Add scope_types to endpoint group policies
This commit adds scope types for all endpoint group policies. Since endpoints are considered a system-level resource, it makes sense to associate system scope to endpoint group policies. From now on, a warning will be logged when a project-scoped token is used to manage endpoint groups. Operators can opt into requiring system-scoped tokens for these policies by enabling oslo.policy's `enforce_scope` configuration option; once it is enabled, a request made with a token of mismatching scope is rejected with an HTTP Forbidden response instead of only being logged. Change-Id: Icae41a1c5ce88754f0163970431a411529c3b8fe
This commit is contained in:
parent
c59c660a10
commit
d38343aee0
|
@ -18,18 +18,21 @@ group_endpoint_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'create_endpoint_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Create endpoint group.',
|
||||
operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
|
||||
'method': 'POST'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_endpoint_groups',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='List endpoint groups.',
|
||||
operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
|
||||
'method': 'GET'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'get_endpoint_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Get endpoint group.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||
'{endpoint_group_id}'),
|
||||
|
@ -40,6 +43,7 @@ group_endpoint_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'update_endpoint_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Update endpoint group.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||
'{endpoint_group_id}'),
|
||||
|
@ -47,6 +51,7 @@ group_endpoint_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'delete_endpoint_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Delete endpoint group.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||
'{endpoint_group_id}'),
|
||||
|
@ -54,6 +59,7 @@ group_endpoint_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description=('List all projects associated with a specific endpoint '
|
||||
'group.'),
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||
|
@ -62,6 +68,7 @@ group_endpoint_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='List all endpoints associated with an endpoint group.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||
'{endpoint_group_id}/endpoints'),
|
||||
|
@ -69,6 +76,7 @@ group_endpoint_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'get_endpoint_group_in_project',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description=('Check if an endpoint group is associated with a '
|
||||
'project.'),
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||
|
@ -80,6 +88,7 @@ group_endpoint_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_endpoint_groups_for_project',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='List endpoint groups associated with a specific project.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
|
||||
'endpoint_groups'),
|
||||
|
@ -87,6 +96,7 @@ group_endpoint_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'add_endpoint_group_to_project',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Allow a project to access an endpoint group.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||
'{endpoint_group_id}/projects/{project_id}'),
|
||||
|
@ -94,6 +104,7 @@ group_endpoint_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'remove_endpoint_group_from_project',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Remove endpoint group from project.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||
'{endpoint_group_id}/projects/{project_id}'),
|
||||
|
|
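Review bot: Adding `scope_types=['system']` does not tighten `check_str`, so in the default configuration every rule here (e.g. `list_endpoint_groups_for_project` at `/v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups` and `add_endpoint_group_to_project`) still passes for any project-scoped token carrying the admin role; the scope mismatch is only logged, as the commit message says. That deserves a comment in the file so a later reader does not mistake `scope_types` for enforcement, e.g. above the list: `# scope_types is advisory until oslo.policy enforce_scope=True; check_str alone gates access.` The project-keyed rules (`get_endpoint_group_in_project`, `list_endpoint_groups_for_project`, `add_endpoint_group_to_project`, `remove_endpoint_group_from_project`) are the ones whose behavior visibly changes once `enforce_scope` is on, since a project-scoped admin can then no longer read or manage associations for its own project; if that is intended, the rule descriptions could say "Requires a system-scoped token." so the generated policy docs reflect it. The `group_endpoint_policies` list starts before the first hunk and the `operations` entries for several rules continue outside their hunks.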