Merge "Move trust to DocumentedRuleDefault"

2017-07-13 01:15:17 +00:00 · 2017-07-13 01:15:17 +00:00 · a43d5a6893
parent 7e6eca7929 8f09c9cf0b
commit a43d5a6893
3 changed files with 41 additions and 10 deletions
--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@ -112,6 +112,7 @@ identity:list_trusts                                       GET /v3/OS-TRUST/trus
 identity:list_roles_for_trust                              GET /v3/OS-TRUST/trusts/{trust_id}/roles
 identity:get_role_for_trust                                GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
 identity:delete_trust                                      DELETE /v3/OS-TRUST/trusts/{trust_id}
+identity:get_trust                                         GET /v3/OS-TRUST/trusts/{trust_id}

 identity:create_consumer                                   POST /v3/OS-OAUTH1/consumers
 identity:get_consumer                                      GET /v3/OS-OAUTH1/consumers/{consumer_id}
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -140,6 +140,7 @@
    "identity:list_roles_for_trust": "",
    "identity:get_role_for_trust": "",
    "identity:delete_trust": "",
+    "identity:get_trust": "",

    "identity:create_consumer": "rule:admin_required",
    "identity:get_consumer": "rule:admin_required",
--- a/keystone/common/policies/trust.py
+++ b/keystone/common/policies/trust.py
@ -15,21 +15,50 @@ from oslo_policy import policy
 from keystone.common.policies import base

 trust_policies = [
-    policy.RuleDefault(
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_trust',
-        check_str=base.RULE_TRUST_OWNER),
-    policy.RuleDefault(
+        check_str=base.RULE_TRUST_OWNER,
+        description='Create trust.',
+        operations=[{'path': '/v3/OS-TRUST/trusts',
+                     'method': 'POST'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_trusts',
-        check_str=''),
-    policy.RuleDefault(
+        check_str='',
+        description='List trusts.',
+        operations=[{'path': '/v3/OS-TRUST/trusts',
+                     'method': 'GET'},
+                    {'path': '/v3/OS-TRUST/trusts',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_roles_for_trust',
-        check_str=''),
-    policy.RuleDefault(
+        check_str='',
+        description='List roles delegated by a trust.',
+        operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
+                     'method': 'GET'},
+                    {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_role_for_trust',
-        check_str=''),
-    policy.RuleDefault(
+        check_str='',
+        description='Check if trust delegates a particular role.',
+        operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
+                     'method': 'GET'},
+                    {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_trust',
-        check_str=''),
+        check_str='',
+        description='Revoke trust.',
+        operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
+                     'method': 'DELETE'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'get_trust',
+        check_str='',
+        description='Get trust.',
+        operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
+                     'method': 'GET'},
+                    {'path': '/v3/OS-TRUST/trusts/{trust_id}',
+                     'method': 'HEAD'}])
 ]