Add scope_types for policy policies
This commit adds `system` to the list of scope types for all policy policies. Policies aren't really used and should be considered system-level until authorization can be done without having to modify service policy files. From now on, a warning will be logged when a project-scoped token is used for policy management. Operators can opt into requiring system-scoped tokens for these policies by enabling oslo.policy's `enforce_scope` configuration option. Change-Id: I1542a78f66817ac9b36ec26c308aca08e3c23af7
This commit is contained in:
parent
c59c660a10
commit
d7ccb81b3e
|
@ -18,30 +18,37 @@ policy_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'get_policy',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
# This API isn't really exposed to usable, it's actually deprecated.
|
||||
# More-or-less adding scope_types to be consistent with other policies.
|
||||
scope_types=['system'],
|
||||
description='Show policy details.',
|
||||
operations=[{'path': '/v3/policy/{policy_id}',
|
||||
'method': 'GET'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_policies',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='List policies.',
|
||||
operations=[{'path': '/v3/policies',
|
||||
'method': 'GET'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'create_policy',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Create policy.',
|
||||
operations=[{'path': '/v3/policies',
|
||||
'method': 'POST'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'update_policy',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Update policy.',
|
||||
operations=[{'path': '/v3/policies/{policy_id}',
|
||||
'method': 'PATCH'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'delete_policy',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Delete policy.',
|
||||
operations=[{'path': '/v3/policies/{policy_id}',
|
||||
'method': 'DELETE'}])
|
||||
|
|
Loading…
Reference in New Issue