
Source code changes of the file "barbican/common/policies/consumers.py" between
barbican-11.0.0.tar.gz and barbican-12.0.0.tar.gz

About: OpenStack Barbican is the OpenStack Key Manager service. It provides secure storage, provisioning and management of secret data.
The "Wallaby" series (latest release).

consumers.py  (barbican-11.0.0):consumers.py  (barbican-12.0.0)
skipping to change at line 19 skipping to change at line 19
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from oslo_policy import policy from oslo_policy import policy
# FIXME(hrybacki): Note that the GET rules have the same check strings. # FIXME(hrybacki): Note that the GET rules have the same check strings.
# The POST/DELETE rules also share the check stirngs. # The POST/DELETE rules also share the check stirngs.
# These can probably be turned into constants in base # These can probably be turned into constants in base
_READER = "role:reader"
_MEMBER = "role:member"
_ADMIN = "role:admin"
_SYSTEM_ADMIN = "role:admin and system_scope:all"
_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.container.project_id)s"
_PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.container.project_id)s"
_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
_CONTAINER_IS_NOT_PRIVATE = "True:%(target.container.read_project_access)s"
rules = [ rules = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='consumer:get', name='consumer:get',
check_str='rule:admin or rule:observer or rule:creator or ' + check_str='rule:admin or rule:observer or rule:creator or ' +
'rule:audit or rule:container_non_private_read or ' + 'rule:audit or rule:container_non_private_read or ' +
'rule:container_project_creator or ' + 'rule:container_project_creator or ' +
'rule:container_project_admin or rule:container_acl_read', 'rule:container_project_admin or rule:container_acl_read' +
scope_types=[], f" or ({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN} or " +
f"{_SYSTEM_ADMIN}",
scope_types=['project', 'system'],
description='List a specific consumer for a given container.', description='List a specific consumer for a given container.',
operations=[ operations=[
{ {
'path': '/v1/containers/{container-id}/consumers/' + 'path': '/v1/containers/{container-id}/consumers/' +
'{consumer-id}', '{consumer-id}',
'method': 'GET' 'method': 'GET'
} }
] ]
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='consumers:get', name='consumers:get',
check_str='rule:admin or rule:observer or rule:creator or ' + check_str='rule:admin or rule:observer or rule:creator or ' +
'rule:audit or rule:container_non_private_read or ' + 'rule:audit or rule:container_non_private_read or ' +
'rule:container_project_creator or ' + 'rule:container_project_creator or ' +
'rule:container_project_admin or rule:container_acl_read', 'rule:container_project_admin or rule:container_acl_read' +
scope_types=[], f" or ({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN} or " +
f"{_SYSTEM_ADMIN}",
scope_types=['project', 'system'],
description='List a containers consumers.', description='List a containers consumers.',
operations=[ operations=[
{ {
'path': '/v1/containers/{container-id}/consumers', 'path': '/v1/containers/{container-id}/consumers',
'method': 'GET' 'method': 'GET'
} }
] ]
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='consumers:post', name='consumers:post',
check_str='rule:admin or rule:container_non_private_read or ' + check_str='rule:admin or rule:container_non_private_read or ' +
'rule:container_project_creator or ' + 'rule:container_project_creator or ' +
'rule:container_project_admin or rule:container_acl_read', 'rule:container_project_admin or rule:container_acl_read' +
scope_types=[], f" or ({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN} or " +
f"{_SYSTEM_ADMIN}",
scope_types=['project', 'system'],
description='Creates a consumer.', description='Creates a consumer.',
operations=[ operations=[
{ {
'path': '/v1/containers/{container-id}/consumers', 'path': '/v1/containers/{container-id}/consumers',
'method': 'POST' 'method': 'POST'
} }
] ]
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='consumers:delete', name='consumers:delete',
check_str='rule:admin or rule:container_non_private_read or ' + check_str='rule:admin or rule:container_non_private_read or ' +
'rule:container_project_creator or ' + 'rule:container_project_creator or ' +
'rule:container_project_admin or rule:container_acl_read', 'rule:container_project_admin or rule:container_acl_read' +
scope_types=[], f" or ({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN} or " +
f"{_SYSTEM_ADMIN}",
scope_types=['project', 'system'],
description='Deletes a consumer.', description='Deletes a consumer.',
operations=[ operations=[
{ {
'path': '/v1/containers/{container-id}/consumers/' + 'path': '/v1/containers/{container-id}/consumers/' +
'{consumer-id}', '{consumer-id}',
'method': 'DELETE' 'method': 'DELETE'
} }
] ]
), ),
] ]
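Review bot: The clause appended to `consumers:post` and `consumers:delete` is the same one used for the two GET rules, so `_CONTAINER_IS_NOT_PRIVATE`, which reads `read_project_access`, appears to let any project member create or delete consumers on a container they did not create. If that is not intended, the write rules should drop that term, e.g. `f" or ({_PROJECT_MEMBER} and {_CONTAINER_CREATOR}) or {_PROJECT_ADMIN} or {_SYSTEM_ADMIN}"`. In all four rules the legacy `rule:...` terms are kept by plain string concatenation, so they stay in force even when an operator sets oslo.policy's `enforce_new_defaults`; moving them into a `policy.DeprecatedRule` passed as `deprecated_rule=` would let them be switched off. `_READER` is defined but not referenced in the visible rules, and the GET rules require `role:member`, so a short comment stating whether reader access is deliberately withheld would help.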
 End of changes. 5 change blocks. 
8 lines changed or deleted 29 lines changed or added
