openstack
/
keystone
Code Issues Proposed changes
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
stable/xena
stable/2023.1
stable/yoga
stable/zed
stable/wallaby
stable/train
stable/ussuri
stable/victoria
stable/stein
stable/rocky
xena-em
23.0.0
23.0.0.0rc1
20.0.1
queens-eol
wallaby-em
22.0.0
22.0.0.0rc1
pike-eol
19.0.1
victoria-em
21.0.0
21.0.0.0rc1
18.1.0
ussuri-em
20.0.0
20.0.0.0rc1
17.0.1
ocata-eol
train-em
16.0.2
19.0.0
19.0.0.0rc2
19.0.0.0rc1
stein-em
18.0.0
18.0.0.0rc1
17.0.0
16.0.1
15.0.1
17.0.0.0rc2
17.0.0.0rc1
rocky-em
14.2.0
queens-em
13.0.4
13.0.3
16.0.0
16.0.0.0rc2
16.0.0.0rc1
pike-em
12.0.3
ocata-em
15.0.0
14.1.0
15.0.0.0rc2
15.0.0.0rc1
14.0.1
12.0.2
13.0.2
14.0.0
14.0.0.0rc2
14.0.0.0rc1
12.0.1
11.0.4
13.0.1
14.0.0.0b3
14.0.0.0b2
14.0.0.0b1
13.0.0
13.0.0.0rc2
13.0.0.0rc1
13.0.0.0b3
13.0.0.0b2
newton-eol
13.0.0.0b1
12.0.0
12.0.0.0rc2
12.0.0.0rc1
12.0.0.0b3
10.0.3
11.0.3
mitaka-eol
10.0.2
12.0.0.0b2
11.0.2
11.0.1
12.0.0.0b1
11.0.0
11.0.0.0rc1
9.3.0
10.0.1
11.0.0.0b3
11.0.0.0b2
liberty-eol
11.0.0.0b1
10.0.0
10.0.0.0rc3
10.0.0.0rc2
9.2.0
10.0.0.0rc1
10.0.0.0b3
10.0.0.0b2
9.1.0
10.0.0.0b1
8.1.2
9.0.2
9.0.1
kilo-eol
2015.1.4
9.0.0
9.0.0.0rc3
9.0.0.0rc2
9.0.0.0rc1
8.1.0
9.0.0.0b3
2015.1.3
9.0.0.0b2
8.0.1
juno-eol
9.0.0.0b1
2014.2.4
8.0.0
2015.1.2
8.0.0.0rc2
8.0.0.0rc1
8.0.0.0b3
8.0.0.0b2
2015.1.1
icehouse-eol
8.0.0.0b1
2014.1.5
8.0.0a0
2015.1.0
2015.1.0rc2
2014.2.3
2015.1.0rc1
2015.1.0b3
2014.1.4
2014.2.2
2015.1.0b2
2015.1.0b1
2014.2.1
2014.2
2014.2.rc2
2014.1.3
2014.2.rc1
havana-eol
2013.2.4
2014.2.b3
2014.1.2.1
2014.1.2
2014.2.b2
2014.2.b1
2014.1.1
2014.1
2014.1.rc2
2013.2.3
grizzly-eol
2014.1.rc1
2013.1.5
2014.1.b3
2013.2.2
2014.1.b2
2013.2.1
2014.1.b1
folsom-eol
2013.1.4
2013.2
2013.2.rc4
2013.2.rc3
2013.2.rc2
2013.2.rc1
2013.2.b3
2013.1.3
2013.2.b2
2013.1.2
2013.2.b1
2013.1.1
essex-eol
diablo-eol
2012.2.4
2013.1
2013.1.rc3
2013.1.rc2
2013.1.rc1
2013.1.g3
2012.2.3
grizzly-2
2012.2.1
grizzly-1
2012.1.3
2012.2
folsom-rc2
folsom-rc1
folsom-3
2012.1.2
folsom-2
2012.1.1
folsom-1
2012.1
essex-rc2
essex-rc1
2011.3
2011.3.1
essex-1
essex-2
essex-3
essex-4
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
keystone/keystone/common/policies/access_token.py

72 lines
3.1 KiB
Python
Raw Permalink Blame History

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from keystone.common.policies import base
access_token_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'authorize_request_token',
check_str=base.RULE_ADMIN_REQUIRED,
# Since access tokens require a request token and request tokens
# require a project, it makes sense to have a project-scoped token in
# order to access these APIs.
scope_types=['project'],
description='Authorize OAUTH1 request token.',
operations=[{'path': '/v3/OS-OAUTH1/authorize/{request_token_id}',
'method': 'PUT'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_access_token',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['project'],
description='Get OAUTH1 access token for user by access token ID.',
operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
'{access_token_id}'),
'method': 'GET'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_access_token_role',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['project'],
description='Get role for user OAUTH1 access token.',
operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
'{access_token_id}/roles/{role_id}'),
'method': 'GET'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_access_tokens',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['project'],
description='List OAUTH1 access tokens for user.',
operations=[{'path': '/v3/users/{user_id}/OS-OAUTH1/access_tokens',
'method': 'GET'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_access_token_roles',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['project'],
description='List OAUTH1 access token roles.',
operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
'{access_token_id}/roles'),
'method': 'GET'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_access_token',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['project'],
description='Delete OAUTH1 access token.',
operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
'{access_token_id}'),
'method': 'DELETE'}])
]
def list_rules():
return access_token_policies
View Git Blame Copy Permalink