feat: Add barbican policy and service_mapping

1. add barbican related policy
2. add barbican into service_mapping
3. add release note for barbican
4. update release notes for zun and magnum

Change-Id: I366e4482617654baab9091736e6f2b186aed6371
zhu.boxiang 2022-06-07 14:05:47 +08:00
parent 10c910c6d5
commit fc547f8467
8 changed files with 496 additions and 4 deletions


@ -75,6 +75,7 @@ openstack:
database: trove
identity: keystone
image: glance
key-manager: barbican
load-balancer: octavia
network: neutron
object-store: swift


@ -0,0 +1,7 @@
---
features:
- |
Add ``key-manager: barbican`` into service_mapping of skyline config. So that we will
generate barbican related endpoint into nginx file.
- |
Add barbican related policies. So that we provide policies of barbican to skyline-console.


@ -1,4 +1,7 @@
---
features:
- |
Add Magnum config and policy in order to configure endpoint and provide policy to skyline-console.
Add ``container-infra: magnum`` into service_mapping of skyline config. So that we will
generate magnum related endpoint into nginx file.
- |
Add magnum related policies. So that we provide policies of magnum to skyline-console.


@ -1,4 +1,7 @@
---
features:
- |
Add Zun config and policy in order to configure endpoint and provide policy to skyline-console.
Add ``container: zun`` into service_mapping of skyline config. So that we will
generate zun related endpoint into nginx file.
- |
Add zun related policies. So that we provide policies of zun to skyline-console.


@ -173,13 +173,14 @@ service_mapping = Opt(
"database": "trove",
"identity": "keystone",
"image": "glance",
"key-manager": "barbican",
"load-balancer": "octavia",
"network": "neutron",
"object-store": "swift",
"orchestration": "heat",
"placement": "placement",
"volumev3": "cinder",
"sharev2": "manilav2",
"volumev3": "cinder",
},
)


@ -0,0 +1,470 @@
# flake8: noqa
# fmt: off
from . import base
list_rules = (
base.Rule(
name="admin",
check_str=("role:admin"),
description="No description",
),
base.Rule(
name="observer",
check_str=("role:observer"),
description="No description",
),
base.Rule(
name="creator",
check_str=("role:creator"),
description="No description",
),
base.Rule(
name="audit",
check_str=("role:audit"),
description="No description",
),
base.Rule(
name="service_admin",
check_str=("role:key-manager:service-admin"),
description="No description",
),
base.Rule(
name="admin_or_creator",
check_str=("rule:admin or rule:creator"),
description="No description",
),
base.Rule(
name="all_but_audit",
check_str=("rule:admin or rule:observer or rule:creator"),
description="No description",
),
base.Rule(
name="all_users",
check_str=("rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"),
description="No description",
),
base.Rule(
name="secret_project_match",
check_str=("project_id:%(target.secret.project_id)s"),
description="No description",
),
base.Rule(
name="secret_acl_read",
check_str=("'read':%(target.secret.read)s"),
description="No description",
),
base.Rule(
name="secret_private_read",
check_str=("'False':%(target.secret.read_project_access)s"),
description="No description",
),
base.Rule(
name="secret_creator_user",
check_str=("user_id:%(target.secret.creator_id)s"),
description="No description",
),
base.Rule(
name="container_project_match",
check_str=("project_id:%(target.container.project_id)s"),
description="No description",
),
base.Rule(
name="container_acl_read",
check_str=("'read':%(target.container.read)s"),
description="No description",
),
base.Rule(
name="container_private_read",
check_str=("'False':%(target.container.read_project_access)s"),
description="No description",
),
base.Rule(
name="container_creator_user",
check_str=("user_id:%(target.container.creator_id)s"),
description="No description",
),
base.Rule(
name="secret_non_private_read",
check_str=("rule:all_users and rule:secret_project_match and not rule:secret_private_read"),
description="No description",
),
base.Rule(
name="secret_decrypt_non_private_read",
check_str=("rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"),
description="No description",
),
base.Rule(
name="container_non_private_read",
check_str=("rule:all_users and rule:container_project_match and not rule:container_private_read"),
description="No description",
),
base.Rule(
name="secret_project_admin",
check_str=("rule:admin and rule:secret_project_match"),
description="No description",
),
base.Rule(
name="secret_project_creator",
check_str=("rule:creator and rule:secret_project_match and rule:secret_creator_user"),
description="No description",
),
base.Rule(
name="secret_project_creator_role",
check_str=("rule:creator and rule:secret_project_match"),
description="No description",
),
base.Rule(
name="container_project_admin",
check_str=("rule:admin and rule:container_project_match"),
description="No description",
),
base.Rule(
name="container_project_creator",
check_str=("rule:creator and rule:container_project_match and rule:container_creator_user"),
description="No description",
),
base.Rule(
name="container_project_creator_role",
check_str=("rule:creator and rule:container_project_match"),
description="No description",
),
base.APIRule(
name="secret_acls:get",
check_str=("(rule:all_but_audit and rule:secret_project_match) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
description="Retrieve the ACL settings for a given secret.If no ACL is defined for that secret, then Default ACL is returned.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/acl"}],
),
base.APIRule(
name="secret_acls:delete",
check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
description="Delete the ACL settings for a given secret.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/secrets/{secret-id}/acl"}],
),
base.APIRule(
name="secret_acls:put_patch",
check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
description="Create new, replaces, or updates existing ACL for a given secret.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/secrets/{secret-id}/acl"}, {"method": "PATCH", "path": "/v1/secrets/{secret-id}/acl"}],
),
base.APIRule(
name="container_acls:get",
check_str=("(rule:all_but_audit and rule:container_project_match) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
description="Retrieve the ACL settings for a given container.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container-id}/acl"}],
),
base.APIRule(
name="container_acls:delete",
check_str=("rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
description="Delete ACL for a given container. No content is returned in the case of successful deletion.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/acl"}],
),
base.APIRule(
name="container_acls:put_patch",
check_str=("rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
description="Create new or replaces existing ACL for a given container.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/containers/{container-id}/acl"}, {"method": "PATCH", "path": "/v1/containers/{container-id}/acl"}],
),
base.APIRule(
name="consumer:get",
check_str=("rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"),
description="DEPRECATED: show information for a specific consumer",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/containers/{container-id}/consumers/{consumer-id}"}],
),
base.APIRule(
name="container_consumers:get",
check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"),
description="List a containers consumers.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/containers/{container-id}/consumers"}],
),
base.APIRule(
name="container_consumers:post",
check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"),
description="Creates a consumer.",
scope_types=["project", "system"],
operations=[{"method": "POST", "path": "/v1/containers/{container-id}/consumers"}],
),
base.APIRule(
name="container_consumers:delete",
check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"),
description="Deletes a consumer.",
scope_types=["project", "system"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/consumers"}],
),
base.APIRule(
name="secret_consumers:get",
check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"),
description="List consumers for a secret.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/consumers"}],
),
base.APIRule(
name="secret_consumers:post",
check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"),
description="Creates a consumer.",
scope_types=["project", "system"],
operations=[{"method": "POST", "path": "/v1/secrets/{secrets-id}/consumers"}],
),
base.APIRule(
name="secret_consumers:delete",
check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"),
description="Deletes a consumer.",
scope_types=["project", "system"],
operations=[{"method": "DELETE", "path": "/v1/secrets/{secrets-id}/consumers"}],
),
base.APIRule(
name="containers:post",
check_str=("rule:admin_or_creator or role:member"),
description="Creates a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
),
base.APIRule(
name="containers:get",
check_str=("rule:all_but_audit or role:member"),
description="Lists a projects containers.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers"}],
),
base.APIRule(
name="container:get",
check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
description="Retrieves a single container.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container-id}"}],
),
base.APIRule(
name="container:delete",
check_str=("rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
description="Deletes a container.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{uuid}"}],
),
base.APIRule(
name="container_secret:post",
check_str=("rule:container_project_admin or rule:container_project_creator or rule:container_project_creator_role and rule:container_non_private_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
description="Add a secret to an existing container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container-id}/secrets"}],
),
base.APIRule(
name="container_secret:delete",
check_str=("rule:container_project_admin or rule:container_project_creator or rule:container_project_creator_role and rule:container_non_private_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
description="Remove a secret from a container.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/secrets/{secret-id}"}],
),
base.APIRule(
name="orders:get",
check_str=("rule:all_but_audit or role:member"),
description="Gets list of all orders associated with a project.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/orders"}],
),
base.APIRule(
name="orders:post",
check_str=("rule:admin_or_creator or role:member"),
description="Creates an order.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/orders"}],
),
base.APIRule(
name="orders:put",
check_str=("rule:admin_or_creator or role:member"),
description="Unsupported method for the orders API.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/orders"}],
),
base.APIRule(
name="order:get",
check_str=("rule:all_users and project_id:%(target.order.project_id)s or role:member and project_id:%(target.order.project_id)s"),
description="Retrieves an orders metadata.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/orders/{order-id}"}],
),
base.APIRule(
name="order:delete",
check_str=("rule:admin and project_id:%(target.order.project_id)s or role:member and project_id:%(target.order.project_id)s"),
description="Deletes an order.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/orders/{order-id}"}],
),
base.APIRule(
name="quotas:get",
check_str=("rule:all_users or role:reader"),
description="List quotas for the project the user belongs to.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas"}],
),
base.APIRule(
name="project_quotas:get",
check_str=("rule:service_admin or role:reader and system_scope:all"),
description="List quotas for the specified project.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/v1/project-quotas"}, {"method": "GET", "path": "/v1/project-quotas/{uuid}"}],
),
base.APIRule(
name="project_quotas:put",
check_str=("rule:service_admin or role:admin and system_scope:all"),
description="Create or update the configured project quotas for the project with the specified UUID.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/v1/project-quotas/{uuid}"}],
),
base.APIRule(
name="project_quotas:delete",
check_str=("rule:service_admin or role:admin and system_scope:all"),
description="Delete the project quotas configuration for the project with the requested UUID.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/v1/quotas}"}],
),
base.APIRule(
name="secret_meta:get",
check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
description="metadata/: Lists a secrets user-defined metadata. || metadata/{key}: Retrieves a secrets user-added metadata.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/metadata"}, {"method": "GET", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
),
base.APIRule(
name="secret_meta:post",
check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
description="Adds a new key/value pair to the secrets user-defined metadata.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
),
base.APIRule(
name="secret_meta:put",
check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
description="metadata/: Sets the user-defined metadata for a secret || metadata/{key}: Updates an existing key/value pair in the secrets user-defined metadata.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/secrets/{secret-id}/metadata"}, {"method": "PUT", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
),
base.APIRule(
name="secret_meta:delete",
check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
description="Delete secret user-defined metadata by key.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
),
base.APIRule(
name="secret:decrypt",
check_str=("rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
description="Retrieve a secrets payload.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/secrets/{uuid}/payload"}],
),
base.APIRule(
name="secret:get",
check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
description="Retrieves a secrets metadata.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}"}],
),
base.APIRule(
name="secret:put",
check_str=("rule:admin_or_creator and rule:secret_project_match or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
description="Add the payload to an existing metadata-only secret.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/secrets/{secret-id}"}],
),
base.APIRule(
name="secret:delete",
check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and not rule:secret_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
description="Delete a secret by uuid.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/secrets/{secret-id}"}],
),
base.APIRule(
name="secrets:post",
check_str=("rule:admin_or_creator or role:member"),
description="Creates a Secret entity.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/secrets"}],
),
base.APIRule(
name="secrets:get",
check_str=("rule:all_but_audit or role:member"),
description="Lists a projects secrets.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/secrets"}],
),
base.APIRule(
name="secretstores:get",
check_str=("rule:all_users or role:reader"),
description="Get list of available secret store backends.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secret-stores"}],
),
base.APIRule(
name="secretstores:get_global_default",
check_str=("rule:all_users or role:reader"),
description="Get a reference to the secret store that is used as default secret store backend for the deployment.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secret-stores/global-default"}],
),
base.APIRule(
name="secretstores:get_preferred",
check_str=("rule:all_users or role:reader"),
description="Get a reference to the preferred secret store if assigned previously.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secret-stores/preferred"}],
),
base.APIRule(
name="secretstore_preferred:post",
check_str=("rule:admin"),
description="Set a secret store backend to be preferred store backend for their project.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/secret-stores/{ss-id}/preferred"}],
),
base.APIRule(
name="secretstore_preferred:delete",
check_str=("rule:admin"),
description="Remove preferred secret store backend setting for their project.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/secret-stores/{ss-id}/preferred"}],
),
base.APIRule(
name="secretstore:get",
check_str=("rule:all_users or role:reader"),
description="Get details of secret store by its ID.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secret-stores/{ss-id}"}],
),
base.APIRule(
name="transport_key:get",
check_str=("rule:all_users or role:reader"),
description="Get a specific transport key.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/transport_keys/{key-id}}"}],
),
base.APIRule(
name="transport_key:delete",
check_str=("role:admin and system_scope:all"),
description="Delete a specific transport key.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/v1/transport_keys/{key-id}"}],
),
base.APIRule(
name="transport_keys:get",
check_str=("rule:all_users or role:reader"),
description="Get a list of all transport keys.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/transport_keys"}],
),
base.APIRule(
name="transport_keys:post",
check_str=("role:admin and system_scope:all"),
description="Create a new transport key.",
scope_types=["system"],
operations=[{"method": "POST", "path": "/v1/transport_keys"}],
),
)
__all__ = ("list_rules",)


@ -45,6 +45,7 @@ POLICY_NS = "oslo.policy.policies"
SUPPORTED_SERVICE_EPS = {
# openstack_service: [<entry_point_name>, <entry_point_name>,]
"barbican": ["barbican"],
"cinder": ["cinder"],
"glance": ["glance"],
"heat": ["heat"],


@ -19,7 +19,8 @@ INSTALL_PROJECTS="keystone \
octavia \
manila \
magnum \
zun"
zun\
barbican"
BRANCH=`git rev-parse --abbrev-ref HEAD`
for project in ${INSTALL_PROJECTS}
@ -31,3 +32,8 @@ for deprecated_project in ${INSTALL_DEPRECATED_PROJECTS}
do
pip install -U ${deprecated_project}
done
# Patch barbican
# https://review.opendev.org/c/openstack/barbican/+/839147
patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/barbican/common/policies/secrets.py"
sed -i "s/'GET\"'/'GET'/g" $patch_path
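Review bot: The `sed -i` step added at the end of the script edits barbican's installed `secrets.py` through an unquoted `$patch_path`, with no check that the `python3` lookup produced a real file. Quote and guard it, for example `[ -f "$patch_path" ] || exit 1` followed by `sed -i "s/'GET\"'/'GET'/g" "$patch_path"`; whether a failure here already aborts the run depends on shell options set outside the hunk. Because the policies are then generated from a locally modified third-party package, the comment should say the workaround is temporary, e.g. `# Temporary: drop once change 839147 is in a released barbican`. In the first hunk, `zun\` lacks the space the other continuation lines have before the backslash. If the `barbican"` line really has no leading whitespace (the rendered page may only have lost it), the two names would join into a single word in `INSTALL_PROJECTS`.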