_group',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update endpoint group.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}'),
@ -137,8 +137,8 @@ group_endpoint_policies = [
deprecated_rule=deprecated_update_endpoint_group),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_endpoint_group',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete endpoint group.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}'),
@ -146,8 +146,8 @@ group_endpoint_policies = [
deprecated_rule=deprecated_delete_endpoint_group),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description=('List all projects associated with a specific endpoint '
'group.'),
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
@ -156,8 +156,8 @@ group_endpoint_policies = [
deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List all endpoints associated with an endpoint group.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}/endpoints'),
@ -165,8 +165,8 @@ group_endpoint_policies = [
deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_endpoint_group_in_project',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description=('Check if an endpoint group is associated with a '
'project.'),
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
@ -178,8 +178,8 @@ group_endpoint_policies = [
deprecated_rule=deprecated_get_endpoint_group_in_project),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_endpoint_groups_for_project',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List endpoint groups associated with a specific project.',
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
'endpoint_groups'),
@ -187,8 +187,8 @@ group_endpoint_policies = [
deprecated_rule=deprecated_list_endpoint_groups_for_project),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'add_endpoint_group_to_project',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Allow a project to access an endpoint group.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}/projects/{project_id}'),
@ -196,8 +196,8 @@ group_endpoint_policies = [
deprecated_rule=deprecated_add_endpoint_group_to_project),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'remove_endpoint_group_from_project',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Remove endpoint group from project.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}/projects/{project_id}'),

63
keystone/common/policies/grant.py
View File

@ -60,8 +60,19 @@ GRANTS_DOMAIN_ADMIN = (
'(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
)
SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
'(' + base.SYSTEM_ADMIN + ') or '
ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER = (
'(' + base.RULE_ADMIN_REQUIRED + ') or '
'(' + SYSTEM_READER_OR_DOMAIN_READER + ')'
)
ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER_LIST = (
'(' + base.RULE_ADMIN_REQUIRED + ') or '
'(' + SYSTEM_READER_OR_DOMAIN_READER_LIST + ')'
)
ADMIN_OR_DOMAIN_ADMIN = (
'(' + base.RULE_ADMIN_REQUIRED + ') or '
'(' + GRANTS_DOMAIN_ADMIN + ') and '
'(' + DOMAIN_MATCHES_ROLE + ')'
)
@ -183,8 +194,8 @@ list_grants_operations = (
grant_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_grant',
check_str=SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain'],
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain', 'project'],
description=('Check a role grant between a target and an actor. A '
'target can be either a domain or a project. An actor '
'can be either a user or a group. These terms also apply '
@ -195,8 +206,8 @@ grant_policies = [
deprecated_rule=deprecated_check_grant),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_grants',
check_str=SYSTEM_READER_OR_DOMAIN_READER_LIST,
scope_types=['system', 'domain'],
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER_LIST,
scope_types=['system', 'domain', 'project'],
description=('List roles granted to an actor on a target. A target '
'can be either a domain or a project. An actor can be '
'either a user or a group. For the OS-INHERIT APIs, it '
@ -207,8 +218,8 @@ grant_policies = [
deprecated_rule=deprecated_list_grants),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_grant',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain'],
check_str=ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain', 'project'],
description=('Create a role grant between a target and an actor. A '
'target can be either a domain or a project. An actor '
'can be either a user or a group. These terms also apply '
@ -219,8 +230,8 @@ grant_policies = [
deprecated_rule=deprecated_create_grant),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'revoke_grant',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain'],
check_str=ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain', 'project'],
description=('Revoke a role grant between a target and an actor. A '
'target can be either a domain or a project. An actor '
'can be either a user or a group. These terms also apply '
@ -233,8 +244,8 @@ grant_policies = [
deprecated_rule=deprecated_revoke_grant),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_system_grants_for_user',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List all grants a specific user has on the system.',
operations=[
{
@ -246,8 +257,8 @@ grant_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_system_grant_for_user',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Check if a user has a role on the system.',
operations=[
{
@ -259,8 +270,8 @@ grant_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_system_grant_for_user',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Grant a user a role on the system.',
operations=[
{
@ -272,8 +283,8 @@ grant_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'revoke_system_grant_for_user',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Remove a role from a user on the system.',
operations=[
{
@ -285,8 +296,8 @@ grant_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_system_grants_for_group',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List all grants a specific group has on the system.',
operations=[
{
@ -298,8 +309,8 @@ grant_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_system_grant_for_group',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Check if a group has a role on the system.',
operations=[
{
@ -311,8 +322,8 @@ grant_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_system_grant_for_group',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Grant a group a role on the system.',
operations=[
{
@ -324,8 +335,8 @@ grant_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'revoke_system_grant_for_group',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Remove a role from a group on the system.',
operations=[
{

