Policy in code (part 5)
This commit does the following: - Moves default auth policies into code - Moves default domain_config policies into code - Moves default for_user policies into code - Moves default mapping policies into code - Moves default policy_association policies into code - Moves default protocol policies into code - Moves default revoke_event policies into code - Moves default service_provider policies into code Partially-Implements: blueprint policy-in-code Change-Id: Id6e3c0ac54b21d85e68625a5b52fe2559fb70f24
This commit is contained in:
parent
2edcfb9fe7
commit
62a0d2f295
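--- a/<policy-json-path>
+++ b/<policy-json-path>
@@ -1,48 +1,2 @@
 {
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-
-    "identity:create_service_provider": "rule:admin_required",
-    "identity:list_service_providers": "rule:admin_required",
-    "identity:get_service_provider": "rule:admin_required",
-    "identity:update_service_provider": "rule:admin_required",
-    "identity:delete_service_provider": "rule:admin_required",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_user": "",
-    "identity:list_domains_for_user": "",
-
-    "identity:list_revoke_events": "rule:service_or_admin",
-
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required",
-
-    "identity:create_domain_config": "rule:admin_required",
-    "identity:get_domain_config": "rule:admin_required",
-    "identity:get_security_compliance_domain_config": "",
-    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required",
-    "identity:get_domain_config_default": "rule:admin_required"
 }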
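--- a/keystone/common/policies/__init__.py
+++ b/keystone/common/policies/__init__.py
@@ -13,24 +13,32 @@
 import itertools
 
 from keystone.common.policies import access_token
+from keystone.common.policies import auth
 from keystone.common.policies import base
 from keystone.common.policies import consumer
 from keystone.common.policies import credential
 from keystone.common.policies import domain
+from keystone.common.policies import domain_config
 from keystone.common.policies import ec2_credential
 from keystone.common.policies import endpoint
 from keystone.common.policies import endpoint_group
+from keystone.common.policies import for_user
 from keystone.common.policies import grant
 from keystone.common.policies import group
 from keystone.common.policies import identity_provider
 from keystone.common.policies import implied_role
+from keystone.common.policies import mapping
 from keystone.common.policies import policy
+from keystone.common.policies import policy_association
 from keystone.common.policies import project
 from keystone.common.policies import project_endpoint
+from keystone.common.policies import protocol
 from keystone.common.policies import region
+from keystone.common.policies import revoke_event
 from keystone.common.policies import role
 from keystone.common.policies import role_assignment
 from keystone.common.policies import service
+from keystone.common.policies import service_provider
 from keystone.common.policies import token_revocation
 from keystone.common.policies import trust
 from keystone.common.policies import user
@@ -40,23 +48,31 @@ def list_rules():
     return itertools.chain(
         base.list_rules(),
         access_token.list_rules(),
+        auth.list_rules(),
         consumer.list_rules(),
         credential.list_rules(),
         domain.list_rules(),
+        domain_config.list_rules(),
         ec2_credential.list_rules(),
         endpoint.list_rules(),
         endpoint_group.list_rules(),
+        for_user.list_rules(),
         grant.list_rules(),
         group.list_rules(),
         identity_provider.list_rules(),
         implied_role.list_rules(),
+        mapping.list_rules(),
         policy.list_rules(),
+        policy_association.list_rules(),
         project.list_rules(),
         project_endpoint.list_rules(),
+        protocol.list_rules(),
         region.list_rules(),
+        revoke_event.list_rules(),
         role.list_rules(),
         role_assignment.list_rules(),
         service.list_rules(),
+        service_provider.list_rules(),
         token_revocation.list_rules(),
         trust.list_rules(),
         user.list_rules(),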
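Review bot: `list_rules()` is the single registration point that decides whether a policy module's defaults exist at all, and this commit (like the earlier parts in the series) had to touch both the import block and the `itertools.chain(...)` call in lockstep, yet nothing in the file states that a module left out of the chain is simply never returned. A comment at the top of the function such as `# Every module under keystone.common.policies must be imported above AND chained here; a module missing from this chain contributes no default rules.` would make that failure mode visible to the next person adding a module. The body of `list_rules()` starts at the hunk header and its closing parenthesis lies outside the hunk.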
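--- /dev/null
+++ b/keystone/common/policies/auth.py
@@ -0,0 +1,31 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+auth_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_auth_catalog',
+        check_str=''),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_auth_projects',
+        check_str=''),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_auth_domains',
+        check_str=''),
+]
+
+
+def list_rules():
+    return auth_policies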
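Review bot: The three `check_str=''` rules (get_auth_catalog, get_auth_projects, get_auth_domains) are the most permissive default oslo.policy can express — an empty check string passes for any valid token — and nothing in the file records that this is intentional because the calls only return data scoped to the caller's own token, so a later reader (or an operator reading generated policy output) cannot tell a deliberate choice from an omission. `policy.RuleDefault` accepts a `description=` argument; a short text per rule, e.g. `description='Get the service catalog for the authenticated user; the empty check_str is deliberate, any valid token may call this.'`, would pin the intent next to the value. The values themselves match the removed JSON entries, so behaviour is unchanged. The same applies to `list_projects_for_user` and `list_domains_for_user` in for_user.py and to `get_security_compliance_domain_config` in domain_config.py, which also default to `''` without explanation.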
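--- a/keystone/common/policies/base.py
+++ b/keystone/common/policies/base.py
@@ -13,16 +13,19 @@
 from oslo_policy import policy
 
 IDENTITY = 'identity:%s'
-RULE_ADMIN_REQUIRED = 'rule:admin_required'
-RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
 RULE_ADMIN_OR_CREDENTIAL_OWNER = (
     'rule:admin_required or '
     '(rule:owner and user_id:%(target.credential.user_id)s)')
-RULE_ADMIN_OR_TARGET_DOMAIN = ('rule:admin_required or '
-                               'token.project.domain.id:%(target.domain.id)s')
-RULE_ADMIN_OR_TARGET_PROJECT = ('rule:admin_required or '
-                                'project_id:%(target.project.id)s')
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_OR_TARGET_DOMAIN = (
+    'rule:admin_required or '
+    'token.project.domain.id:%(target.domain.id)s')
+RULE_ADMIN_OR_TARGET_PROJECT = (
+    'rule:admin_required or '
+    'project_id:%(target.project.id)s')
 RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
+RULE_ADMIN_REQUIRED = 'rule:admin_required'
+RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
 RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
 RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
 RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'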
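Review bot: `RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'` is added but, as far as this commit shows, nothing consumes it — revoke_event.py registers `list_revoke_events` with `base.RULE_SERVICE_OR_ADMIN`, matching the removed JSON value — and no rule named `revoke_event_or_admin` is defined in this hunk, so a future `check_str` built from it would reference a rule the enforcer may have no definition for unless one is registered elsewhere. Either leave the constant out until the policy that needs it lands, or add a comment naming which module it is reserved for, e.g. `# Reserved for a later policy module; no default rule of this name is registered here.`. The alphabetical reordering of the remaining constants is behaviour-neutral.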
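--- /dev/null
+++ b/keystone/common/policies/domain_config.py
@@ -0,0 +1,40 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+domain_config_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_domain_config',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_domain_config',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_security_compliance_domain_config',
+        check_str=''),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_domain_config',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_domain_config',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_domain_config_default',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return domain_config_policies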
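--- /dev/null
+++ b/keystone/common/policies/for_user.py
@@ -0,0 +1,28 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+service_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_projects_for_user',
+        check_str=''),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_domains_for_user',
+        check_str=''),
+]
+
+
+def list_rules():
+    return service_policies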
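Review bot: The rule list in for_user.py is named `service_policies`, which breaks the convention every other module in this commit follows (`auth_policies`, `domain_config_policies`, `mapping_policies`, ...) and suggests it belongs to the separate `service` module that `__init__.py` already imports. Rename it to match the module: `for_user_policies = [` and `return for_user_policies`. This is a naming change only; `list_rules()` still returns the same two rules.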
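--- /dev/null
+++ b/keystone/common/policies/mapping.py
@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+mapping_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_mapping',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_mapping',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_mappings',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_mapping',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_mapping',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return mapping_policies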
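--- /dev/null
+++ b/keystone/common/policies/policy_association.py
@@ -0,0 +1,57 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+policy_association_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_policy_association_for_endpoint',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'check_policy_association_for_endpoint',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_policy_association_for_endpoint',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_policy_association_for_service',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'check_policy_association_for_service',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_policy_association_for_service',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % (
+            'create_policy_association_for_region_and_service'),
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'check_policy_association_for_region_and_service',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % (
+            'delete_policy_association_for_region_and_service'),
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_policy_for_endpoint',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_endpoints_for_policy',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return policy_association_policies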
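--- /dev/null
+++ b/keystone/common/policies/protocol.py
@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+protocol_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_protocol',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_protocol',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_protocol',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_protocols',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_protocol',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return protocol_policies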
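--- /dev/null
+++ b/keystone/common/policies/revoke_event.py
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+revoke_event_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_revoke_events',
+        check_str=base.RULE_SERVICE_OR_ADMIN)
+]
+
+
+def list_rules():
+    return revoke_event_policies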
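--- /dev/null
+++ b/keystone/common/policies/service_provider.py
@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+service_provider_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_service_provider',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_service_providers',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_service_provider',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_service_provider',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_service_provider',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return service_provider_policies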