keystone  18.0.0
About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Victoria" series (maintained release).
  Fossies Dox: keystone-18.0.0.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

policy.py
1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
2 # not use this file except in compliance with the License. You may obtain
3 # a copy of the License at
4 #
5 # http://www.apache.org/licenses/LICENSE-2.0
6 #
7 # Unless required by applicable law or agreed to in writing, software
8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
10 # License for the specific language governing permissions and limitations
11 # under the License.
12 
13 # This file handles all flask-restful resources for /policy
14 
15 import flask_restful
16 import http.client
17 from oslo_log import versionutils
18 
19 from keystone.api._shared import json_home_relations
20 from keystone.common import json_home
21 from keystone.common import provider_api
22 from keystone.common import rbac_enforcer
23 from keystone.common import validation
24 from keystone.policy import schema
25 from keystone.server import flask as ks_flask
26 
# Module-level aliases used by every handler below: ENFORCER is the class
# whose enforce_call() each handler invokes first, and PROVIDERS is the
# registry through which policy_api, catalog_api and endpoint_policy_api
# are reached.
ENFORCER = rbac_enforcer.RBACEnforcer
PROVIDERS = provider_api.ProviderAPIs

# Relation-function passed to every OS-ENDPOINT-POLICY resource map entry.
_resource_rel_func = json_home_relations.os_endpoint_policy_resource_rel_func
31 
32 
class PolicyResource(ks_flask.ResourceBase):
    """Flask-RESTful resource for the policy collection and its members.

    Every handler that talks to ``PROVIDERS.policy_api`` makes
    ``ENFORCER.enforce_call`` with its own ``identity:*`` action its first
    statement, ahead of any body parsing or provider call.  Those handlers
    are wrapped in ``versionutils.deprecated`` (deprecated as of Queens).
    """

    collection_key = 'policies'
    member_key = 'policy'

    def get(self, policy_id=None):
        """Return one policy when ``policy_id`` is truthy, else the list.

        No enforcement happens here; it is done inside the helper that is
        dispatched to.
        """
        if not policy_id:
            return self._list_policies()
        return self._get_policy(policy_id)

    @versionutils.deprecated(
        as_of=versionutils.deprecated.QUEENS,
        what='identity:get_policy of the v3 Policy APIs'
    )
    def _get_policy(self, policy_id):
        """Enforce ``identity:get_policy`` and return the wrapped policy."""
        ENFORCER.enforce_call(action='identity:get_policy')
        return self.wrap_member(PROVIDERS.policy_api.get_policy(policy_id))

    @versionutils.deprecated(
        as_of=versionutils.deprecated.QUEENS,
        what='identity:list_policies of the v3 Policy APIs'
    )
    def _list_policies(self):
        """Enforce ``identity:list_policies`` and return the collection.

        Driver hints are built with ``'type'`` as the only filter name.
        """
        ENFORCER.enforce_call(action='identity:list_policies')
        hints = self.build_driver_hints(['type'])
        policies = PROVIDERS.policy_api.list_policies(hints=hints)
        return self.wrap_collection(policies, hints=hints)

    @versionutils.deprecated(
        as_of=versionutils.deprecated.QUEENS,
        what='identity:create_policy of the v3 Policy APIs'
    )
    def post(self):
        """Create a policy from the ``policy`` object of the JSON body.

        Order of operations: enforce ``identity:create_policy``, validate
        the body against ``schema.policy_create``, normalize it, assign an
        ID, then create it through the policy API with the audit
        initiator.  A body without a ``policy`` key is validated as ``{}``.

        Returns the wrapped member and ``http.client.CREATED``.
        """
        ENFORCER.enforce_call(action='identity:create_policy')
        body = self.request_body_json.get('policy', {})
        validation.lazy_validate(schema.policy_create, body)
        normalized = self._normalize_dict(body)
        policy = self._assign_unique_id(normalized)

        created = PROVIDERS.policy_api.create_policy(
            policy['id'], policy, initiator=self.audit_initiator
        )
        return self.wrap_member(created), http.client.CREATED

    @versionutils.deprecated(
        as_of=versionutils.deprecated.QUEENS,
        what='identity:update_policy of the v3 Policy APIs'
    )
    def patch(self, policy_id):
        """Update the policy named by ``policy_id`` from the JSON body.

        Enforces ``identity:update_policy`` and validates the ``policy``
        object against ``schema.policy_update``.  Unlike ``post``, the body
        is handed to the policy API without going through
        ``_normalize_dict``.
        """
        ENFORCER.enforce_call(action='identity:update_policy')
        body = self.request_body_json.get('policy', {})
        validation.lazy_validate(schema.policy_update, body)

        updated = PROVIDERS.policy_api.update_policy(
            policy_id, body, initiator=self.audit_initiator
        )
        return self.wrap_member(updated)

    @versionutils.deprecated(
        as_of=versionutils.deprecated.QUEENS,
        what='identity:delete_policy of the v3 Policy APIs'
    )
    def delete(self, policy_id):
        """Enforce ``identity:delete_policy`` and delete the policy.