55
keystone/common/policies/group.py
View File

@ -20,6 +20,10 @@ SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER = (
'(role:reader and domain_id:%(target.user.domain_id)s) or '
'user_id:%(user_id)s'
)
ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_OR_OWNER = (
'(' + base.RULE_ADMIN_REQUIRED + ') or (' +
SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER
)
SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER = (
'(role:reader and system_scope:all) or '
@ -27,18 +31,19 @@ SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER = (
'domain_id:%(target.group.domain_id)s and '
'domain_id:%(target.user.domain_id)s)'
)
SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER = (
'(role:admin and system_scope:all) or '
'(role:admin and '
'domain_id:%(target.group.domain_id)s and '
'domain_id:%(target.user.domain_id)s)'
ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP = (
'(' + base.RULE_ADMIN_REQUIRED + ') or (' +
SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER
)
SYSTEM_READER_OR_DOMAIN_READER = (
'(role:reader and system_scope:all) or '
'(role:reader and domain_id:%(target.group.domain_id)s)'
)
ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER = (
'(' + base.RULE_ADMIN_REQUIRED + ') or ' +
SYSTEM_READER_OR_DOMAIN_READER
)
SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
'(role:admin and system_scope:all) or '
@ -113,8 +118,8 @@ deprecated_add_user_to_group = policy.DeprecatedRule(
group_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_group',
check_str=SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain'],
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain', 'project'],
description='Show group details.',
operations=[{'path': '/v3/groups/{group_id}',
'method': 'GET'},
@ -123,8 +128,8 @@ group_policies = [
deprecated_rule=deprecated_get_group),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_groups',
check_str=SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain'],
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain', 'project'],
description='List groups.',
operations=[{'path': '/v3/groups',
'method': 'GET'},
@ -133,7 +138,7 @@ group_policies = [
deprecated_rule=deprecated_list_groups),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_groups_for_user',
check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER,
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_OR_OWNER,
scope_types=['system', 'domain', 'project'],
description='List groups to which a user belongs.',
operations=[{'path': '/v3/users/{user_id}/groups',
@ -143,32 +148,32 @@ group_policies = [
deprecated_rule=deprecated_list_groups_for_user),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_group',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Create group.',
operations=[{'path': '/v3/groups',
'method': 'POST'}],
deprecated_rule=deprecated_create_group),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_group',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Update group.',
operations=[{'path': '/v3/groups/{group_id}',
'method': 'PATCH'}],
deprecated_rule=deprecated_update_group),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_group',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Delete group.',
operations=[{'path': '/v3/groups/{group_id}',
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_group),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_users_in_group',
check_str=SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain'],
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain', 'project'],
description='List members of a specific group.',
operations=[{'path': '/v3/groups/{group_id}/users',
'method': 'GET'},
@ -177,16 +182,16 @@ group_policies = [
deprecated_rule=deprecated_list_users_in_group),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'remove_user_from_group',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
scope_types=['system', 'domain'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Remove user from group.',
operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
'method': 'DELETE'}],
deprecated_rule=deprecated_remove_user_from_group),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_user_in_group',
check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER,
scope_types=['system', 'domain'],
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP,
scope_types=['system', 'domain', 'project'],
description='Check whether a user is a member of a group.',
operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
'method': 'HEAD'},
@ -195,8 +200,8 @@ group_policies = [
deprecated_rule=deprecated_check_user_in_group),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'add_user_to_group',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
scope_types=['system', 'domain'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Add user to group.',
operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
'method': 'PUT'}],

20
keystone/common/policies/identity_provider.py
View File

@ -54,22 +54,22 @@ deprecated_delete_idp = policy.DeprecatedRule(
identity_provider_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_identity_provider',
check_str=base.SYSTEM_ADMIN,
check_str=base.RULE_ADMIN_REQUIRED,
# FIXME(lbragstad): All `scope_types` for identity provider policies
# should be updated to include project scope if, or when, it becomes
# possible to manage federated identity providers without modifying
# configurations outside of keystone (Apache). It makes sense to
# associate system scope to identity provider management since it
# requires modifying configuration files.
scope_types=['system'],
scope_types=['system', 'project'],
description='Create identity provider.',
operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
'method': 'PUT'}],
deprecated_rule=deprecated_create_idp),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_identity_providers',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List identity providers.',
operations=[
{
@ -85,8 +85,8 @@ identity_provider_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_identity_provider',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Get identity provider.',
operations=[
{
@ -102,16 +102,16 @@ identity_provider_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_identity_provider',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update identity provider.',
operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
'method': 'PATCH'}],
deprecated_rule=deprecated_update_idp),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_identity_provider',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete identity provider.',
operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
'method': 'DELETE'}],

