
    1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 # not use this file except in compliance with the License. You may obtain
    3 # a copy of the License at
    4 #
    5 #      http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 # Unless required by applicable law or agreed to in writing, software
    8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 # License for the specific language governing permissions and limitations
   11 # under the License.
   12 
   13 from oslo_log import versionutils
   14 from oslo_policy import policy
   15 
   16 from keystone.common.policies import base
   17 
# Two of the three portions of this check string are specific to domain
# readers. The first catches domain readers who are checking or listing grants
# for users. The second does the same for groups. We have to overload the check
# string to handle both cases because `identity:check_grant` is used to protect
# both user and group grant APIs. If the `identity:check_grant` policy is ever
# broken apart, we can write specific check strings that are tailored to either
# users or groups (e.g., `identity:check_group_grant` or
# `identity:check_user_grant`) and prevent overloading like this.
#
# Each `domain_id:` fragment compares the domain_id carried by the caller's
# token with an attribute of the object named in the policy target. A
# domain-scoped caller can therefore only pass when the actor (user/group) and
# the target (project/domain) both live in the caller's own domain; oslo.policy's
# generic check fails closed when the referenced target key is absent.
DOMAIN_MATCHES_USER_DOMAIN = 'domain_id:%(target.user.domain_id)s'
DOMAIN_MATCHES_GROUP_DOMAIN = 'domain_id:%(target.group.domain_id)s'
DOMAIN_MATCHES_PROJECT_DOMAIN = 'domain_id:%(target.project.domain_id)s'
DOMAIN_MATCHES_TARGET_DOMAIN = 'domain_id:%(target.domain.id)s'
# A domain-scoped caller may only work with roles owned by its own domain or
# with global roles. The second alternative relies on oslo.policy treating an
# unknown left-hand kind such as `None` as a literal, so it matches exactly when
# the target role's domain_id is None (i.e. a global role).
DOMAIN_MATCHES_ROLE = (
    'domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s'
)
# Four alternatives: (user, project), (user, domain), (group, project),
# (group, domain). Each requires the reader role plus a domain match on BOTH the
# actor and the target, which is what keeps one domain's reader from seeing
# grants that belong to another domain.
GRANTS_DOMAIN_READER = (
    '(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
    ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
    '(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
    ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or '
    '(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
    ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
    '(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
    ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
)
# oslo.policy binds `and` tighter than `or`, so this reads as
# SYSTEM_READER or (GRANTS_DOMAIN_READER and DOMAIN_MATCHES_ROLE): a system
# reader is never subject to the role-domain restriction, a domain reader
# always is.
SYSTEM_READER_OR_DOMAIN_READER = (
    '(' + base.SYSTEM_READER + ') or '
    '(' + GRANTS_DOMAIN_READER + ') and '
    '(' + DOMAIN_MATCHES_ROLE + ')'
)

# Listing grants has no single role in the target, so the role-domain check
# is deliberately left out of the list variant.
SYSTEM_READER_OR_DOMAIN_READER_LIST = (
    '(' + base.SYSTEM_READER + ') or ' + GRANTS_DOMAIN_READER
)

# Same four actor/target alternatives as GRANTS_DOMAIN_READER, gated on the
# admin role instead of the reader role.
GRANTS_DOMAIN_ADMIN = (
    '(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
    ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
    '(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
    ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or '
    '(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
    ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
    '(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
    ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
)
# As above: SYSTEM_ADMIN or (GRANTS_DOMAIN_ADMIN and DOMAIN_MATCHES_ROLE).
SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
    '(' + base.SYSTEM_ADMIN + ') or '
    '(' + GRANTS_DOMAIN_ADMIN + ') and '
    '(' + DOMAIN_MATCHES_ROLE + ')'
)
   68 
# Pre-Stein defaults for every grant rule, all of which required the legacy
# admin rule. oslo.policy keeps honouring a deprecated rule's check string
# alongside the new default (effectively OR-ing the two) until the deprecation
# period ends or the deployment opts in to enforcing the new defaults, so
# RULE_ADMIN_REQUIRED still grants access to these APIs in this release.
deprecated_check_system_grant_for_user = policy.DeprecatedRule(
    name=base.IDENTITY % 'check_system_grant_for_user',
    check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_list_system_grants_for_user = policy.DeprecatedRule(
    name=base.IDENTITY % 'list_system_grants_for_user',
    check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_create_system_grant_for_user = policy.DeprecatedRule(
    name=base.IDENTITY % 'create_system_grant_for_user',
    check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_revoke_system_grant_for_user = policy.DeprecatedRule(
    name=base.IDENTITY % 'revoke_system_grant_for_user',
    check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_check_system_grant_for_group = policy.DeprecatedRule(
    name=base.IDENTITY % 'check_system_grant_for_group',
    check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_list_system_grants_for_group = policy.DeprecatedRule(
    name=base.IDENTITY % 'list_system_grants_for_group',
    check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_create_system_grant_for_group = policy.DeprecatedRule(
    name=base.IDENTITY % 'create_system_grant_for_group',
    check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_revoke_system_grant_for_group = policy.DeprecatedRule(
    name=base.IDENTITY % 'revoke_system_grant_for_group',
    check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_list_grants = policy.DeprecatedRule(
    name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_check_grant = policy.DeprecatedRule(
    name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_create_grant = policy.DeprecatedRule(
    name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_revoke_grant = policy.DeprecatedRule(
    name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED
)

