OpenStack Identity (Keystone)

  1. # Licensed under the Apache License, Version 2.0 (the "License"); you may
  2. # not use this file except in compliance with the License. You may obtain
  3. # a copy of the License at
  4. #
  5. # http://www.apache.org/licenses/LICENSE-2.0
  6. #
  7. # Unless required by applicable law or agreed to in writing, software
  8. # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  9. # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  10. # License for the specific language governing permissions and limitations
  11. # under the License.
  12. from oslo_policy import policy
  13. from keystone.common.policies import base
  # Templated API paths referenced by the documented operations below.
  collection_path = '/v3/users/{user_id}/application_credentials'
  resource_path = collection_path + '/{application_credential_id}'

  # NOTE(review): scope_types is left unset on every rule in this list, so
  # oslo.policy applies no token-scope restriction to them; authorization
  # rests on check_str alone. base.RULE_ADMIN_OR_OWNER is defined in
  # keystone.common.policies.base and is not shown here -- confirm what it
  # treats as "owner" before relying on these defaults.
  application_credential_policies = [
      policy.DocumentedRuleDefault(
          name=base.IDENTITY % 'get_application_credential',
          check_str=base.RULE_ADMIN_OR_OWNER,
          # FIXME(cmurphy) A system administrator should be able to manage
          # any application credential. A user with a role on a project
          # should be able to manage their own application credential. We
          # don't currently have a way of describing how a project
          # administrator should or should not be able to manage application
          # credentials related to their project. scope_types will remain
          # commented out for now and will be updated when we have an answer
          # for this. The same applies to the other policies in this file.
          # scope_types=['system', 'project'],
          description='Show application credential details.',
          operations=[
              {'path': resource_path, 'method': verb}
              for verb in ('GET', 'HEAD')
          ],
      ),
      policy.DocumentedRuleDefault(
          name=base.IDENTITY % 'list_application_credentials',
          check_str=base.RULE_ADMIN_OR_OWNER,
          # scope_types=['system', 'project'],
          description='List application credentials for a user.',
          operations=[
              {'path': collection_path, 'method': verb}
              for verb in ('GET', 'HEAD')
          ],
      ),
      policy.DocumentedRuleDefault(
          name=base.IDENTITY % 'create_application_credential',
          check_str=base.RULE_ADMIN_OR_OWNER,
          # scope_types=['system', 'project'],
          description='Create an application credential.',
          operations=[{'path': collection_path, 'method': 'POST'}],
      ),
      policy.DocumentedRuleDefault(
          name=base.IDENTITY % 'delete_application_credential',
          check_str=base.RULE_ADMIN_OR_OWNER,
          # scope_types=['system', 'project'],
          description='Delete an application credential.',
          operations=[{'path': resource_path, 'method': 'DELETE'}],
      ),
  ]
  def list_rules():
      """Return the application credential policy defaults of this module.

      The module-level list object itself is returned, not a copy, so a
      caller that mutates the result changes what later callers see.
      """
      rules = application_credential_policies
      return rules