24
keystone/common/policies/implied_role.py
View File

@ -60,12 +60,12 @@ deprecated_delete_implied_role = policy.DeprecatedRule(
implied_role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_implied_role',
check_str=base.SYSTEM_READER,
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
# FIXME(lbragstad) The management of implied roles currently makes
# sense as a system-only resource. Once keystone has the ability to
# support RBAC solely over the API without having to customize policy
# files, scope_types should include 'project'.
scope_types=['system'],
scope_types=['system', 'project'],
description='Get information about an association between two roles. '
'When a relationship exists between a prior role and an '
'implied role and the prior role is assigned to a user, '
@ -76,8 +76,8 @@ implied_role_policies = [
deprecated_rule=deprecated_get_implied_role),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_implied_roles',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List associations between two roles. When a relationship '
'exists between a prior role and an implied role and the '
'prior role is assigned to a user, the user also assumes '
@ -90,8 +90,8 @@ implied_role_policies = [
deprecated_rule=deprecated_list_implied_roles),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_implied_role',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create an association between two roles. When a '
'relationship exists between a prior role and an implied '
'role and the prior role is assigned to a user, the user '
@ -102,8 +102,8 @@ implied_role_policies = [
deprecated_rule=deprecated_create_implied_role),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_implied_role',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete the association between two roles. When a '
'relationship exists between a prior role and an implied '
'role and the prior role is assigned to a user, the user '
@ -115,8 +115,8 @@ implied_role_policies = [
deprecated_rule=deprecated_delete_implied_role),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_role_inference_rules',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List all associations between two roles in the system. '
'When a relationship exists between a prior role and an '
'implied role and the prior role is assigned to a user, '
@ -127,8 +127,8 @@ implied_role_policies = [
deprecated_rule=deprecated_list_role_inference_rules),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_implied_role',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Check an association between two roles. When a '
'relationship exists between a prior role and an implied '
'role and the prior role is assigned to a user, the user '

17
keystone/common/policies/limit.py
View File

@ -14,7 +14,8 @@ from oslo_policy import policy
from keystone.common.policies import base
SYSTEM_OR_DOMAIN_OR_PROJECT_USER = (
ADMIN_OR_SYSTEM_OR_DOMAIN_OR_PROJECT_USER = (
base.RULE_ADMIN_REQUIRED + ' or '
'(' + base.SYSTEM_READER + ') or '
'('
'domain_id:%(target.limit.domain.id)s or '
@ -38,7 +39,7 @@ limit_policies = [
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_limit',
check_str=SYSTEM_OR_DOMAIN_OR_PROJECT_USER,
check_str=ADMIN_OR_SYSTEM_OR_DOMAIN_OR_PROJECT_USER,
scope_types=['system', 'domain', 'project'],
description='Show limit details.',
operations=[{'path': '/v3/limits/{limit_id}',
@ -56,22 +57,22 @@ limit_policies = [
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_limits',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create limits.',
operations=[{'path': '/v3/limits',
'method': 'POST'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_limit',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update limit.',
operations=[{'path': '/v3/limits/{limit_id}',
'method': 'PATCH'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_limit',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete limit.',
operations=[{'path': '/v3/limits/{limit_id}',
'method': 'DELETE'}])

26
keystone/common/policies/mapping.py
View File

@ -54,14 +54,8 @@ deprecated_delete_mapping = policy.DeprecatedRule(
mapping_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_mapping',
check_str=base.SYSTEM_ADMIN,
# FIXME(lbragstad): Today, keystone doesn't support federation unless
# the person create identity providers, service providers, or mappings
# has the ability to modify keystone and Apache configuration files.
# If, or when, keystone adds support for federating identities without
# having to touch system configuration files, the list of `scope_types`
# for these policies should include `project`.
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description=('Create a new federated mapping containing one or '
'more sets of rules.'),
operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
@ -69,8 +63,8 @@ mapping_policies = [
deprecated_rule=deprecated_create_mapping),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_mapping',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Get a federated mapping.',
operations=[
{
@ -86,8 +80,8 @@ mapping_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_mappings',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List federated mappings.',
operations=[
{
@ -103,16 +97,16 @@ mapping_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_mapping',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete a federated mapping.',
operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_mapping),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_mapping',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update a federated mapping.',
operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
'method': 'PATCH'}],

