Merge "Move access token to DocumentedRuleDefault"

2017-04-15 08:17:36 +00:00 · 2017-04-15 08:17:36 +00:00 · 4dd73a8543
parent 968575a0e5 72e0ea0c10
commit 4dd73a8543
1 changed files with 34 additions and 12 deletions
--- a/keystone/common/policies/access_token.py
+++ b/keystone/common/policies/access_token.py
@ -15,24 +15,46 @@ from oslo_policy import policy
 from keystone.common.policies import base

 access_token_policies = [
-    policy.RuleDefault(
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'authorize_request_token',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Authorize OAUTH1 request token.',
+        operations=[{'path': '/v3/OS-OAUTH1/authorize/{request_token_id}',
+                     'method': 'PUT'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_access_token',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Get OAUTH1 access token for user by access token ID.',
+        operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
+                              '{access_token_id}'),
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_access_token_role',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Get role for user OAUTH1 access token.',
+        operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
+                              '{access_token_id}/roles/{role_id}'),
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_access_tokens',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='List OAUTH1 access tokens for user.',
+        operations=[{'path': '/v3/users/{user_id}/OS-OAUTH1/access_tokens',
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_access_token_roles',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='List OAUTH1 access token roles.',
+        operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
+                              '{access_token_id}/roles'),
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_access_token',
-        check_str=base.RULE_ADMIN_REQUIRED)
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Delete OAUTH1 access token.',
+        operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
+                              '{access_token_id}'),
+                     'method': 'DELETE'}])
 ]