keystone/keystone/common/policies
Colleen Murphy b100825a03 Move list_roles_for_trust enforcement to policies
Without this change, policy enforcement for the GET
/OS-TRUST/trusts/{trust_id}/roles API is hardcoded in the flask
dispatcher code. This is a problem because this enforcement can't be
controlled by the operator, as is the norm. Moreover, it makes the
transition to system-scope and default-roles-aware policies more
difficult because there's no sensible migration from "" to a logical
role-based check string.

This converts the hardcoded enforcement to enforcement via default
policies for GET /OS-TRUST/trusts/{trust_id}/roles. The API specifically
blocks the is_admin user from using it, and since policies aren't loaded
for the is_admin user we need to continue explicitly blocking it.

This change does not use the formal oslo.policy deprecation system
because "" OR'd with the new default is entirely useless as a policy.

Change-Id: Ib339852c9d619b8cbf7a00d45da461377991ba6f
Partial-bug: #1818850
Partial-bug: #1818846
2019-08-16 15:20:15 -07:00
__init__.py Add Application Credentials controller 2018-01-27 11:55:05 +01:00
access_token.py Add scope_types to oauth policies 2018-01-05 22:25:05 +00:00
application_credential.py Clean up irrelevant comment 2019-08-06 14:31:37 -07:00
auth.py Implement GET /v3/auth/system 2018-01-24 01:09:16 +00:00
base.py implement system scope for application credential 2019-07-19 17:53:16 -07:00
consumer.py Add scope_types to oauth policies 2018-01-05 22:25:05 +00:00
credential.py Make system members the same as system readers for credentials 2019-03-05 21:25:16 +00:00
domain.py Allow project users to retrieve domains 2019-01-21 20:46:05 +00:00
domain_config.py Add scope_types to domain config policies 2018-01-19 20:17:30 +00:00
ec2_credential.py Document scope_types for ec2 policies 2018-01-19 22:30:35 +00:00
endpoint.py Update endpoint policies for system admin 2019-01-08 22:32:20 +00:00
endpoint_group.py Add scope_types to endpoint group policies 2018-01-05 21:47:10 +00:00
grant.py Make system admin policies consistent for grants 2019-03-25 19:30:03 +00:00
group.py Add domain scope support for group policies 2019-03-27 17:15:00 +01:00
identity_provider.py Update idp policies for system admin 2019-01-08 22:15:32 +00:00
implied_role.py Add scope_types to implied role policies 2018-01-04 21:32:18 +00:00
limit.py Add domain level limit support - API 2019-02-19 11:09:13 +08:00
mapping.py Fix list_mappings deprecation warning message 2019-08-06 14:27:39 -07:00
policy.py Add scope_types for policy policies 2018-01-05 22:25:55 +00:00
policy_association.py Add scope_types to policy association policies 2018-01-04 20:37:30 +00:00
project.py Implement domain admin functionality for projects 2019-03-20 20:21:33 +00:00
project_endpoint.py Add scope_types to project endpoint policies 2018-01-04 21:04:09 +00:00
protocol.py Implement system admin role in protocol API 2019-01-08 20:39:34 +00:00
region.py Add tests for domain users interacting with regions 2019-02-11 17:51:10 +00:00
registered_limit.py Allow domain users to access the registered limits API 2019-01-08 18:16:07 +00:00
revoke_event.py Add scope_types for revoke event policies 2018-01-04 21:14:16 +00:00
role.py Update role policies for system admin 2019-01-08 20:48:28 +00:00
role_assignment.py Add role assignment testing for project users 2019-03-25 18:01:42 +00:00
service.py Update service policies for system admin 2019-02-22 16:53:52 +00:00
service_provider.py Update service provider policies for system admin 2019-01-04 17:58:31 +00:00
token.py Implement system scope and default roles for token API 2019-06-17 15:57:51 +00:00
token_revocation.py Deprecate identity:revocation_list policy for removal 2019-07-23 17:21:19 +00:00
trust.py Move list_roles_for_trust enforcement to policies 2019-08-16 15:20:15 -07:00
user.py Implement domain admin functionality for user API 2019-03-19 22:34:15 +00:00