20
keystone/common/policies/policy.py
View File

@ -58,42 +58,42 @@ deprecated_delete_policy = policy.DeprecatedRule(
policy_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_policy',
check_str=base.SYSTEM_READER,
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
# This API isn't really exposed to usable, it's actually deprecated.
# More-or-less adding scope_types to be consistent with other policies.
scope_types=['system'],
scope_types=['system', 'project'],
description='Show policy details.',
operations=[{'path': '/v3/policies/{policy_id}',
'method': 'GET'}],
deprecated_rule=deprecated_get_policy),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_policies',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List policies.',
operations=[{'path': '/v3/policies',
'method': 'GET'}],
deprecated_rule=deprecated_list_policies),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_policy',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create policy.',
operations=[{'path': '/v3/policies',
'method': 'POST'}],
deprecated_rule=deprecated_create_policy),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_policy',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update policy.',
operations=[{'path': '/v3/policies/{policy_id}',
'method': 'PATCH'}],
deprecated_rule=deprecated_update_policy),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_policy',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete policy.',
operations=[{'path': '/v3/policies/{policy_id}',
'method': 'DELETE'}],

44
keystone/common/policies/policy_association.py
View File

@ -105,8 +105,8 @@ deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule(
policy_association_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_policy_association_for_endpoint',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Associate a policy to a specific endpoint.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'endpoints/{endpoint_id}'),
@ -114,8 +114,8 @@ policy_association_policies = [
deprecated_rule=deprecated_create_policy_assoc_for_endpoint),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_policy_association_for_endpoint',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Check policy association for endpoint.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'endpoints/{endpoint_id}'),
@ -126,8 +126,8 @@ policy_association_policies = [
deprecated_rule=deprecated_check_policy_assoc_for_endpoint),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_policy_association_for_endpoint',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete policy association for endpoint.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'endpoints/{endpoint_id}'),
@ -135,8 +135,8 @@ policy_association_policies = [
deprecated_rule=deprecated_delete_policy_assoc_for_endpoint),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_policy_association_for_service',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Associate a policy to a specific service.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}'),
@ -144,8 +144,8 @@ policy_association_policies = [
deprecated_rule=deprecated_create_policy_assoc_for_service),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_policy_association_for_service',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Check policy association for service.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}'),
@ -156,8 +156,8 @@ policy_association_policies = [
deprecated_rule=deprecated_check_policy_assoc_for_service),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_policy_association_for_service',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete policy association for service.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}'),
@ -166,8 +166,8 @@ policy_association_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % (
'create_policy_association_for_region_and_service'),
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description=('Associate a policy to a specific region and service '
'combination.'),
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
@ -176,8 +176,8 @@ policy_association_policies = [
deprecated_rule=deprecated_create_policy_assoc_for_region_and_service),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_policy_association_for_region_and_service',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Check policy association for region and service.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}/regions/{region_id}'),
@ -189,8 +189,8 @@ policy_association_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % (
'delete_policy_association_for_region_and_service'),
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete policy association for region and service.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}/regions/{region_id}'),
@ -198,8 +198,8 @@ policy_association_policies = [
deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_policy_for_endpoint',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Get policy for endpoint.',
operations=[{'path': ('/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/'
'policy'),
@ -210,8 +210,8 @@ policy_association_policies = [
deprecated_rule=deprecated_get_policy_for_endpoint),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_endpoints_for_policy',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List endpoints for policy.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'endpoints'),

