Address comments from Policy in Code 5
This patch addresses a few minor comments from review [1]. [1]: https://review.openstack.org/#/c/435757/ Implements blueprint policy-in-code Change-Id: Ia826d97eaf5d38353254c21999f5acf8f1e35ad8
parent
2dbd5d99bb
commit
08feb508a8
|
@ -22,7 +22,6 @@ from keystone.common.policies import domain_config
|
|||
from keystone.common.policies import ec2_credential
|
||||
from keystone.common.policies import endpoint
|
||||
from keystone.common.policies import endpoint_group
|
||||
from keystone.common.policies import for_user
|
||||
from keystone.common.policies import grant
|
||||
from keystone.common.policies import group
|
||||
from keystone.common.policies import identity_provider
|
||||
|
@ -56,7 +55,6 @@ def list_rules():
|
|||
ec2_credential.list_rules(),
|
||||
endpoint.list_rules(),
|
||||
endpoint_group.list_rules(),
|
||||
for_user.list_rules(),
|
||||
grant.list_rules(),
|
||||
group.list_rules(),
|
||||
identity_provider.list_rules(),
|
||||
|
|
|
@ -13,10 +13,11 @@
|
|||
from oslo_policy import policy
|
||||
|
||||
IDENTITY = 'identity:%s'
|
||||
RULE_ADMIN_REQUIRED = 'rule:admin_required'
|
||||
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
|
||||
RULE_ADMIN_OR_CREDENTIAL_OWNER = (
|
||||
'rule:admin_required or '
|
||||
'(rule:owner and user_id:%(target.credential.user_id)s)')
|
||||
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
|
||||
RULE_ADMIN_OR_TARGET_DOMAIN = (
|
||||
'rule:admin_required or '
|
||||
'token.project.domain.id:%(target.domain.id)s')
|
||||
|
@ -24,7 +25,6 @@ RULE_ADMIN_OR_TARGET_PROJECT = (
|
|||
'rule:admin_required or '
|
||||
'project_id:%(target.project.id)s')
|
||||
RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
|
||||
RULE_ADMIN_REQUIRED = 'rule:admin_required'
|
||||
RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
|
||||
RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
|
||||
RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
|
||||
|
|
|
@ -1,28 +0,0 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from keystone.common.policies import base
|
||||
|
||||
service_policies = [
|
||||
policy.RuleDefault(
|
||||
name=base.IDENTITY % 'list_projects_for_user',
|
||||
check_str=''),
|
||||
policy.RuleDefault(
|
||||
name=base.IDENTITY % 'list_domains_for_user',
|
||||
check_str=''),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return service_policies
|
|
@ -21,6 +21,12 @@ user_policies = [
|
|||
policy.RuleDefault(
|
||||
name=base.IDENTITY % 'list_users',
|
||||
check_str=base.RULE_ADMIN_REQUIRED),
|
||||
policy.RuleDefault(
|
||||
name=base.IDENTITY % 'list_projects_for_user',
|
||||
check_str=''),
|
||||
policy.RuleDefault(
|
||||
name=base.IDENTITY % 'list_domains_for_user',
|
||||
check_str=''),
|
||||
policy.RuleDefault(
|
||||
name=base.IDENTITY % 'create_user',
|
||||
check_str=base.RULE_ADMIN_REQUIRED),
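Review bot: The two entries added to `user_policies`, `identity:list_projects_for_user` and `identity:list_domains_for_user`, carry `check_str=''` with no comment, and they now sit between `list_users` and `create_user`, which both use `base.RULE_ADMIN_REQUIRED`. An empty check string in oslo.policy matches every request that reaches enforcement, so the policy layer puts no restriction on these two rules. Presumably the handlers limit the listing to the user of the caller's own token, but that code is not visible on this page. I would record this above the entries, for example `# Empty check_str: policy allows any caller; the API must scope results to the token's own user.`, and give each rule a `description=` so generated sample policy files explain the open default. The `user_policies` list starts before this hunk and continues after it.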
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
---
|
||||
features:
|
||||
- >
|
||||
`[`blueprint policy-in-code <https://blueprints.launchpad.net/keystone/+spec/policy-in-code>`_]
|
||||
Keystone now supports the ability to register default policies in code.
|
||||
This makes policy file maintenance easier by allowing duplicated default
|
||||
policies to be removed from the policy file. The only policies that should
|
||||
exist within a deployments policy file after Pike should be policy
|
||||
overrides. To generate sample policy files from default values, prune
|
||||
default policies from existing policy files, or familiarize yourself with
|
||||
general policy usage, please see the `usage documentation
|
||||
<https://docs.openstack.org/developer/oslo.policy/usage.html>`_
|
||||
provided in oslo.policy.
|
||||
|
||||
upgrade:
|
||||
- >
|
||||
`[`blueprint policy-in-code <https://blueprints.launchpad.net/keystone/+spec/policy-in-code>`_]
|
||||
Keystone now supports the ability to register default policies in code.
|
||||
This makes policy file maintenance easier by allowing duplicated default
|
||||
policies to be removed from the policy file. The only policies that should
|
||||
exist within a deployments policy file after Pike should be policy
|
||||
overrides. To generate sample policy files from default values, prune
|
||||
default policies from existing policy files, or familiarize yourself with
|
||||
general policy usage, please see the `usage documentation
|
||||
<https://docs.openstack.org/developer/oslo.policy/usage.html>`_
|
||||
provided in oslo.policy.
|