OpenStack Identity (Keystone)

credential.py 4.3KB

  1. # Licensed under the Apache License, Version 2.0 (the "License"); you may
  2. # not use this file except in compliance with the License. You may obtain
  3. # a copy of the License at
  4. #
  5. # http://www.apache.org/licenses/LICENSE-2.0
  6. #
  7. # Unless required by applicable law or agreed to in writing, software
  8. # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  9. # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  10. # License for the specific language governing permissions and limitations
  11. # under the License.
  12. from oslo_log import versionutils
  13. from oslo_policy import policy
  14. from keystone.common.policies import base
# Ownership predicate shared by every credential rule: the caller's user_id
# must equal the user_id of the credential being acted on. oslo.policy fills
# in the %(target.credential.user_id)s placeholder from the target dict the
# API passes at enforcement time; if that key is absent the owner branch
# cannot match and only the system-scoped branch remains.
# NOTE(review): the predicate matches on user_id only. It does not tie the
# call to the credential's project or inspect the credential payload, so any
# project-scope restriction has to be applied by the API layer -- confirm.
_CRED_OWNER = 'user_id:%(target.credential.user_id)s'

# Read access: a system-scoped reader, or the owning user.
SYSTEM_READER_OR_CRED_OWNER = (
    '(role:reader and system_scope:all) or ' + _CRED_OWNER
)

# Write access: a system-scoped admin, or the owning user.
SYSTEM_ADMIN_OR_CRED_OWNER = (
    '(role:admin and system_scope:all) or ' + _CRED_OWNER
)

# Rationale attached to every rule whose legacy admin-only default is
# superseded; rendered into the generated policy documentation.
DEPRECATED_REASON = ' '.join((
    'As of the Stein release, the credential API now understands how to',
    'handle system-scoped tokens in addition to project-scoped tokens, making',
    'the API more accessible to users without compromising security or',
    'manageability for administrators. The new default policies for this API',
    'account for these changes automatically.',
))
def _legacy_admin_rule(operation):
    """Return the pre-Stein rule for *operation*: admin role required.

    The legacy rule is kept so oslo.policy can warn operators whose overrides
    still target the old admin-only default, and so the old behaviour stays
    available during the deprecation window.
    """
    return policy.DeprecatedRule(
        name=base.IDENTITY % operation,
        check_str=base.RULE_ADMIN_REQUIRED,
    )


# NOTE(review): while a rule still carries a deprecated_rule, oslo.policy
# presumably honours the old check string alongside the new one until the
# deployment opts in to the new defaults -- verify the enforcer configuration
# before relying on the owner-only restriction of the replacement rules.
deprecated_get_credential = _legacy_admin_rule('get_credential')
deprecated_list_credentials = _legacy_admin_rule('list_credentials')
deprecated_create_credential = _legacy_admin_rule('create_credential')
deprecated_update_credential = _legacy_admin_rule('update_credential')
deprecated_delete_credential = _legacy_admin_rule('delete_credential')
def _credential_rule(operation, check_str, description, path, method,
                     deprecated_rule):
    """Build one documented policy rule for the credential API.

    Every rule in this module shares the same scope types, deprecation
    reason and deprecation release; only the per-operation fields vary.
    """
    return policy.DocumentedRuleDefault(
        name=base.IDENTITY % operation,
        check_str=check_str,
        # Both token scopes are accepted. Whether a token of another scope is
        # rejected or merely logged is decided by the enforcer's scope
        # enforcement setting, which this module does not control.
        scope_types=['system', 'project'],
        description=description,
        operations=[{'path': path, 'method': method}],
        deprecated_rule=deprecated_rule,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.STEIN,
    )


_COLLECTION = '/v3/credentials'
_MEMBER = '/v3/credentials/{credential_id}'

credential_policies = [
    _credential_rule(
        'get_credential', SYSTEM_READER_OR_CRED_OWNER,
        'Show credentials details.', _MEMBER, 'GET',
        deprecated_get_credential,
    ),
    # NOTE(review): the owner branch names a single target.credential, yet
    # this is a collection endpoint; presumably the API restricts the listing
    # to the caller's own credentials when the system-reader branch does not
    # match -- confirm in the API layer.
    _credential_rule(
        'list_credentials', SYSTEM_READER_OR_CRED_OWNER,
        'List credentials.', _COLLECTION, 'GET',
        deprecated_list_credentials,
    ),
    # NOTE(review): on create there is no stored credential, so
    # target.credential.user_id presumably comes from the request body.
    # The policy only compares it with the token's user_id; validating the
    # rest of the payload (project, blob contents) is up to the API layer.
    _credential_rule(
        'create_credential', SYSTEM_ADMIN_OR_CRED_OWNER,
        'Create credential.', _COLLECTION, 'POST',
        deprecated_create_credential,
    ),
    _credential_rule(
        'update_credential', SYSTEM_ADMIN_OR_CRED_OWNER,
        'Update credential.', _MEMBER, 'PATCH',
        deprecated_update_credential,
    ),
    _credential_rule(
        'delete_credential', SYSTEM_ADMIN_OR_CRED_OWNER,
        'Delete credential.', _MEMBER, 'DELETE',
        deprecated_delete_credential,
    ),
]
def list_rules():
    """Return the credential policy rules this module registers.

    This is the hook the policy loader calls. It hands back the module-level
    list object itself, not a copy, so callers should not mutate it.
    """
    rules = credential_policies
    return rules