47
keystone/common/policies/project.py
View File

@ -20,6 +20,10 @@ SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER = (
'(role:reader and domain_id:%(target.project.domain_id)s) or '
'project_id:%(target.project.id)s'
)
ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER = (
'(' + base.RULE_ADMIN_REQUIRED + ') or ' +
SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER
)
SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN = (
'(' + base.SYSTEM_ADMIN + ') or '
@ -41,12 +45,21 @@ SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER = (
# the context user_id to the target user id.
'user_id:%(target.user.id)s'
)
ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER = (
'(' + base.RULE_ADMIN_REQUIRED + ') or ' +
SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER
)
SYSTEM_READER_OR_DOMAIN_READER = (
'(' + base.SYSTEM_READER + ') or '
'(role:reader and domain_id:%(target.domain_id)s)'
)
ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER = (
'(' + base.RULE_ADMIN_REQUIRED + ') or ' +
SYSTEM_READER_OR_DOMAIN_READER
)
SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
'(role:admin and system_scope:all) or '
'(role:admin and domain_id:%(target.project.domain_id)s)'
@ -149,19 +162,15 @@ project_policies = [
deprecated_rule=deprecated_get_project),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_projects',
check_str=SYSTEM_READER_OR_DOMAIN_READER,
# FIXME(lbragstad): Project administrators should be able to list
# projects they administer or possibly their children. Until keystone
# is smart enough to handle those cases, keep scope_types set to
# 'system' and 'domain'.
scope_types=['system', 'domain'],
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain', 'project'],
description='List projects.',
operations=[{'path': '/v3/projects',
'method': 'GET'}],
deprecated_rule=deprecated_list_projects),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_user_projects',
check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER,
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER,
scope_types=['system', 'domain', 'project'],
description='List projects for user.',
operations=[{'path': '/v3/users/{user_id}/projects',
@ -169,31 +178,31 @@ project_policies = [
deprecated_rule=deprecated_list_user_projects),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_project',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Create project.',
operations=[{'path': '/v3/projects',
'method': 'POST'}],
deprecated_rule=deprecated_create_project),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_project',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Update project.',
operations=[{'path': '/v3/projects/{project_id}',
'method': 'PATCH'}],
deprecated_rule=deprecated_update_project),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_project',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Delete project.',
operations=[{'path': '/v3/projects/{project_id}',
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_project),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_project_tags',
check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
scope_types=['system', 'domain', 'project'],
description='List tags for a project.',
operations=[{'path': '/v3/projects/{project_id}/tags',
@ -203,7 +212,7 @@ project_policies = [
deprecated_rule=deprecated_list_project_tags),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_project_tag',
check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
scope_types=['system', 'domain', 'project'],
description='Check if project contains a tag.',
operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
@ -213,7 +222,7 @@ project_policies = [
deprecated_rule=deprecated_get_project_tag),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_project_tags',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Replace all tags on a project with the new set of tags.',
operations=[{'path': '/v3/projects/{project_id}/tags',
@ -221,7 +230,7 @@ project_policies = [
deprecated_rule=deprecated_update_project_tag),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_project_tag',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Add a single tag to a project.',
operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
@ -229,7 +238,7 @@ project_policies = [
deprecated_rule=deprecated_create_project_tag),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_project_tags',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Remove all tags from a project.',
operations=[{'path': '/v3/projects/{project_id}/tags',
@ -237,7 +246,7 @@ project_policies = [
deprecated_rule=deprecated_delete_project_tags),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_project_tag',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Delete a specified tag from project.',
operations=[{'path': '/v3/projects/{project_id}/tags/{value}',

24
keystone/common/policies/project_endpoint.py
View File

@ -63,12 +63,8 @@ project_endpoint_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_projects_for_endpoint',
check_str=base.SYSTEM_READER,
# NOTE(lbragstad): While projects can be considered project-level APIs
# with hierarchical multi-tenancy, endpoints are a system-level
# resource. Managing associations between projects and endpoints should
# default to system-level.
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List projects allowed to access an endpoint.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/'
'projects'),
@ -76,8 +72,8 @@ project_endpoint_policies = [
deprecated_rule=deprecated_list_projects_for_endpoint),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'add_endpoint_to_project',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Allow project to access an endpoint.',
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
'endpoints/{endpoint_id}'),
@ -85,8 +81,8 @@ project_endpoint_policies = [
deprecated_rule=deprecated_add_endpoint_to_project),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_endpoint_in_project',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Check if a project is allowed to access an endpoint.',
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
'endpoints/{endpoint_id}'),
@ -97,8 +93,8 @@ project_endpoint_policies = [
deprecated_rule=deprecated_check_endpoint_in_project),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_endpoints_for_project',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List the endpoints a project is allowed to access.',
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
'endpoints'),
@ -106,8 +102,8 @@ project_endpoint_policies = [
deprecated_rule=deprecated_list_endpoints_for_project),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'remove_endpoint_from_project',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description=('Remove access to an endpoint from a project that has '
'previously been given explicit access.'),
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'

23
keystone/common/policies/protocol.py
View File

@ -55,11 +55,8 @@ deprecated_delete_protocol = policy.DeprecatedRule(
protocol_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_protocol',
check_str=base.SYSTEM_ADMIN,
# FIXME(lbragstad): Once it is possible to add complete federated
# identity without having to modify system configuration files, like
# Apache, this should include 'project' in scope_types.
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create federated protocol.',
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
'protocols/{protocol_id}'),
@ -67,8 +64,8 @@ protocol_policies = [
deprecated_rule=deprecated_create_protocol),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_protocol',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update federated protocol.',
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
'protocols/{protocol_id}'),
@ -76,8 +73,8 @@ protocol_policies = [
deprecated_rule=deprecated_update_protocol),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_protocol',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Get federated protocol.',
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
'protocols/{protocol_id}'),
@ -85,8 +82,8 @@ protocol_policies = [
deprecated_rule=deprecated_get_protocol),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_protocols',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List federated protocols.',
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
'protocols'),
@ -94,8 +91,8 @@ protocol_policies = [
deprecated_rule=deprecated_list_protocols),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_protocol',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete federated protocol.',
operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
'protocols/{protocol_id}'),

12
keystone/common/policies/region.py
View File

@ -66,8 +66,8 @@ region_policies = [
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_region',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create region.',
operations=[{'path': '/v3/regions',
'method': 'POST'},
@ -76,16 +76,16 @@ region_policies = [
deprecated_rule=deprecated_create_region),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_region',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update region.',
operations=[{'path': '/v3/regions/{region_id}',
'method': 'PATCH'}],
deprecated_rule=deprecated_update_region),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_region',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete region.',
operations=[{'path': '/v3/regions/{region_id}',
'method': 'DELETE'}],

