
Source code changes of the file "keystone/common/policies/grant.py" between
keystone-16.0.1.tar.gz and keystone-17.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Ussuri" series (latest release).

grant.py  (keystone-16.0.1):grant.py  (keystone-17.0.0)
skipping to change at line 30 skipping to change at line 30
# for users. The second does the same for groups. We have to overload the check # for users. The second does the same for groups. We have to overload the check
# string to handle both cases because `identity:check_grant` is used to protect # string to handle both cases because `identity:check_grant` is used to protect
# both user and group grant APIs. If the `identity:check_grant` policy is every # both user and group grant APIs. If the `identity:check_grant` policy is every
# broken apart, we can write specific check strings that are tailored to either # broken apart, we can write specific check strings that are tailored to either
# users or groups (e.g., `identity:check_group_grant` or # users or groups (e.g., `identity:check_group_grant` or
# `identity:check_user_grant`) and prevent overloading like this. # `identity:check_user_grant`) and prevent overloading like this.
DOMAIN_MATCHES_USER_DOMAIN = 'domain_id:%(target.user.domain_id)s' DOMAIN_MATCHES_USER_DOMAIN = 'domain_id:%(target.user.domain_id)s'
DOMAIN_MATCHES_GROUP_DOMAIN = 'domain_id:%(target.group.domain_id)s' DOMAIN_MATCHES_GROUP_DOMAIN = 'domain_id:%(target.group.domain_id)s'
DOMAIN_MATCHES_PROJECT_DOMAIN = 'domain_id:%(target.project.domain_id)s' DOMAIN_MATCHES_PROJECT_DOMAIN = 'domain_id:%(target.project.domain_id)s'
DOMAIN_MATCHES_TARGET_DOMAIN = 'domain_id:%(target.domain.id)s' DOMAIN_MATCHES_TARGET_DOMAIN = 'domain_id:%(target.domain.id)s'
DOMAIN_MATCHES_ROLE = 'domain_id:%(target.role.domain_id)s or None:%(target.role DOMAIN_MATCHES_ROLE = (
.domain_id)s' 'domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s'
)
GRANTS_DOMAIN_READER = ( GRANTS_DOMAIN_READER = (
'(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_ '(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
PROJECT_DOMAIN + ') or ' ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_ '(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
TARGET_DOMAIN + ') or ' ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or '
'(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES '(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
_PROJECT_DOMAIN + ') or ' ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES '(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
_TARGET_DOMAIN + ')' ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
) )
SYSTEM_READER_OR_DOMAIN_READER = ( SYSTEM_READER_OR_DOMAIN_READER = (
'(' + base.SYSTEM_READER + ') or ' '(' + base.SYSTEM_READER + ') or '
'(' + GRANTS_DOMAIN_READER + ') and ' '(' + GRANTS_DOMAIN_READER + ') and '
'(' + DOMAIN_MATCHES_ROLE + ')' '(' + DOMAIN_MATCHES_ROLE + ')'
) )
SYSTEM_READER_OR_DOMAIN_READER_LIST = ( SYSTEM_READER_OR_DOMAIN_READER_LIST = (
'(' + base.SYSTEM_READER + ') or ' + GRANTS_DOMAIN_READER '(' + base.SYSTEM_READER + ') or ' + GRANTS_DOMAIN_READER
) )
GRANTS_DOMAIN_ADMIN = ( GRANTS_DOMAIN_ADMIN = (
'(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_P '(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
ROJECT_DOMAIN + ') or ' ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_T '(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
ARGET_DOMAIN + ') or ' ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or '
'(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_ '(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
PROJECT_DOMAIN + ') or ' ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_ '(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
TARGET_DOMAIN + ')' ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
) )
SYSTEM_ADMIN_OR_DOMAIN_ADMIN = ( SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
'(' + base.SYSTEM_ADMIN + ') or ' '(' + base.SYSTEM_ADMIN + ') or '
'(' + GRANTS_DOMAIN_ADMIN + ') and ' '(' + GRANTS_DOMAIN_ADMIN + ') and '
'(' + DOMAIN_MATCHES_ROLE + ')' '(' + DOMAIN_MATCHES_ROLE + ')'
) )
deprecated_check_system_grant_for_user = policy.DeprecatedRule( deprecated_check_system_grant_for_user = policy.DeprecatedRule(
name=base.IDENTITY % 'check_system_grant_for_user', name=base.IDENTITY % 'check_system_grant_for_user',
check_str=base.RULE_ADMIN_REQUIRED check_str=base.RULE_ADMIN_REQUIRED
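Review bot: The new wrapping in GRANTS_DOMAIN_READER and GRANTS_DOMAIN_ADMIN splits each separator into `' and'` at the end of one line and a lone `' '` literal at the start of the next, so the text of an RBAC check string now depends on a one-character literal that is easy to drop in a later edit. As far as the visible lines show, the composed strings are identical on both sides of this change, so this is a maintenance risk and not a present defect. I would keep the operator whole and break before the operand instead, e.g. `'(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' +` followed by `DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '`. A unit test that asserts the full text of `SYSTEM_READER_OR_DOMAIN_READER` and `SYSTEM_ADMIN_OR_DOMAIN_ADMIN` would catch any accidental change to a grant policy. The `policy.DeprecatedRule(` call that closes this section continues past the visible lines and is not covered by this comment.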
 End of changes. 3 change blocks. 
18 lines changed or deleted 19 lines changed or added
