As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to do two things:
1. Change the default value of '[oslo_policy] policy_file''
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.
2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.
Also replace policy.json to policy.yaml ref from doc and tests.
[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: Ic65d2fd6ce7215b4a47a6fb41b9cbf991f27773b
This change creates a /v3/users/{user_id}/access_rules endpoint to allow
users to view and delete their own access rules. Access rules are not
automatically deleted when an application credential is deleted, so they
can be re-used for other application credentials or explicitly deleted
by the user. Access rules are automatically deleted when the user is
deleted, the same way that application credentials are. Access rules
that are in use by an application credential may not be deleted.
bp whitelist-extension-for-app-creds
Change-Id: I37d243d802cd538189ccfffee6ebf0624b7785d3
Without this change, policy enforcement for the GET /OS-TRUST/trusts API
is hardcoded in the flask dispatcher code. This is a problem because
this enforcement can't be controlled by the operator, as is the norm.
Moreover, it makes the transition to system-scope and
default-roles-aware policies more difficult because there's no sensible
migration from "" to a logical role-based check string.
This patch starts the conversion from hardcoded enforcement to
enforcement via default policies for GET /OS-TRUST/trusts. To do this,
we add two new policy rules, "identity:list_trusts_for_trustor" and
"identity:list_trusts_for_trustee". We need to do this so that we can
keep backwards compatibility with the bizarre behavior that an admin can
list all trusts (GET /OS-TRUST/trusts) but not list trusts for a trustor
or trustee (GET /OS-TRUST/trusts?trustor_user_id={} and
GET/OS-TRUST/trusts?trustee_user_id={}). The tricky part is that it's
plausible that operators may have incorporated the hardcoded empty
default for "identity:list_trusts" into their on-disk policy
configuration, either by never removing the old default policy file that
used to come packaged with keystone, or by generating a sample file and
applying that to disk (we don't recommend that but we don't expressly
forbid or discourage it either). To overcome
this, the trust API code checks whether the "identity:list_trusts" rule
is "" and re-applies the enforcement with a warning. We don't need to do
this for the two new policies because they are initially enforced
in-code and an operator would have to take explicit action on upgrade to
override them.
This change does not use the formal oslo.policy deprecation system
because "" OR'd with the new default is entirely useless as a policy.
Partial-bug: #1818850
Partial-bug: #1818846
Change-Id: I6c1a4ecd756519f7f807c9d28960482e7f0d235b
We plan to expose the enforcement model a deployment is using via
the limit API. This commit prepares for that implementation by
introducing the policy for it.
Change-Id: I03c9cec3646ee354ebcdd4ddc1168e00d611171b
Related-Bug: 1765193
According to the API-WG's suggestion, the update registered
limit/project limit APIs should be refactored as:
1. Change PUT to PATCH
2. Remove batch update limits support for PATCH
Closes-Bug: #1754184
Change-Id: I1102166ab425a55d8eaf85c75d8fd3a7dfbaceb6
In queens the v2.0 APIs were removed. This commit removes the
leftover v2.0 policies documented in the sample policy file.
Change-Id: Ibb841bcbc12d0be365ddb2681310a0eee6724782
Add the controller, router, schema, and policies for application
credentials. If a secret is not provided, one is generated at the
controller layer.
bp application-credentials
Depends-on: Id26a2790acae25f80bd28a8cb121c80cb5064645
Depends-on: Icbd58464182b082854fb5d73ccc93c900ede020c
Change-Id: I7a371d59c19a11e55f17baf12d92327c1258533d
This commit lays down the policies needed to protect the unified limit
API. A subsequent patch will expose the implementation.
bp unified-limits
Change-Id: I952fe6213adce86a92d7d607c9b639076b279f6c
Keystone has APIs for retrieving projects and domains based on the
role assignments a user has on projects and domains. We should
introduce similar functionality for system assignments. This will
make discovering system access for users and client easier.
bp system-scope
Change-Id: Iab577fcd1b57b8b5593c3f9d50a772466383a999
Some entries in the list were prepended with dashes while others were
not. This commit makes all of them consistent.
Change-Id: I80aaa5cfde4c9c111108700e736fb595f6a971e7
This commit introduces new policies that control RBAC for assigning
groups roles on the system. Since the management of system roles is a
system-level operation, each policy has `system` set for scope_types.
bp system-scope
Change-Id: Ide491be9563f74f758c5de55990916292228e0d9
This commit introduces new policies that control RBAC for assigning
users roles on the system. Since the management of system roles is a
system-level operation, each policy has `system` set as scope_types.
bp system-scope
Change-Id: Ie606e769427a5ca422997efe92402e712f3cf45f
This change adds policy rules for project tags. The default
rules for both project updating and project tags will share
the same admin_required rule since tags are an attribute
of project.
Depends-On: Ibcf158f1b8082fbffeb48fa48c6592c87e056d01
Change-Id: Ieb68bd2c9c216b25ad74d320a1c9a297d2b251e7
Partially-Implements: bp project-tags
The self-service password API was left intentionally
unprotected in a change during the stable/ocata cycle:
I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1
The default policy was not removed from the same config and as a
result it was migrated into code during the policy-in-code work.
This isn't necessary since it's not used to protect anything. Policy
should still be enforced on administrative password resets, but that
is done using the `update_user` API.
Change-Id: I431f5ef9d6d5d689a06736640d22997fbddb869c
Closes-Bug: 1705485
A new policy class was introduced that requires
additional parameters when defining policy objects.
This patch switches our trust policy object to
the policy.DocumentedRuleDefault and fills the
required policy parameters as needed.
Implements: bp policy-docs
Change-Id: I7d4bab14ff257ede59a1b49088e16842e5b59a64
Changes identity:get_identity_providers policy rule to
identity:get_identity_provider to match what is checked by the code.
Change-Id: I0841abd30fd15c034b5836e42a18938634b509b1
Closes-Bug: #1703369
Divided the keystone docs into four categories, depending
upon the usage criteria: general information (which will
be common for all), developer documentation,
user documantation and operator documentation.
Change-Id: I2f5dd41acd9874739accc54c4f4fd69460b58334
Ghanshyam Mann