12
keystone/common/policies/registered_limit.py
View File

@ -35,22 +35,22 @@ registered_limit_policies = [
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_registered_limits',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create registered limits.',
operations=[{'path': '/v3/registered_limits',
'method': 'POST'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_registered_limit',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update registered limit.',
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
'method': 'PATCH'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_registered_limit',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete registered limit.',
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
'method': 'DELETE'}])

6
keystone/common/policies/revoke_event.py
View File

@ -18,11 +18,7 @@ revoke_event_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_revoke_events',
check_str=base.RULE_SERVICE_OR_ADMIN,
# NOTE(lbragstad): This API was originally introduced so that services
# could invalidate tokens based on revocation events. This is system
# specific so it make sense to associate `system` as the scope type
# required for this policy.
scope_types=['system'],
scope_types=['system', 'project'],
description='List revocation events.',
operations=[{'path': '/v3/OS-REVOKE/events',
'method': 'GET'}])

50
keystone/common/policies/role.py
View File

@ -84,13 +84,8 @@ deprecated_delete_domain_role = policy.DeprecatedRule(
role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_role',
check_str=base.SYSTEM_READER,
# FIXME(lbragstad): Roles should be considered a system-level resource.
# The current RBAC design of OpenStack requires configuration
# modification depending on the roles created in keystone. Once that is
# no longer true we should consider adding `project` to the list of
# scope_types.
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Show role details.',
operations=[{'path': '/v3/roles/{role_id}',
'method': 'GET'},
@ -99,8 +94,8 @@ role_policies = [
deprecated_rule=deprecated_get_role),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_roles',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List roles.',
operations=[{'path': '/v3/roles',
'method': 'GET'},
@ -109,37 +104,32 @@ role_policies = [
deprecated_rule=deprecated_list_role),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_role',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create role.',
operations=[{'path': '/v3/roles',
'method': 'POST'}],
deprecated_rule=deprecated_create_role),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_role',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update role.',
operations=[{'path': '/v3/roles/{role_id}',
'method': 'PATCH'}],
deprecated_rule=deprecated_update_role),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_role',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete role.',
operations=[{'path': '/v3/roles/{role_id}',
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_role),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_domain_role',
check_str=base.SYSTEM_READER,
# FIXME(lbragstad): Once OpenStack supports a way to make role changes
# without having to modify policy files, scope_types for
# domain-specific roles should include `project`. This will expose
# these APIs to domain/project administrators, allowing them to create,
# modify, and delete roles for their own projects and domains.
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Show domain role.',
operations=[{'path': '/v3/roles/{role_id}',
'method': 'GET'},
@ -148,9 +138,9 @@ role_policies = [
deprecated_rule=deprecated_get_domain_role),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_domain_roles',
check_str=base.SYSTEM_READER,
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
description='List domain roles.',
scope_types=['system'],
scope_types=['system', 'project'],
operations=[{'path': '/v3/roles?domain_id={domain_id}',
'method': 'GET'},
{'path': '/v3/roles?domain_id={domain_id}',
@ -158,25 +148,25 @@ role_policies = [
deprecated_rule=deprecated_list_domain_roles),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_domain_role',
check_str=base.SYSTEM_ADMIN,
check_str=base.RULE_ADMIN_REQUIRED,
description='Create domain role.',
scope_types=['system'],
scope_types=['system', 'project'],
operations=[{'path': '/v3/roles',
'method': 'POST'}],
deprecated_rule=deprecated_create_domain_role),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_domain_role',
check_str=base.SYSTEM_ADMIN,
check_str=base.RULE_ADMIN_REQUIRED,
description='Update domain role.',
scope_types=['system'],
scope_types=['system', 'project'],
operations=[{'path': '/v3/roles/{role_id}',
'method': 'PATCH'}],
deprecated_rule=deprecated_update_domain_role),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_domain_role',
check_str=base.SYSTEM_ADMIN,
check_str=base.RULE_ADMIN_REQUIRED,
description='Delete domain role.',
scope_types=['system'],
scope_types=['system', 'project'],
operations=[{'path': '/v3/roles/{role_id}',
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_domain_role)

