Add scope_types for policy policies

This commit adds `system` to the list of scope types for all policy policies. Policies aren't really used and should be considered system-level until authorization can be done without having to modify service policy files. From now on, a warning will be logged when a project-scoped token is used for policy management. Operators can opt into requiring system-scoped tokens for these policies by enabling oslo.policy's `enforce_scope` configuration option. Change-Id: I1542a78f66817ac9b36ec26c308aca08e3c23af7
2017-12-06 21:08:36 +00:00 · 2017-12-06 21:08:36 +00:00 · d7ccb81b3e
parent c59c660a10
commit d7ccb81b3e
1 changed files with 7 additions and 0 deletions
--- a/keystone/common/policies/policy.py
+++ b/keystone/common/policies/policy.py
@ -18,30 +18,37 @@ policy_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_policy',
        check_str=base.RULE_ADMIN_REQUIRED,
+        # This API isn't really exposed to usable, it's actually deprecated.
+        # More-or-less adding scope_types to be consistent with other policies.
+        scope_types=['system'],
        description='Show policy details.',
        operations=[{'path': '/v3/policy/{policy_id}',
                     'method': 'GET'}]),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_policies',
        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
        description='List policies.',
        operations=[{'path': '/v3/policies',
                     'method': 'GET'}]),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_policy',
        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
        description='Create policy.',
        operations=[{'path': '/v3/policies',
                     'method': 'POST'}]),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'update_policy',
        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
        description='Update policy.',
        operations=[{'path': '/v3/policies/{policy_id}',
                     'method': 'PATCH'}]),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_policy',
        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
        description='Delete policy.',
        operations=[{'path': '/v3/policies/{policy_id}',
                     'method': 'DELETE'}])