Address comments from Policy in Code 5

This patch addresses a few minor comments from review [1]. [1]: https://review.openstack.org/#/c/435757/ Implements blueprint policy-in-code Change-Id: Ia826d97eaf5d38353254c21999f5acf8f1e35ad8
2017-03-22 23:22:31 +00:00 · 2017-03-22 23:22:31 +00:00 · 08feb508a8
parent 2dbd5d99bb
commit 08feb508a8
5 changed files with 34 additions and 32 deletions
--- a/keystone/common/policies/init.py
+++ b/keystone/common/policies/init.py
@ -22,7 +22,6 @@ from keystone.common.policies import domain_config
 from keystone.common.policies import ec2_credential
 from keystone.common.policies import endpoint
 from keystone.common.policies import endpoint_group
-from keystone.common.policies import for_user
 from keystone.common.policies import grant
 from keystone.common.policies import group
 from keystone.common.policies import identity_provider
@ -56,7 +55,6 @@ def list_rules():
        ec2_credential.list_rules(),
        endpoint.list_rules(),
        endpoint_group.list_rules(),
-        for_user.list_rules(),
        grant.list_rules(),
        group.list_rules(),
        identity_provider.list_rules(),
--- a/keystone/common/policies/base.py
+++ b/keystone/common/policies/base.py
@ -13,10 +13,11 @@
 from oslo_policy import policy

 IDENTITY = 'identity:%s'
+RULE_ADMIN_REQUIRED = 'rule:admin_required'
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
 RULE_ADMIN_OR_CREDENTIAL_OWNER = (
    'rule:admin_required or '
    '(rule:owner and user_id:%(target.credential.user_id)s)')
-RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
 RULE_ADMIN_OR_TARGET_DOMAIN = (
    'rule:admin_required or '
    'token.project.domain.id:%(target.domain.id)s')
@ -24,7 +25,6 @@ RULE_ADMIN_OR_TARGET_PROJECT = (
    'rule:admin_required or '
    'project_id:%(target.project.id)s')
 RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
-RULE_ADMIN_REQUIRED = 'rule:admin_required'
 RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
 RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
 RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
--- a/keystone/common/policies/for_user.py
+++ b/keystone/common/policies/for_user.py
@ -1,28 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_policy import policy
-
-from keystone.common.policies import base
-
-service_policies = [
-    policy.RuleDefault(
-        name=base.IDENTITY % 'list_projects_for_user',
-        check_str=''),
-    policy.RuleDefault(
-        name=base.IDENTITY % 'list_domains_for_user',
-        check_str=''),
-]
-
-
-def list_rules():
-    return service_policies
--- a/keystone/common/policies/user.py
+++ b/keystone/common/policies/user.py
@ -21,6 +21,12 @@ user_policies = [
    policy.RuleDefault(
        name=base.IDENTITY % 'list_users',
        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_projects_for_user',
+        check_str=''),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_domains_for_user',
+        check_str=''),
    policy.RuleDefault(
        name=base.IDENTITY % 'create_user',
        check_str=base.RULE_ADMIN_REQUIRED),
--- a/releasenotes/notes/bp-policy-in-code-722372a27291b9cd.yaml
+++ b/releasenotes/notes/bp-policy-in-code-722372a27291b9cd.yaml
@ -0,0 +1,26 @@
+---
+features:
+  - >
+    `[`blueprint policy-in-code <https://blueprints.launchpad.net/keystone/+spec/policy-in-code>`_]
+    Keystone now supports the ability to register default policies in code.
+    This makes policy file maintenance easier by allowing duplicated default
+    policies to be removed from the policy file. The only policies that should
+    exist within a deployments policy file after Pike should be policy
+    overrides. To generate sample policy files from default values, prune
+    default policies from existing policy files, or familiarize yourself with
+    general policy usage, please see the `usage documentation
+    <https://docs.openstack.org/developer/oslo.policy/usage.html>`_
+    provided in oslo.policy.
+
+upgrade:
+  - >
+    `[`blueprint policy-in-code <https://blueprints.launchpad.net/keystone/+spec/policy-in-code>`_]
+    Keystone now supports the ability to register default policies in code.
+    This makes policy file maintenance easier by allowing duplicated default
+    policies to be removed from the policy file. The only policies that should
+    exist within a deployments policy file after Pike should be policy
+    overrides. To generate sample policy files from default values, prune
+    default policies from existing policy files, or familiarize yourself with
+    general policy usage, please see the `usage documentation
+    <https://docs.openstack.org/developer/oslo.policy/usage.html>`_
+    provided in oslo.policy.