
Source code changes of the file "barbican/common/policies/acls.py" between
barbican-11.0.0.tar.gz and barbican-12.0.0.tar.gz

About: OpenStack Barbican is the OpenStack Key Manager service. It provides secure storage, provisioning and management of secret data.
The "Wallaby" series (latest release).

acls.py  (barbican-11.0.0):acls.py  (barbican-12.0.0)
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from oslo_policy import policy from oslo_policy import policy
# FIXME(hrybacki): Repetitive check strings: Port to simpler checks # FIXME(hrybacki): Repetitive check strings: Port to simpler checks
# - secret_acls:delete, secret_acls:put_patch # - secret_acls:delete, secret_acls:put_patch
# - container_acls:delete container_acls:put_patch # - container_acls:delete container_acls:put_patch
_MEMBER = 'role:member'
_ADMIN = 'role:admin'
_SECRET_MEMBER = f"{_MEMBER} and project_id:%(target.secret.project_id)s"
_SECRET_ADMIN = f"{_ADMIN} and project_id:%(target.secret.project_id)s"
_SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
_SECRET_IS_NOT_PRIVATE = "True:%(target.secret.read_project_access)s"
_CONTAINER_MEMBER = f"{_MEMBER} and project_id:%(target.container.project_id)s"
_CONTAINER_ADMIN = f"{_ADMIN} and project_id:%(target.container.project_id)s"
_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
_CONTAINER_IS_NOT_PRIVATE = "True:%(target.container.read_project_access)s"
rules = [ rules = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='secret_acls:get', name='secret_acls:get',
check_str='rule:all_but_audit and rule:secret_project_match', check_str='(rule:all_but_audit and rule:secret_project_match) or ' +
scope_types=[], f"({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
scope_types=['project'],
description='Retrieve the ACL settings for a given secret.' description='Retrieve the ACL settings for a given secret.'
'If no ACL is defined for that secret, then Default ACL ' 'If no ACL is defined for that secret, then Default ACL '
'is returned.', 'is returned.',
operations=[ operations=[
{ {
'path': '/v1/secrets/{secret-id}/acl', 'path': '/v1/secrets/{secret-id}/acl',
'method': 'GET' 'method': 'GET'
}, },
] ]
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='secret_acls:delete', name='secret_acls:delete',
check_str='rule:secret_project_admin or rule:secret_project_creator', check_str='rule:secret_project_admin or rule:secret_project_creator' +
scope_types=[], f" or ({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
scope_types=['project'],
description='Delete the ACL settings for a given secret.', description='Delete the ACL settings for a given secret.',
operations=[ operations=[
{ {
'path': '/v1/secrets/{secret-id}/acl', 'path': '/v1/secrets/{secret-id}/acl',
'method': 'DELETE' 'method': 'DELETE'
}, },
] ]
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='secret_acls:put_patch', name='secret_acls:put_patch',
check_str='rule:secret_project_admin or rule:secret_project_creator', check_str='rule:secret_project_admin or rule:secret_project_creator' +
scope_types=[], f" or ({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
scope_types=['project'],
description='Create new, replaces, or updates existing ACL for a ' + description='Create new, replaces, or updates existing ACL for a ' +
'given secret.', 'given secret.',
operations=[ operations=[
{ {
'path': '/v1/secrets/{secret-id}/acl', 'path': '/v1/secrets/{secret-id}/acl',
'method': 'PUT' 'method': 'PUT'
}, },
{ {
'path': '/v1/secrets/{secret-id}/acl', 'path': '/v1/secrets/{secret-id}/acl',
'method': 'PATCH' 'method': 'PATCH'
}, },
] ]
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='container_acls:get', name='container_acls:get',
check_str='rule:all_but_audit and rule:container_project_match', check_str='(rule:all_but_audit and rule:container_project_match) or ' +
scope_types=[], f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
scope_types=['project'],
description='Retrieve the ACL settings for a given container.', description='Retrieve the ACL settings for a given container.',
operations=[ operations=[
{ {
'path': '/v1/containers/{container-id}/acl', 'path': '/v1/containers/{container-id}/acl',
'method': 'GET' 'method': 'GET'
} }
] ]
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='container_acls:delete', name='container_acls:delete',
check_str='rule:container_project_admin or ' + check_str='rule:container_project_admin or ' +
'rule:container_project_creator', 'rule:container_project_creator or ' +
scope_types=[], f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
scope_types=['project'],
description='Delete ACL for a given container. No content is returned ' description='Delete ACL for a given container. No content is returned '
'in the case of successful deletion.', 'in the case of successful deletion.',
operations=[ operations=[
{ {
'path': '/v1/containers/{container-id}/acl', 'path': '/v1/containers/{container-id}/acl',
'method': 'DELETE' 'method': 'DELETE'
} }
] ]
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='container_acls:put_patch', name='container_acls:put_patch',
check_str='rule:container_project_admin or ' + check_str='rule:container_project_admin or ' +
'rule:container_project_creator', 'rule:container_project_creator or ' +
scope_types=[], f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
scope_types=['project'],
description='Create new or replaces existing ACL for a given ' description='Create new or replaces existing ACL for a given '
'container.', 'container.',
operations=[ operations=[
{ {
'path': '/v1/containers/{container-id}/acl', 'path': '/v1/containers/{container-id}/acl',
'method': 'PUT' 'method': 'PUT'
}, },
{ {
'path': '/v1/containers/{container-id}/acl', 'path': '/v1/containers/{container-id}/acl',
'method': 'PATCH' 'method': 'PATCH'
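Review bot: The new member clause on `secret_acls:delete` and `secret_acls:put_patch` (and the two container counterparts) lets any project member rewrite or delete the ACL of a secret whose `read_project_access` is true, where the 11.0.0 check required `rule:secret_project_admin or rule:secret_project_creator`; as the ACL endpoint is presumably where the per-user read list and the project-access flag are set, a non-creator member can now re-scope a shared secret to outside users, or reset it to the default ACL. Whether that widening is intended is not visible here, but if it is not, the `_SECRET_IS_NOT_PRIVATE` alternative belongs only in the `:get` rules, i.e. `f" or ({_SECRET_MEMBER} and {_SECRET_CREATOR}) or {_SECRET_ADMIN}",` for the two secret write rules and the same shape with the `_CONTAINER_*` names for the container ones. If it is intended, the description strings should say so, e.g. `'Any project member may modify the ACL of a secret that is not private.'`, since operators reading the generated policy docs will otherwise assume the old creator/admin contract. Separately, the FIXME at the top of the file already flags repetitive check strings and this change inlines each compound clause four times; defining them once as `policy.RuleDefault` entries (e.g. `secret_project_member_or_creator`) would keep the legacy rule names and the new scope-typed ones in one place. The `rules` list continues past the end of the hunk.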
 End of changes. 7 change blocks. 
12 lines changed or deleted 35 lines changed or added
