diff --git a/doc/source/getting-started/policy_mapping.rst b/doc/source/getting-started/policy_mapping.rst
index 6fdc9089d8..fd3a0dd1bb 100644
--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@@ -112,6 +112,7 @@ identity:list_trusts GET /v3/OS-TRUST/trus
 identity:list_roles_for_trust GET /v3/OS-TRUST/trusts/{trust_id}/roles
 identity:get_role_for_trust GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
 identity:delete_trust DELETE /v3/OS-TRUST/trusts/{trust_id}
+identity:get_trust GET /v3/OS-TRUST/trusts/{trust_id}
 identity:create_consumer POST /v3/OS-OAUTH1/consumers
 identity:get_consumer GET /v3/OS-OAUTH1/consumers/{consumer_id}
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 6c5bc0b1c0..e1731c004d 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -140,6 +140,7 @@
 "identity:list_roles_for_trust": "",
 "identity:get_role_for_trust": "",
 "identity:delete_trust": "",
+ "identity:get_trust": "",
 "identity:create_consumer": "rule:admin_required",
 "identity:get_consumer": "rule:admin_required",
diff --git a/keystone/common/policies/trust.py b/keystone/common/policies/trust.py
index ff047e3324..71e0835a23 100644
--- a/keystone/common/policies/trust.py
+++ b/keystone/common/policies/trust.py
@@ -15,21 +15,50 @@
 from oslo_policy import policy
 from keystone.common.policies import base
 trust_policies = [
- policy.RuleDefault(
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_trust',
- check_str=base.RULE_TRUST_OWNER),
- policy.RuleDefault(
+ check_str=base.RULE_TRUST_OWNER,
+ description='Create trust.',
+ operations=[{'path': '/v3/OS-TRUST/trusts',
+ 'method': 'POST'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_trusts',
- check_str=''),
- policy.RuleDefault(
+ check_str='',
+ description='List trusts.',
+ operations=[{'path': '/v3/OS-TRUST/trusts',
+ 'method': 'GET'},
+ {'path': '/v3/OS-TRUST/trusts',
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_roles_for_trust',
- check_str=''),
- policy.RuleDefault(
+ check_str='',
+ description='List roles delegated by a trust.',
+ operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
+ 'method': 'GET'},
+ {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_role_for_trust',
- check_str=''),
- policy.RuleDefault(
+ check_str='',
+ description='Check if trust delegates a particular role.',
+ operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
+ 'method': 'GET'},
+ {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_trust',
- check_str=''),
+ check_str='',
+ description='Revoke trust.',
+ operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
+ 'method': 'DELETE'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'get_trust',
+ check_str='',
+ description='Get trust.',
+ operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
+ 'method': 'GET'},
+ {'path': '/v3/OS-TRUST/trusts/{trust_id}',
+ 'method': 'HEAD'}])
 ]
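Review bot: The new `identity:get_trust` rule is registered with `check_str=''` (mirrored by `"identity:get_trust": ""` in the etc/policy.v3cloudsample.json hunk), which means the policy layer accepts any authenticated caller and the only thing keeping one user from reading another user's trust is whatever ownership check the trust API itself performs; that check is not in this diff, so it should be confirmed to exist and to be covered by a test that fetches a trust as a third party. Because operators read these descriptions in the generated policy documentation, `description='Get trust.'` should state why the rule is empty rather than scoped, e.g. `description='Get trust. The empty check string relies on the trust API itself limiting access to the trustor or trustee; tighten with care.'` so that a site override is not loosened on the assumption the default already restricts access. The sibling trust rules in this hunk carry the same empty check string and the same unstated assumption, and would benefit from the same wording.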