diff --git a/doc/source/getting-started/policy_mapping.rst b/doc/source/getting-started/policy_mapping.rst
index da1d2095a7..68920ed52d 100644
--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@@ -99,6 +99,11 @@ identity:list_grants GET `grant_collection
 identity:create_grant PUT `grant_resources`_
 identity:revoke_grant DELETE `grant_resources`_
+identity:list_system_grants_for_user GET /v3/system/users/{user_id}/roles
+identity:check_system_grant_for_user GET /v3/system/users/{user_id}/roles/{role_id}
+identity:create_system_grant_for_user PUT /v3/system/users/{user_id}/roles/{role_id}
+identity:revoke_system_grant_for_user DELETE /v3/system/users/{user_id}/roles/{role_id}
+
 identity:list_role_assignments GET /v3/role_assignments
 identity:list_role_assignments_for_tree GET /v3/role_assignments?include_subtree
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 89239dae34..9044c16ba1 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -109,6 +109,11 @@
 "identity:list_role_inference_rules": "rule:cloud_admin",
 "identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
+ "identity:list_system_grants_for_user": "rule:admin_required",
+ "identity:check_system_grant_for_user": "rule:admin_required",
+ "identity:create_system_grant_for_user": "rule:admin_required",
+ "identity:revoke_system_grant_for_user": "rule:admin_required",
+
 "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
 "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
 "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
diff --git a/keystone/common/policies/grant.py b/keystone/common/policies/grant.py
index 7aacace138..d64f273395 100644
--- a/keystone/common/policies/grant.py
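Review bot: In the policy.v3cloudsample.json hunk the four new `identity:*_system_grant_for_user` rules are set to `rule:admin_required`, while every neighbouring grant rule in this file (`identity:check_grant`, `identity:list_grants`, `identity:create_grant`) starts from `rule:cloud_admin`. If `admin_required` in this sample is satisfied by any token that carries the admin role (its definition is not in the hunk), a project- or domain-scoped admin could PUT `/v3/system/users/{user_id}/roles/{role_id}` and hand out system-wide roles, which is a step up from the domain-bounded delegation the rest of this sample enforces. I would at least pin the mutating operations to the cloud admin, `"identity:create_system_grant_for_user": "rule:cloud_admin",` and `"identity:revoke_system_grant_for_user": "rule:cloud_admin",`, and consider the same for list/check since their result reveals who holds system-level roles.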
+++ b/keystone/common/policies/grant.py
@@ -97,7 +97,55 @@ grant_policies = [
 'applicable. In that case, revoking the role grant in '
 'the target would remove the logical effect of '
 'inheriting it to the target\'s projects subtree.'),
- operations=list_operations(resource_paths, ['DELETE']))
+ operations=list_operations(resource_paths, ['DELETE'])),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'list_system_grants_for_user',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
+ description='List all grants a specific user has on the system.',
+ operations=[
+ {
+ 'path': '/v3/system/users/{user_id}/roles',
+ 'method': ['HEAD', 'GET']
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'check_system_grant_for_user',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
+ description='Check if a user has a role on the system.',
+ operations=[
+ {
+ 'path': '/v3/system/users/{user_id}/roles/{role_id}',
+ 'method': ['HEAD', 'GET']
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'create_system_grant_for_user',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
+ description='Grant a user a role on the system.',
+ operations=[
+ {
+ 'path': '/v3/system/users/{user_id}/roles/{role_id}',
+ 'method': ['PUT']
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'revoke_system_grant_for_user',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
+ description='Remove a role from a user on the system.',
+ operations=[
+ {
+ 'path': '/v3/system/users/{user_id}/roles/{role_id}',
+ 'method': ['DELETE']
+ }
+ ]
+ )
 ]
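Review bot: The four new DocumentedRuleDefault entries rely on `scope_types=['system']` to keep these operations system-only, but the `check_str` itself (`base.RULE_ADMIN_REQUIRED`) does not test the token's scope, so wherever oslo.policy scope enforcement is not switched on a project-scoped admin token still satisfies the rule for `PUT /v3/system/users/{user_id}/roles/{role_id}`, and granting a system role is a privilege-escalation path that should not hinge on a deployment flag. If keystone's credential dict exposes the scope of a system token (I believe system-scoped tokens carry `system_scope:all`, confirm in base.py), the create and revoke rules could use `check_str='(' + base.RULE_ADMIN_REQUIRED + ') and system_scope:all'` or a dedicated constant in base alongside `RULE_ADMIN_REQUIRED`. Independently, the four descriptions should state the expected scope, e.g. `description='Grant a user a role on the system. Requires a system-scoped token.'`, since that text is what operators read in the generated policy documentation. The `grant_policies` list these entries extend starts before the hunk.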