Implement policies for limits

This commit lays down the policies needed to protect the unified limit
API. A subsequent patch will expose the implementation.

bp unified-limits

Change-Id: I952fe6213adce86a92d7d607c9b639076b279f6c
This commit is contained in:
wangxiyuan 2017-12-26 22:19:17 +00:00
parent 0b241dcea5
commit 9ba24b91a4
5 changed files with 162 additions and 0 deletions

View File

@ -25,6 +25,18 @@ identity:create_endpoint POST /v3/endpoints
identity:update_endpoint PATCH /v3/endpoints/{endpoint_id}
identity:delete_endpoint DELETE /v3/endpoints/{endpoint_id}
identity:get_registered_limit GET /v3/registered_limits/{registered_limit_id}
identity:list_registered_limits GET /v3/registered_limits
identity:create_registered_limits POST /v3/registered_limits
identity:update_registered_limits PUT /v3/registered_limits
identity:delete_registered_limit DELETE /v3/registered_limits/{registered_limit_id}
identity:get_limit GET /v3/limits/{limit_id}
identity:list_limits GET /v3/limits
identity:create_limits POST /v3/limits
identity:update_limits PUT /v3/limits
identity:delete_limit DELETE /v3/limits/{limit_id}
identity:get_domain GET /v3/domains/{domain_id}
identity:list_domains GET /v3/domains
identity:create_domain POST /v3/domains

View File

@ -28,6 +28,18 @@
"identity:update_endpoint": "rule:cloud_admin",
"identity:delete_endpoint": "rule:cloud_admin",
"identity:get_registered_limit": "",
"identity:list_registered_limits": "",
"identity:create_registered_limits": "rule:admin_required",
"identity:update_registered_limits": "rule:admin_required",
"identity:delete_registered_limit": "rule:admin_required",
"identity:get_limit": "",
"identity:list_limits": "",
"identity:create_limits": "rule:admin_required",
"identity:update_limits": "rule:admin_required",
"identity:delete_limit": "rule:admin_required",
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
"identity:list_domains": "rule:cloud_admin",
"identity:create_domain": "rule:cloud_admin",

View File

@ -26,6 +26,7 @@ from keystone.common.policies import grant
from keystone.common.policies import group
from keystone.common.policies import identity_provider
from keystone.common.policies import implied_role
from keystone.common.policies import limit
from keystone.common.policies import mapping
from keystone.common.policies import policy
from keystone.common.policies import policy_association
@ -33,6 +34,7 @@ from keystone.common.policies import project
from keystone.common.policies import project_endpoint
from keystone.common.policies import protocol
from keystone.common.policies import region
from keystone.common.policies import registered_limit
from keystone.common.policies import revoke_event
from keystone.common.policies import role
from keystone.common.policies import role_assignment
@ -60,6 +62,7 @@ def list_rules():
group.list_rules(),
identity_provider.list_rules(),
implied_role.list_rules(),
limit.list_rules(),
mapping.list_rules(),
policy.list_rules(),
policy_association.list_rules(),
@ -67,6 +70,7 @@ def list_rules():
project_endpoint.list_rules(),
protocol.list_rules(),
region.list_rules(),
registered_limit.list_rules(),
revoke_event.list_rules(),
role.list_rules(),
role_assignment.list_rules(),

View File

@ -0,0 +1,67 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from keystone.common.policies import base
limit_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_limit',
check_str='',
# Getting a single limit or listing all limits should be information
# accessible to everyone. By setting scope_types=['system', 'project']
# we're making it so that anyone with a role on the system or a project
# can obtain this information. Making changes to a limit should be
# considered a protected system-level API, as noted below with
# scope_types=['system'].
scope_types=['system', 'project'],
description='Show limit details.',
operations=[{'path': '/v3/limits/{limit_id}',
'method': 'GET'},
{'path': '/v3/limits/{limit_id}',
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_limits',
check_str='',
scope_types=['system', 'project'],
description='List limits.',
operations=[{'path': '/v3/limits',
'method': 'GET'},
{'path': '/v3/limits',
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_limits',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Create limits.',
operations=[{'path': '/v3/limits',
'method': 'POST'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_limits',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Update limits.',
operations=[{'path': '/v3/limits/{limit_id}',
'method': 'PUT'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_limit',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Delete limit.',
operations=[{'path': '/v3/limits/{limit_id}',
'method': 'DELETE'}])
]
def list_rules():
return limit_policies

View File

@ -0,0 +1,67 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from keystone.common.policies import base
registered_limit_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_registered_limit',
check_str='',
# Getting a single registered limit or listing all registered limits
# should be information accessible to everyone. By setting
# scope_types=['system', 'project'] we're making it so that anyone with
# a role on the system or a project can obtain this information.
# Making changes to a registered limit should be considered a protected
# system-level API, as noted below with scope_types=['system'].
scope_types=['system', 'project'],
description='Show registered limit details.',
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
'method': 'GET'},
{'path': '/v3/registered_limits/{registered_limit_id}',
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_registered_limits',
check_str='',
scope_types=['system', 'project'],
description='List registered limits.',
operations=[{'path': '/v3/registered_limits',
'method': 'GET'},
{'path': '/v3/registered_limits',
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_registered_limits',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Create registered limits.',
operations=[{'path': '/v3/registered_limits',
'method': 'POST'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_registered_limits',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Update registered limits.',
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
'method': 'PUT'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_registered_limit',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Delete registered limit.',
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
'method': 'DELETE'}])
]
def list_rules():
return registered_limit_policies