Add scope_types to oauth policies
Change-Id: I5f6d96373d2b53632596f6d35ba099e818a0eded
This commit is contained in:
parent
c59c660a10
commit
f89154c3d4
@ -18,12 +18,17 @@ access_token_policies = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'authorize_request_token',
|
name=base.IDENTITY % 'authorize_request_token',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
# Since access tokens require a request token and request tokens
|
||||||
|
# require a project, it makes sense to have a project-scoped token in
|
||||||
|
# order to access these APIs.
|
||||||
|
scope_types=['project'],
|
||||||
description='Authorize OAUTH1 request token.',
|
description='Authorize OAUTH1 request token.',
|
||||||
operations=[{'path': '/v3/OS-OAUTH1/authorize/{request_token_id}',
|
operations=[{'path': '/v3/OS-OAUTH1/authorize/{request_token_id}',
|
||||||
'method': 'PUT'}]),
|
'method': 'PUT'}]),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_access_token',
|
name=base.IDENTITY % 'get_access_token',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['project'],
|
||||||
description='Get OAUTH1 access token for user by access token ID.',
|
description='Get OAUTH1 access token for user by access token ID.',
|
||||||
operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
|
operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
|
||||||
'{access_token_id}'),
|
'{access_token_id}'),
|
||||||
@ -31,6 +36,7 @@ access_token_policies = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_access_token_role',
|
name=base.IDENTITY % 'get_access_token_role',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['project'],
|
||||||
description='Get role for user OAUTH1 access token.',
|
description='Get role for user OAUTH1 access token.',
|
||||||
operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
|
operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
|
||||||
'{access_token_id}/roles/{role_id}'),
|
'{access_token_id}/roles/{role_id}'),
|
||||||
@ -38,12 +44,14 @@ access_token_policies = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_access_tokens',
|
name=base.IDENTITY % 'list_access_tokens',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['project'],
|
||||||
description='List OAUTH1 access tokens for user.',
|
description='List OAUTH1 access tokens for user.',
|
||||||
operations=[{'path': '/v3/users/{user_id}/OS-OAUTH1/access_tokens',
|
operations=[{'path': '/v3/users/{user_id}/OS-OAUTH1/access_tokens',
|
||||||
'method': 'GET'}]),
|
'method': 'GET'}]),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_access_token_roles',
|
name=base.IDENTITY % 'list_access_token_roles',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['project'],
|
||||||
description='List OAUTH1 access token roles.',
|
description='List OAUTH1 access token roles.',
|
||||||
operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
|
operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
|
||||||
'{access_token_id}/roles'),
|
'{access_token_id}/roles'),
|
||||||
@ -51,6 +59,7 @@ access_token_policies = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_access_token',
|
name=base.IDENTITY % 'delete_access_token',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['project'],
|
||||||
description='Delete OAUTH1 access token.',
|
description='Delete OAUTH1 access token.',
|
||||||
operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
|
operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
|
||||||
'{access_token_id}'),
|
'{access_token_id}'),
|
||||||
|
@ -18,30 +18,35 @@ consumer_policies = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_consumer',
|
name=base.IDENTITY % 'get_consumer',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['system'],
|
||||||
description='Show OAUTH1 consumer details.',
|
description='Show OAUTH1 consumer details.',
|
||||||
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
||||||
'method': 'GET'}]),
|
'method': 'GET'}]),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_consumers',
|
name=base.IDENTITY % 'list_consumers',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['system'],
|
||||||
description='List OAUTH1 consumers.',
|
description='List OAUTH1 consumers.',
|
||||||
operations=[{'path': '/v3/OS-OAUTH1/consumers',
|
operations=[{'path': '/v3/OS-OAUTH1/consumers',
|
||||||
'method': 'GET'}]),
|
'method': 'GET'}]),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_consumer',
|
name=base.IDENTITY % 'create_consumer',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['system'],
|
||||||
description='Create OAUTH1 consumer.',
|
description='Create OAUTH1 consumer.',
|
||||||
operations=[{'path': '/v3/OS-OAUTH1/consumers',
|
operations=[{'path': '/v3/OS-OAUTH1/consumers',
|
||||||
'method': 'POST'}]),
|
'method': 'POST'}]),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_consumer',
|
name=base.IDENTITY % 'update_consumer',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['system'],
|
||||||
description='Update OAUTH1 consumer.',
|
description='Update OAUTH1 consumer.',
|
||||||
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
||||||
'method': 'PATCH'}]),
|
'method': 'PATCH'}]),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_consumer',
|
name=base.IDENTITY % 'delete_consumer',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
scope_types=['system'],
|
||||||
description='Delete OAUTH1 consumer.',
|
description='Delete OAUTH1 consumer.',
|
||||||
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
||||||
'method': 'DELETE'}])
|
'method': 'DELETE'}])
|
||||||
|
Loading…
Reference in New Issue
Block a user