        Returns whatever the policy API returned together with
        ``http.client.NO_CONTENT``.
        """
        ENFORCER.enforce_call(action='identity:delete_policy')
        return (
            PROVIDERS.policy_api.delete_policy(
                policy_id, initiator=self.audit_initiator
            ),
            http.client.NO_CONTENT,
        )
101 
102 
class EndpointPolicyResource(flask_restful.Resource):
    """Lists the endpoints associated with a policy."""

    def get(self, policy_id):
        """Return the endpoints for ``policy_id`` as an ``endpoints`` list.

        ``identity:list_endpoints_for_policy`` is enforced first.  The
        policy is then fetched and the result discarded; presumably this
        makes an unknown ID fail before the listing runs -- confirm against
        the policy manager.
        """
        ENFORCER.enforce_call(action='identity:list_endpoints_for_policy')
        PROVIDERS.policy_api.get_policy(policy_id)
        endpoint_policy_api = PROVIDERS.endpoint_policy_api
        refs = endpoint_policy_api.list_endpoints_for_policy(policy_id)
        # Strip the legacy ID from each ref before it is serialized.
        self._remove_legacy_ids(refs)
        return ks_flask.ResourceBase.wrap_collection(
            refs, collection_name='endpoints'
        )

    def _remove_legacy_ids(self, endpoints):
        """Drop ``legacy_endpoint_id`` from every endpoint dict, in place."""
        for ref in endpoints:
            # A default is supplied so refs without the key are left alone.
            ref.pop('legacy_endpoint_id', None)
119 
120 
class EndpointPolicyAssociations(flask_restful.Resource):
    """Check, create and delete a policy <-> endpoint association.

    All three handlers follow the same order: enforce the handler's own
    ``identity:*`` action, fetch the policy and the endpoint (results are
    discarded; presumably an existence check -- confirm against the
    managers), then call the endpoint-policy API.  Each returns an empty
    body with ``http.client.NO_CONTENT``.
    """

    def get(self, policy_id, endpoint_id):
        """Check that the policy is associated with the endpoint."""
        ENFORCER.enforce_call(
            action='identity:check_policy_association_for_endpoint'
        )
        PROVIDERS.policy_api.get_policy(policy_id)
        PROVIDERS.catalog_api.get_endpoint(endpoint_id)
        PROVIDERS.endpoint_policy_api.check_policy_association(
            policy_id, endpoint_id=endpoint_id
        )
        return None, http.client.NO_CONTENT

    def put(self, policy_id, endpoint_id):
        """Associate the policy with the endpoint."""
        ENFORCER.enforce_call(
            action='identity:create_policy_association_for_endpoint'
        )
        PROVIDERS.policy_api.get_policy(policy_id)
        PROVIDERS.catalog_api.get_endpoint(endpoint_id)
        PROVIDERS.endpoint_policy_api.create_policy_association(
            policy_id, endpoint_id=endpoint_id
        )
        return None, http.client.NO_CONTENT

    def delete(self, policy_id, endpoint_id):
        """Remove the association between the policy and the endpoint."""
        ENFORCER.enforce_call(
            action='identity:delete_policy_association_for_endpoint'
        )
        PROVIDERS.policy_api.get_policy(policy_id)
        PROVIDERS.catalog_api.get_endpoint(endpoint_id)
        PROVIDERS.endpoint_policy_api.delete_policy_association(
            policy_id, endpoint_id=endpoint_id
        )
        return None, http.client.NO_CONTENT
152 
153 
class ServicePolicyAssociations(flask_restful.Resource):
    """Check, create and delete a policy <-> service association.

    Each handler enforces its own ``identity:*`` action first, then fetches
    the policy and the service (results are discarded; presumably an
    existence check -- confirm against the managers) before calling the
    endpoint-policy API.  Each returns an empty body with
    ``http.client.NO_CONTENT``.
    """

    def get(self, policy_id, service_id):
        """Check that the policy is associated with the service."""
        ENFORCER.enforce_call(
            action='identity:check_policy_association_for_service'
        )
        PROVIDERS.policy_api.get_policy(policy_id)
        PROVIDERS.catalog_api.get_service(service_id)
        PROVIDERS.endpoint_policy_api.check_policy_association(
            policy_id, service_id=service_id
        )
        return None, http.client.NO_CONTENT

    def put(self, policy_id, service_id):
        """Associate the policy with the service."""
        ENFORCER.enforce_call(
            action='identity:create_policy_association_for_service'
        )
        PROVIDERS.policy_api.get_policy(policy_id)
        PROVIDERS.catalog_api.get_service(service_id)
        PROVIDERS.endpoint_policy_api.create_policy_association(
            policy_id, service_id=service_id
        )
        return None, http.client.NO_CONTENT

    def delete(self, policy_id, service_id):
        """Remove the association between the policy and the service."""
        ENFORCER.enforce_call(
            action='identity:delete_policy_association_for_service'
        )
        PROVIDERS.policy_api.get_policy(policy_id)
        PROVIDERS.catalog_api.get_service(service_id)
        PROVIDERS.endpoint_policy_api.delete_policy_association(
            policy_id, service_id=service_id
        )
        return None, http.client.NO_CONTENT
185 
186 
class ServiceRegionPolicyAssociations(flask_restful.Resource):
    """Check, create and delete a policy <-> (service, region) association.