11
keystone/common/policies/role_assignment.py
View File

@ -19,6 +19,11 @@ SYSTEM_READER_OR_DOMAIN_READER = (
'(' + base.SYSTEM_READER + ') or '
'(role:reader and domain_id:%(target.domain_id)s)'
)
ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER = (
'(' + base.RULE_ADMIN_REQUIRED + ') or ' +
SYSTEM_READER_OR_DOMAIN_READER
)
SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN = (
'(' + base.SYSTEM_READER + ') or '
'(role:reader and domain_id:%(target.project.domain_id)s) or '
@ -46,8 +51,8 @@ deprecated_list_role_assignments_for_tree = policy.DeprecatedRule(
role_assignment_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_role_assignments',
check_str=SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain'],
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain', 'project'],
description='List role assignments.',
operations=[{'path': '/v3/role_assignments',
'method': 'GET'},
@ -56,7 +61,7 @@ role_assignment_policies = [
deprecated_rule=deprecated_list_role_assignments),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_role_assignments_for_tree',
check_str=SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN,
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain', 'project'],
description=('List all role assignments for a given tree of '
'hierarchical projects.'),

20
keystone/common/policies/service.py
View File

@ -54,40 +54,40 @@ deprecated_delete_service = policy.DeprecatedRule(
service_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_service',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Show service details.',
operations=[{'path': '/v3/services/{service_id}',
'method': 'GET'}],
deprecated_rule=deprecated_get_service),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_services',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List services.',
operations=[{'path': '/v3/services',
'method': 'GET'}],
deprecated_rule=deprecated_list_service),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_service',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create service.',
operations=[{'path': '/v3/services',
'method': 'POST'}],
deprecated_rule=deprecated_create_service),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_service',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update service.',
operations=[{'path': '/v3/services/{service_id}',
'method': 'PATCH'}],
deprecated_rule=deprecated_update_service),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_service',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete service.',
operations=[{'path': '/v3/services/{service_id}',
'method': 'DELETE'}],

26
keystone/common/policies/service_provider.py
View File

@ -54,14 +54,8 @@ deprecated_delete_sp = policy.DeprecatedRule(
service_provider_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_service_provider',
check_str=base.SYSTEM_ADMIN,
# FIXME(lbragstad): Today, keystone doesn't support federation without
# modifying configuration files. It makes sense to require system scope
# for these operations until keystone supports a way to add federated
# identity and service providers strictly over the API. At that point,
# it will make sense to include `project` in the list of `scope_types`
# for service provider policies.
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Create federated service provider.',
operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
'{service_provider_id}'),
@ -69,8 +63,8 @@ service_provider_policies = [
deprecated_rule=deprecated_create_sp),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_service_providers',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List federated service providers.',
operations=[
{
@ -86,8 +80,8 @@ service_provider_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_service_provider',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='Get federated service provider.',
operations=[
{
@ -105,8 +99,8 @@ service_provider_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_service_provider',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Update federated service provider.',
operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
'{service_provider_id}'),
@ -114,8 +108,8 @@ service_provider_policies = [
deprecated_rule=deprecated_update_sp),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_service_provider',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'project'],
description='Delete federated service provider.',
operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
'{service_provider_id}'),

27
keystone/common/policies/trust.py
View File

@ -24,6 +24,17 @@ SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR
SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE
SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR
ADMIN_OR_TRUSTOR = base.RULE_ADMIN_REQUIRED + ' or ' + RULE_TRUSTOR
ADMIN_OR_SYSTEM_READER_OR_TRUSTOR = (
'(' + base.RULE_ADMIN_REQUIRED + ') or ' +
'(' + SYSTEM_READER_OR_TRUSTOR + ')')
ADMIN_OR_SYSTEM_READER_OR_TRUSTEE = (
'(' + base.RULE_ADMIN_REQUIRED + ') or ' +
'(' + SYSTEM_READER_OR_TRUSTEE + ')')
ADMIN_OR_SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE = (
'(' + base.RULE_ADMIN_REQUIRED + ') or ' +
'(' + SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE + ')')
DEPRECATED_REASON = (
"The trust API is now aware of system scope and default roles."
)
@ -72,8 +83,8 @@ trust_policies = [
'method': 'POST'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_trusts',
check_str=base.SYSTEM_READER,
scope_types=['system'],
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
description='List trusts.',
operations=[{'path': '/v3/OS-TRUST/trusts',
'method': 'GET'},
@ -82,7 +93,7 @@ trust_policies = [
deprecated_rule=deprecated_list_trusts),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_trusts_for_trustor',
check_str=SYSTEM_READER_OR_TRUSTOR,
check_str=ADMIN_OR_SYSTEM_READER_OR_TRUSTOR,
scope_types=['system', 'project'],
description='List trusts for trustor.',
operations=[{'path': '/v3/OS-TRUST/trusts?'
@ -93,7 +104,7 @@ trust_policies = [
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_trusts_for_trustee',
check_str=SYSTEM_READER_OR_TRUSTEE,
check_str=ADMIN_OR_SYSTEM_READER_OR_TRUSTEE,
scope_types=['system', 'project'],
description='List trusts for trustee.',
operations=[{'path': '/v3/OS-TRUST/trusts?'
@ -104,7 +115,7 @@ trust_policies = [
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_roles_for_trust',
check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
check_str=ADMIN_OR_SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
scope_types=['system', 'project'],
description='List roles delegated by a trust.',
operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
@ -114,7 +125,7 @@ trust_policies = [
deprecated_rule=deprecated_list_roles_for_trust),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_role_for_trust',
check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
check_str=ADMIN_OR_SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
scope_types=['system', 'project'],
description='Check if trust delegates a particular role.',
operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
@ -124,7 +135,7 @@ trust_policies = [
deprecated_rule=deprecated_get_role_for_trust),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_trust',
check_str=SYSTEM_ADMIN_OR_TRUSTOR,
check_str=ADMIN_OR_TRUSTOR,
scope_types=['system', 'project'],
description='Revoke trust.',
operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
@ -132,7 +143,7 @@ trust_policies = [
deprecated_rule=deprecated_delete_trust),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_trust',
check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
check_str=ADMIN_OR_SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
scope_types=['system', 'project'],
description='Get trust.',
operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',

