
Source code changes of the file "barbican/common/policies/containers.py" between
barbican-11.0.0.tar.gz and barbican-12.0.0.tar.gz

About: OpenStack Barbican is the OpenStack Key Manager service. It provides secure storage, provisioning and management of secret data.
The "Wallaby" series (latest release).

containers.py  (barbican-11.0.0):containers.py  (barbican-12.0.0)
skipping to change at line 15 skipping to change at line 15
# http://www.apache.org/licenses/LICENSE-2.0 # http://www.apache.org/licenses/LICENSE-2.0
# #
# Unless required by applicable law or agreed to in writing, software # Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from oslo_policy import policy from oslo_policy import policy
_READER = "role:reader"
_MEMBER = "role:member"
_ADMIN = "role:admin"
_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.container.project_id)s"
_PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.container.project_id)s"
_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
_CONTAINER_IS_NOT_PRIVATE = "True:%(target.container.read_project_access)s"
rules = [ rules = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='containers:post', name='containers:post',
check_str='rule:admin_or_creator', check_str=f"rule:admin_or_creator or {_MEMBER}",
scope_types=[], scope_types=['project'],
description='Creates a container.', description='Creates a container.',
operations=[ operations=[
{ {
'path': '/v1/containers', 'path': '/v1/containers',
'method': 'POST' 'method': 'POST'
} }
] ]
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='containers:get', name='containers:get',
check_str='rule:all_but_audit', check_str=f"rule:all_but_audit or {_MEMBER}",
scope_types=[], scope_types=['project'],
description='Lists a projects containers.', description='Lists a projects containers.',
operations=[ operations=[
{ {
'path': '/v1/containers', 'path': '/v1/containers',
'method': 'GET' 'method': 'GET'
} }
] ]
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='container:get', name='container:get',
check_str='rule:container_non_private_read or ' + check_str='rule:container_non_private_read or ' +
'rule:container_project_creator or ' + 'rule:container_project_creator or ' +
'rule:container_project_admin or ' + 'rule:container_project_admin or ' +
'rule:container_acl_read', 'rule:container_acl_read or ' +
scope_types=[], f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'],
description='Retrieves a single container.', description='Retrieves a single container.',
operations=[ operations=[
{ {
'path': '/v1/containers/{container-id}', 'path': '/v1/containers/{container-id}',
'method': 'GET' 'method': 'GET'
} }
] ]
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='container:delete', name='container:delete',
check_str='rule:container_project_admin or ' + check_str='rule:container_project_admin or ' +
'rule:container_project_creator', 'rule:container_project_creator or ' +
scope_types=[], f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'],
description='Deletes a container.', description='Deletes a container.',
operations=[ operations=[
{ {
'path': '/v1/containers/{uuid}', 'path': '/v1/containers/{uuid}',
'method': 'DELETE' 'method': 'DELETE'
} }
] ]
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='container_secret:post', name='container_secret:post',
check_str='rule:admin', check_str='rule:admin or ' +
scope_types=[], f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'],
description='Add a secret to an existing container.', description='Add a secret to an existing container.',
operations=[ operations=[
{ {
'path': '/v1/containers/{container-id}/secrets', 'path': '/v1/containers/{container-id}/secrets',
'method': 'POST' 'method': 'POST'
} }
] ]
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='container_secret:delete', name='container_secret:delete',
check_str='rule:admin', check_str='rule:admin or ' +
scope_types=[], f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'],
description='Remove a secret from a container.', description='Remove a secret from a container.',
operations=[ operations=[
{ {
'path': '/v1/containers/{container-id}/secrets/{secret-id}', 'path': '/v1/containers/{container-id}/secrets/{secret-id}',
'method': 'DELETE' 'method': 'DELETE'
} }
] ]
), ),
] ]
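Review bot: `_READER = "role:reader"` at line 19 is introduced but not referenced by any rule in this file, so the new project-scoped defaults give the reader role no path to the read-only operations (`containers:get`, `container:get`) where it would belong; either wire it in deliberately or drop it, since an unused constant in a policy file invites a later rule to pick it up without review. The same project-member-or-admin fragment `f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or {_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}"` is repeated verbatim in `container:get`, `container:delete`, `container_secret:post` and `container_secret:delete`; hoisting it once, e.g. `_CONTAINER_MEMBER_OR_ADMIN = f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or {_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}"`, keeps the four rules from drifting apart on a future edit. Note that `containers:post` and `containers:get` now grant bare `role:member` with no `project_id` match, unlike the per-container rules; this is presumably intentional because no target container exists yet, but a one-line comment saying so, e.g. `# no target container yet: project scoping comes from the token's project`, would make that reasoning explicit. The new `%(target.container.*)s` attributes also assume every enforcement call for these rules populates that target dict; the evidence for that is outside this file.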
 End of changes. 7 change blocks. 
12 lines changed or deleted 28 lines changed or added
