Add scope_types to implied role policies
Today, keystone doesn't support the ability to create roles and immediately start using them without modifying policy files across multiple services. Since role management is technically considered a system-level resource because of this reason, it makes sense to have implied role policies system-level as well. From now on, a warning will be logged when a project-scoped token is used to imply roles. Operators will be able to opt into requiring system-scoped tokens for these policies by enabling oslo.policy's `enforce_scope` configuration option, which will result in an HTTP Forbidden exception when mismatching scope is used.

Change-Id: I9ec3bf02904dfe3773164e410db822a81ff213e2
This commit is contained in:
parent
2178447a6d
commit
cfb0d593e1
@ -18,6 +18,11 @@ implied_role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_implied_role',
check_str=base.RULE_ADMIN_REQUIRED,
# FIXME(lbragstad) The management of implied roles currently makes
# sense as a system-only resource. Once keystone has the ability to
# support RBAC solely over the API without having to customize policy
# files, scope_types should include 'project'.
scope_types=['system'],
description='Get information about an association between two roles. '
'When a relationship exists between a prior role and an '
'implied role and the prior role is assigned to a user, '
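Review bot: the FIXME on get_implied_role explaining why scope_types is system-only applies equally to the other five implied-role rules in this file, but only this rule carries it; move the comment above the implied_role_policies list (or reference it from the other rules) so that a future change adding 'project' to scope_types updates all six rules together rather than just this one.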
@ -28,6 +33,7 @@ implied_role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_implied_roles',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='List associations between two roles. When a relationship '
'exists between a prior role and an implied role and the '
'prior role is assigned to a user, the user also assumes '
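Review bot: the commit message says project-scoped tokens now trigger a logged warning and that enabling enforce_scope turns the mismatch into HTTP Forbidden, but nothing in the change documents this for operators; add a release note describing the new system-scope requirement for the implied-role APIs and the enforce_scope opt-in, since existing project-scoped admin tooling that manages role inference will start failing once that option is turned on.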
@ -40,6 +46,7 @@ implied_role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_implied_role',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Create an association between two roles. When a '
'relationship exists between a prior role and an implied '
'role and the prior role is assigned to a user, the user '
@ -50,6 +57,7 @@ implied_role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_implied_role',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Delete the association between two roles. When a '
'relationship exists between a prior role and an implied '
'role and the prior role is assigned to a user, the user '
@ -61,6 +69,7 @@ implied_role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_role_inference_rules',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='List all associations between two roles in the system. '
'When a relationship exists between a prior role and an '
'implied role and the prior role is assigned to a user, '
@ -71,6 +80,7 @@ implied_role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_implied_role',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Check an association between two roles. When a '
'relationship exists between a prior role and an implied '
'role and the prior role is assigned to a user, the user '
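Review bot: none of the six rules that gain scope_types=['system'] in this change come with test coverage for the new scope behaviour; add a protection test that exercises the implied-role APIs with both a system-scoped and a project-scoped token and asserts the expected outcome (success for system scope, the logged warning for project scope by default, and 403 once enforce_scope is enabled), so the behaviour the commit message describes is verified rather than assumed.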