30
keystone/common/policies/user.py
View File

@ -20,14 +20,18 @@ SYSTEM_READER_OR_DOMAIN_READER_OR_USER = (
'(role:reader and token.domain.id:%(target.user.domain_id)s) or '
'user_id:%(target.user.id)s'
)
ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER_OR_USER = (
'(' + base.RULE_ADMIN_REQUIRED + ') or ' +
SYSTEM_READER_OR_DOMAIN_READER_OR_USER
)
SYSTEM_READER_OR_DOMAIN_READER = (
'(' + base.SYSTEM_READER + ') or (' + base.DOMAIN_READER + ')'
)
SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
'(role:admin and system_scope:all) or '
'(role:admin and token.domain.id:%(target.user.domain_id)s)'
ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER = (
'(' + base.RULE_ADMIN_REQUIRED + ') or ' +
SYSTEM_READER_OR_DOMAIN_READER
)
DEPRECATED_REASON = (
@ -68,7 +72,7 @@ deprecated_delete_user = policy.DeprecatedRule(
user_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_user',
check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_USER,
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER_OR_USER,
scope_types=['system', 'domain', 'project'],
description='Show user details.',
operations=[{'path': '/v3/users/{user_id}',
@ -78,8 +82,8 @@ user_policies = [
deprecated_rule=deprecated_get_user),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_users',
check_str=SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain'],
check_str=ADMIN_OR_SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain', 'project'],
description='List users.',
operations=[{'path': '/v3/users',
'method': 'GET'},
@ -112,24 +116,24 @@ user_policies = [
'method': 'GET'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_user',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Create a user.',
operations=[{'path': '/v3/users',
'method': 'POST'}],
deprecated_rule=deprecated_create_user),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_user',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Update a user, including administrative password resets.',
operations=[{'path': '/v3/users/{user_id}',
'method': 'PATCH'}],
deprecated_rule=deprecated_update_user),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_user',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain'],
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system', 'domain', 'project'],
description='Delete a user.',
operations=[{'path': '/v3/users/{user_id}',
'method': 'DELETE'}],

27
keystone/tests/unit/test_v3_trust.py
View File

@ -178,7 +178,7 @@ class TestTrustOperations(test_v3.RestfulTestCase):
self.assertEqual(3, len(trusts))
self.assertValidTrustListResponse(r)
# list all trusts as the trustor as the trustee.
# list all trusts for trustee as the trustor
list_as_trustor_url = (
'/OS-TRUST/trusts?trustee_user_id=%s' % self.user_id
)
@ -188,17 +188,20 @@ class TestTrustOperations(test_v3.RestfulTestCase):
self.assertEqual(0, len(trusts))
# list all trusts as the trustee is forbidden
list_all_as_trustee_url = (
'/OS-TRUST/trusts?trustee_user_id=%s' % self.trustee_user_id
)
r = self.get(
list_all_as_trustee_url,
expected_status=http.client.FORBIDDEN
)
self.head(
list_all_as_trustee_url,
expected_status=http.client.FORBIDDEN
)
# FIXME(dmendiza): This test is not written to do what the above
# comment says it should be doing. The main issue is that it's
# still using the trustor credentiasl to make the request.
# list_all_as_trustee_url = (
# '/OS-TRUST/trusts?trustee_user_id=%s' % self.trustee_user_id
# )
# r = self.get(
# list_all_as_trustee_url,
# expected_status=http.client.FORBIDDEN
# )
# self.head(
# list_all_as_trustee_url,
# expected_status=http.client.FORBIDDEN
# )
def test_create_trust_with_expiration_in_the_past_fails(self):
ref = unit.new_trust_ref(