From f89154c3d4a0930c3a5814369fc801de08c79271 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 6 Dec 2017 20:47:27 +0000
Subject: [PATCH] Add scope_types to oauth policies
Change-Id: I5f6d96373d2b53632596f6d35ba099e818a0eded
---
 keystone/common/policies/access_token.py | 9 +++++++++
 keystone/common/policies/consumer.py | 5 +++++
 2 files changed, 14 insertions(+)
diff --git a/keystone/common/policies/access_token.py b/keystone/common/policies/access_token.py
index 974bd62668..00b7e8be9b 100644
--- a/keystone/common/policies/access_token.py
+++ b/keystone/common/policies/access_token.py
@@ -18,12 +18,17 @@ access_token_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'authorize_request_token',
 check_str=base.RULE_ADMIN_REQUIRED,
+ # Since access tokens require a request token and request tokens
+ # require a project, it makes sense to have a project-scoped token in
+ # order to access these APIs.
+ scope_types=['project'],
 description='Authorize OAUTH1 request token.',
 operations=[{'path': '/v3/OS-OAUTH1/authorize/{request_token_id}',
 'method': 'PUT'}]),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_access_token',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['project'],
 description='Get OAUTH1 access token for user by access token ID.',
 operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
 '{access_token_id}'),
@@ -31,6 +36,7 @@ access_token_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_access_token_role',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['project'],
 description='Get role for user OAUTH1 access token.',
 operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
 '{access_token_id}/roles/{role_id}'),
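Review bot: The rationale comment on `authorize_request_token` is the only explanation of why these rules are project-scoped, yet `scope_types=['project']` is added without comment to `get_access_token` here and to `get_access_token_role`, `list_access_tokens`, `list_access_token_roles` and `delete_access_token` in the following hunks; one module-level line above `access_token_policies` (outside this hunk), e.g. `# All OAUTH1 access-token rules are project-scoped: request tokens are bound to a project.`, would keep the reasoning in one place. Note that `check_str` stays `base.RULE_ADMIN_REQUIRED` and the hunks show no check tying the caller's project to the `{user_id}` in the path, so `scope_types` narrows the kind of token accepted, not which users' access tokens a project admin may read or delete. As far as I can tell from oslo.policy, the scope restriction is only enforced once `enforce_scope` is enabled, and until then a mismatched (e.g. system-scoped) token produces a warning rather than a rejection; that is worth a sentence in the commit message so operators know when this change takes effect.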
@@ -38,12 +44,14 @@ access_token_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_access_tokens',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['project'],
 description='List OAUTH1 access tokens for user.',
 operations=[{'path': '/v3/users/{user_id}/OS-OAUTH1/access_tokens',
 'method': 'GET'}]),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_access_token_roles',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['project'],
 description='List OAUTH1 access token roles.',
 operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
 '{access_token_id}/roles'),
@@ -51,6 +59,7 @@ access_token_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_access_token',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['project'],
 description='Delete OAUTH1 access token.',
 operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
 '{access_token_id}'),
diff --git a/keystone/common/policies/consumer.py b/keystone/common/policies/consumer.py
index c5d284ec5e..6f511f2eef 100644
--- a/keystone/common/policies/consumer.py
+++ b/keystone/common/policies/consumer.py
@@ -18,30 +18,35 @@ consumer_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_consumer',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
 description='Show OAUTH1 consumer details.',
 operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
 'method': 'GET'}]),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_consumers',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
 description='List OAUTH1 consumers.',
 operations=[{'path': '/v3/OS-OAUTH1/consumers',
 'method': 'GET'}]),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_consumer',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
 description='Create OAUTH1 consumer.',
 operations=[{'path': '/v3/OS-OAUTH1/consumers',
 'method': 'POST'}]),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_consumer',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
 description='Update OAUTH1 consumer.',
 operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
 'method': 'PATCH'}]),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_consumer',
 check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
 description='Delete OAUTH1 consumer.',
 operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
 'method': 'DELETE'}])
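Review bot: The five `scope_types=['system']` additions carry no comment explaining why consumer rules are system-scoped while the access-token rules in access_token.py are project-scoped; both files keep `check_str=base.RULE_ADMIN_REQUIRED`, so the scope value is the only thing that separates the two sets and a reader later moving these rules to scoped defaults will want the reasoning. A comment on `get_consumer` in the style of the one in access_token.py, e.g. `# Consumers are presumably deployment-wide OAUTH1 registrations rather than project resources, so require system scope.`, would do, with the assumption confirmed against the consumer API. Once `enforce_scope` is on this also means a project-scoped admin token can no longer manage consumers at all, which is an operator-visible behaviour change; the diffstat shows only the two policy files, so there is no release note for it in this patch.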