Add scope_types to endpoint group policies

This commit adds scope types for all endpoint group policies. Since
endpoints are considered a system-level resource, it makes sense to
associate system scope with endpoint group policies.

From now on, a warning will be logged when a project-scoped token is
used to manage endpoint groups. Operators can opt into requiring
system-scoped tokens for these policies by enabling oslo.policy's
`enforce_scope` configuration option, which will result in an HTTP
Forbidden exception when mismatching scope is detected.

Change-Id: Icae41a1c5ce88754f0163970431a411529c3b8fe
Lance Bragstad 2017-12-05 17:12:04 +00:00
parent c59c660a10
commit d38343aee0
1 changed files with 11 additions and 0 deletions


@ -18,18 +18,21 @@ group_endpoint_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Create endpoint group.',
operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
'method': 'POST'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_endpoint_groups',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='List endpoint groups.',
operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
'method': 'GET'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Get endpoint group.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}'),
@ -40,6 +43,7 @@ group_endpoint_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Update endpoint group.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}'),
@ -47,6 +51,7 @@ group_endpoint_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Delete endpoint group.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}'),
@ -54,6 +59,7 @@ group_endpoint_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description=('List all projects associated with a specific endpoint '
'group.'),
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
@ -62,6 +68,7 @@ group_endpoint_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='List all endpoints associated with an endpoint group.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}/endpoints'),
@ -69,6 +76,7 @@ group_endpoint_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_endpoint_group_in_project',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description=('Check if an endpoint group is associated with a '
'project.'),
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
@ -80,6 +88,7 @@ group_endpoint_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_endpoint_groups_for_project',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='List endpoint groups associated with a specific project.',
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
'endpoint_groups'),
@ -87,6 +96,7 @@ group_endpoint_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'add_endpoint_group_to_project',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Allow a project to access an endpoint group.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}/projects/{project_id}'),
@ -94,6 +104,7 @@ group_endpoint_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'remove_endpoint_group_from_project',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Remove endpoint group from project.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}/projects/{project_id}'),
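Review bot: The added `scope_types=['system']` on every rule is advisory until `[oslo_policy]/enforce_scope` is enabled, so in the default configuration the unchanged `check_str=base.RULE_ADMIN_REQUIRED` remains the only gate and a project-scoped token holding the admin role still passes with just a logged warning; that caveat lives only in the commit message and should be stated in the file next to the rules. It matters most for the two project-parameterised rules, `get_endpoint_group_in_project` and `list_endpoint_groups_for_project`, where nothing visible in these hunks ties the `{project_id}` path element to the token's project, so restricting them to system scope is the right call but does not take effect on its own. I would add above the first rule: `# Endpoint groups are a system-level resource: scope_types only warns on` / `# project-scoped tokens until [oslo_policy]/enforce_scope is enabled; until` / `# then RULE_ADMIN_REQUIRED alone decides access, regardless of token scope.`. The `group_endpoint_policies` list opens before the first hunk, so that comment sits just outside the shown lines.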