    Each handler enforces its own ``identity:*`` action first, then fetches
    the policy, the service and the region (results are discarded;
    presumably existence checks -- confirm against the managers) before
    calling the endpoint-policy API.  Each returns an empty body with
    ``http.client.NO_CONTENT``.
    """

    def get(self, policy_id, service_id, region_id):
        """Check the policy's association with the service in the region."""
        ENFORCER.enforce_call(
            action='identity:check_policy_association_for_region_and_service'
        )
        PROVIDERS.policy_api.get_policy(policy_id)
        PROVIDERS.catalog_api.get_service(service_id)
        PROVIDERS.catalog_api.get_region(region_id)
        PROVIDERS.endpoint_policy_api.check_policy_association(
            policy_id, service_id=service_id, region_id=region_id
        )
        return None, http.client.NO_CONTENT

    def put(self, policy_id, service_id, region_id):
        """Associate the policy with the service in the region."""
        ENFORCER.enforce_call(
            action='identity:create_policy_association_for_region_and_service'
        )
        PROVIDERS.policy_api.get_policy(policy_id)
        PROVIDERS.catalog_api.get_service(service_id)
        PROVIDERS.catalog_api.get_region(region_id)
        PROVIDERS.endpoint_policy_api.create_policy_association(
            policy_id, service_id=service_id, region_id=region_id
        )
        return None, http.client.NO_CONTENT

    def delete(self, policy_id, service_id, region_id):
        """Remove the policy's association with the service in the region."""
        ENFORCER.enforce_call(
            action='identity:delete_policy_association_for_region_and_service'
        )
        PROVIDERS.policy_api.get_policy(policy_id)
        PROVIDERS.catalog_api.get_service(service_id)
        PROVIDERS.catalog_api.get_region(region_id)
        PROVIDERS.endpoint_policy_api.delete_policy_association(
            policy_id, service_id=service_id, region_id=region_id
        )
        return None, http.client.NO_CONTENT
221 
222 
class PolicyAPI(ks_flask.APIBase):
    """API definition tying the policy resources to their URLs.

    ``PolicyResource`` is listed in ``resources``; the four
    OS-ENDPOINT-POLICY resources are mapped explicitly below.  The
    ``<string:...>`` converter only constrains each ID to a single path
    segment; any further validation of the ID is left to the handler and
    the providers it calls.
    """

    _name = 'policy'
    _import_name = __name__
    resources = [PolicyResource]
    resource_mapping = [
        # Endpoints associated with a policy.
        ks_flask.construct_resource_map(
            resource=EndpointPolicyResource,
            url='/policies/<string:policy_id>/OS-ENDPOINT-POLICY/endpoints',
            resource_kwargs={},
            rel='policy_endpoints',
            path_vars={'policy_id': json_home.Parameters.POLICY_ID},
            resource_relation_func=_resource_rel_func,
        ),
        # Policy <-> endpoint association.
        ks_flask.construct_resource_map(
            resource=EndpointPolicyAssociations,
            url=(
                '/policies/<string:policy_id>'
                '/OS-ENDPOINT-POLICY/endpoints/<string:endpoint_id>'
            ),
            resource_kwargs={},
            rel='endpoint_policy_association',
            path_vars={
                'policy_id': json_home.Parameters.POLICY_ID,
                'endpoint_id': json_home.Parameters.ENDPOINT_ID,
            },
            resource_relation_func=_resource_rel_func,
        ),
        # Policy <-> service association.
        ks_flask.construct_resource_map(
            resource=ServicePolicyAssociations,
            url=(
                '/policies/<string:policy_id>'
                '/OS-ENDPOINT-POLICY/services/<string:service_id>'
            ),
            resource_kwargs={},
            rel='service_policy_association',
            path_vars={
                'policy_id': json_home.Parameters.POLICY_ID,
                'service_id': json_home.Parameters.SERVICE_ID,
            },
            resource_relation_func=_resource_rel_func,
        ),
        # Policy <-> (service, region) association.
        ks_flask.construct_resource_map(
            resource=ServiceRegionPolicyAssociations,
            url=(
                '/policies/<string:policy_id>'
                '/OS-ENDPOINT-POLICY/services/<string:service_id>'
                '/regions/<string:region_id>'
            ),
            resource_kwargs={},
            rel='region_and_service_policy_association',
            path_vars={
                'policy_id': json_home.Parameters.POLICY_ID,
                'service_id': json_home.Parameters.SERVICE_ID,
                'region_id': json_home.Parameters.REGION_ID,
            },
            resource_relation_func=_resource_rel_func,
        ),
    ]
274 
275 
# API classes this module exposes; how the tuple is consumed is not visible
# in this file.
APIs = (PolicyAPI,)