diff --git a/doc/source/getting-started/policy_mapping.rst b/doc/source/getting-started/policy_mapping.rst
index 582a8a4b64..511c0a84b7 100644
--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@@ -25,6 +25,18 @@ identity:create_endpoint POST /v3/endpoints
 identity:update_endpoint PATCH /v3/endpoints/{endpoint_id}
 identity:delete_endpoint DELETE /v3/endpoints/{endpoint_id}
 
+identity:get_registered_limit GET /v3/registered_limits/{registered_limit_id}
+identity:list_registered_limits GET /v3/registered_limits
+identity:create_registered_limits POST /v3/registered_limits
+identity:update_registered_limits PUT /v3/registered_limits
+identity:delete_registered_limit DELETE /v3/registered_limits/{registered_limit_id}
+
+identity:get_limit GET /v3/limits/{limit_id}
+identity:list_limits GET /v3/limits
+identity:create_limits POST /v3/limits
+identity:update_limits PUT /v3/limits
+identity:delete_limit DELETE /v3/limits/{limit_id}
+
 identity:get_domain GET /v3/domains/{domain_id}
 identity:list_domains GET /v3/domains
 identity:create_domain POST /v3/domains
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index f2a84cab83..d26fc5a9ce 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -28,6 +28,18 @@
     "identity:update_endpoint": "rule:cloud_admin",
     "identity:delete_endpoint": "rule:cloud_admin",
 
+    "identity:get_registered_limit": "",
+    "identity:list_registered_limits": "",
+    "identity:create_registered_limits": "rule:admin_required",
+    "identity:update_registered_limits": "rule:admin_required",
+    "identity:delete_registered_limit": "rule:admin_required",
+
+    "identity:get_limit": "",
+    "identity:list_limits": "",
+    "identity:create_limits": "rule:admin_required",
+    "identity:update_limits": "rule:admin_required",
+    "identity:delete_limit": "rule:admin_required",
+
     "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
     "identity:list_domains": "rule:cloud_admin",
     "identity:create_domain": "rule:cloud_admin",
diff --git a/keystone/common/policies/__init__.py b/keystone/common/policies/__init__.py
index 454467b2d5..4a93a7d145 100644
--- a/keystone/common/policies/__init__.py
+++ b/keystone/common/policies/__init__.py
@@ -26,6 +26,7 @@ from keystone.common.policies import grant
 from keystone.common.policies import group
 from keystone.common.policies import identity_provider
 from keystone.common.policies import implied_role
+from keystone.common.policies import limit
 from keystone.common.policies import mapping
 from keystone.common.policies import policy
 from keystone.common.policies import policy_association
@@ -33,6 +34,7 @@ from keystone.common.policies import project
 from keystone.common.policies import project_endpoint
 from keystone.common.policies import protocol
 from keystone.common.policies import region
+from keystone.common.policies import registered_limit
 from keystone.common.policies import revoke_event
 from keystone.common.policies import role
 from keystone.common.policies import role_assignment
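Review bot: The five mutating rules added here, e.g. `"identity:create_limits": "rule:admin_required"`, are weaker than the neighbouring `"identity:update_endpoint": "rule:cloud_admin"` entries, which is surprising in a sample whose purpose is to separate cloud admins from domain and project admins. The definition of `admin_required` is outside the hunk, but if it is this file's usual `role:admin or is_admin:1`, an `admin` on any single project could create, rewrite or delete the quota limits of every project in the deployment. Unless that is intended, use `"rule:cloud_admin"` for create/update/delete of both limits and registered limits, matching the endpoint and domain blocks around them. The `""` read rules are an always-true check in oslo.policy and so admit any valid token, which matches the code defaults and is reasonable for service-wide registered limits.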
@@ -60,6 +62,7 @@ def list_rules():
         group.list_rules(),
         identity_provider.list_rules(),
         implied_role.list_rules(),
+        limit.list_rules(),
         mapping.list_rules(),
         policy.list_rules(),
         policy_association.list_rules(),
@@ -67,6 +70,7 @@ def list_rules():
         project_endpoint.list_rules(),
         protocol.list_rules(),
         region.list_rules(),
+        registered_limit.list_rules(),
         revoke_event.list_rules(),
         role.list_rules(),
         role_assignment.list_rules(),
diff --git a/keystone/common/policies/limit.py b/keystone/common/policies/limit.py
new file mode 100644
index 0000000000..1aea9aa387
--- /dev/null
+++ b/keystone/common/policies/limit.py
@@ -0,0 +1,67 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+limit_policies = [
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'get_limit',
+        check_str='',
+        # Getting a single limit or listing all limits should be information
+        # accessible to everyone. By setting scope_types=['system', 'project']
+        # we're making it so that anyone with a role on the system or a project
+        # can obtain this information. Making changes to a limit should be
+        # considered a protected system-level API, as noted below with
+        # scope_types=['system'].
+        scope_types=['system', 'project'],
+        description='Show limit details.',
+        operations=[{'path': '/v3/limits/{limit_id}',
+                     'method': 'GET'},
+                    {'path': '/v3/limits/{limit_id}',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'list_limits',
+        check_str='',
+        scope_types=['system', 'project'],
+        description='List limits.',
+        operations=[{'path': '/v3/limits',
+                     'method': 'GET'},
+                    {'path': '/v3/limits',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'create_limits',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Create limits.',
+        operations=[{'path': '/v3/limits',
+                     'method': 'POST'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'update_limits',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Update limits.',
+        operations=[{'path': '/v3/limits/{limit_id}',
+                     'method': 'PUT'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'delete_limit',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Delete limit.',
+        operations=[{'path': '/v3/limits/{limit_id}',
+                     'method': 'DELETE'}])
+]
+
+
+def list_rules():
+    return limit_policies
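Review bot: `check_str=''` on `get_limit` and `list_limits` authorises any system- or project-scoped token to read any limit, including limits that belong to other projects, because nothing in the rule ties the token's project to the target limit; whether other projects' quota values actually leak depends on filtering in the limit controller, which is not part of this diff. If the intent is that a project sees only its own limits, encode that in the policy rather than relying on the controller, e.g. `check_str='rule:admin_required or project_id:%(target.limit.project_id)s'` for `get_limit`, with the controller passing the fetched limit as the enforcement target. If cross-project visibility is intended, replace the vague "accessible to everyone" in the comment with `# Any valid system- or project-scoped token may read any project's limits; this is deliberate.` Note also that `scope_types` only takes effect once scope enforcement is switched on in oslo.policy, so until then the comment's "anyone with a role on the system or a project" overstates what is actually checked.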
@@ -0,0 +1,67 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+registered_limit_policies = [
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'get_registered_limit',
+        check_str='',
+        # Getting a single registered limit or listing all registered limits
+        # should be information accessible to everyone. By setting
+        # scope_types=['system', 'project'] we're making it so that anyone with
+        # a role on the system or a project can obtain this information.
+        # Making changes to a registered limit should be considered a protected
+        # system-level API, as noted below with scope_types=['system'].
+        scope_types=['system', 'project'],
+        description='Show registered limit details.',
+        operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
+                     'method': 'GET'},
+                    {'path': '/v3/registered_limits/{registered_limit_id}',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'list_registered_limits',
+        check_str='',
+        scope_types=['system', 'project'],
+        description='List registered limits.',
+        operations=[{'path': '/v3/registered_limits',
+                     'method': 'GET'},
+                    {'path': '/v3/registered_limits',
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'create_registered_limits',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Create registered limits.',
+        operations=[{'path': '/v3/registered_limits',
+                     'method': 'POST'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'update_registered_limits',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Update registered limits.',
+        operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
+                     'method': 'PUT'}]),
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'delete_registered_limit',
+        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
+        description='Delete registered limit.',
+        operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
+                     'method': 'DELETE'}])
+]
+
+
+def list_rules():
+    return registered_limit_policies
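Review bot: The comment on `get_registered_limit` says the data should be accessible to everyone, but `scope_types=['system', 'project']` on the two read rules omits `'domain'`, so once scope enforcement is enabled a domain-scoped token (a domain admin, say) is refused the read while any project member is allowed; registered limits are service-wide defaults, so that asymmetry looks accidental rather than designed. Either add `'domain'` to `scope_types` on `get_registered_limit` and `list_registered_limits`, or state the exclusion explicitly in the comment. Separately, `check_str=''` is oslo.policy's always-true rule and, presumably, the check only runs after keystone has validated the token, so "everyone" here really means "any holder of a valid token"; phrasing the comment that precisely, e.g. `# An empty rule always passes: any valid token may read registered limits.`, avoids suggesting the endpoint is unauthenticated.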