# Shared deprecation text for every rule above; the deprecation itself is
# attached per rule via deprecated_rule/deprecated_since in grant_policies.
DEPRECATED_REASON = (
    "The assignment API is now aware of system scope and default roles."
)
  117 
# Paths addressing a single role of a single actor (user or group) on a single
# target (project or domain).
resource_paths = [
    '/projects/{project_id}/users/{user_id}/roles/{role_id}',
    '/projects/{project_id}/groups/{group_id}/roles/{role_id}',
    '/domains/{domain_id}/users/{user_id}/roles/{role_id}',
    '/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
]

# Append the OS-INHERIT twin of every path above. The map is materialised with
# list() before the extension so the list is not iterated while it grows.
resource_paths += list(map('/OS-INHERIT{}/inherited_to_projects'.format,
                           resource_paths))


# Paths that address all roles of one actor on one target.
collection_paths = [
    '/projects/{project_id}/users/{user_id}/roles',
    '/projects/{project_id}/groups/{group_id}/roles',
    '/domains/{domain_id}/users/{user_id}/roles',
    '/domains/{domain_id}/groups/{group_id}/roles',
]


# Collection paths for inherited grants exist for domain targets only;
# groups are listed before users to keep the historical ordering.
inherited_collection_paths = [
    '/OS-INHERIT' + path + '/inherited_to_projects'
    for path in (
        '/domains/{domain_id}/groups/{group_id}/roles',
        '/domains/{domain_id}/users/{user_id}/roles',
    )
]
  144 
  145 
def list_operations(paths, methods):
    """Expand *paths* x *methods* into oslo.policy operation descriptors.

    Every path is prefixed with ``/v3`` and paired with each method in turn,
    giving one ``{'path': ..., 'method': ...}`` dict per combination. The
    result is ordered by path first, then by method.
    """
    operations = []
    for path in paths:
        full_path = '/v3' + path
        for method in methods:
            operations.append({'path': full_path, 'method': method})
    return operations
  149 
  150 
# NOTE(samueldmq): Unlike individual resource paths, collection
# paths for the inherited grants do not contain a HEAD API
list_grants_operations = list_operations(collection_paths, ['GET', 'HEAD'])
list_grants_operations.extend(
    list_operations(inherited_collection_paths, ['GET']))
  156 
  157 
# Default policies for the grant (role assignment) APIs. The first four rules
# cover project/domain grants and accept system- or domain-scoped tokens; the
# remaining eight cover system grants and accept system-scoped tokens only.
grant_policies = [
    # A domain reader passes only if the caller's domain matches the actor,
    # the target and (for non-global roles) the role named in the request.
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'check_grant',
        check_str=SYSTEM_READER_OR_DOMAIN_READER,
        scope_types=['system', 'domain'],
        description=('Check a role grant between a target and an actor. A '
                     'target can be either a domain or a project. An actor '
                     'can be either a user or a group. These terms also apply '
                     'to the OS-INHERIT APIs, where grants on the target '
                     'are inherited to all projects in the subtree, if '
                     'applicable.'),
        operations=list_operations(resource_paths, ['HEAD', 'GET']),
        deprecated_rule=deprecated_check_grant,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.STEIN),
    # No single role in the target here, hence the _LIST check string without
    # the role-domain condition.
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_grants',
        check_str=SYSTEM_READER_OR_DOMAIN_READER_LIST,
        scope_types=['system', 'domain'],
        description=('List roles granted to an actor on a target. A target '
                     'can be either a domain or a project. An actor can be '
                     'either a user or a group. For the OS-INHERIT APIs, it '
                     'is possible to list inherited role grants for actors on '
                     'domains, where grants are inherited to all projects '
                     'in the specified domain.'),
        operations=list_grants_operations,
        deprecated_rule=deprecated_list_grants,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_grant',
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
        scope_types=['system', 'domain'],
        description=('Create a role grant between a target and an actor. A '
                     'target can be either a domain or a project. An actor '
                     'can be either a user or a group. These terms also apply '
                     'to the OS-INHERIT APIs, where grants on the target '
                     'are inherited to all projects in the subtree, if '
                     'applicable.'),
        operations=list_operations(resource_paths, ['PUT']),
        deprecated_rule=deprecated_create_grant,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'revoke_grant',
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
        scope_types=['system', 'domain'],
        description=('Revoke a role grant between a target and an actor. A '
                     'target can be either a domain or a project. An actor '
                     'can be either a user or a group. These terms also apply '
                     'to the OS-INHERIT APIs, where grants on the target '
                     'are inherited to all projects in the subtree, if '
                     'applicable. In that case, revoking the role grant in '
                     'the target would remove the logical effect of '
                     'inheriting it to the target\'s projects subtree.'),
        operations=list_operations(resource_paths, ['DELETE']),
        deprecated_rule=deprecated_revoke_grant,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.STEIN),
    # System grants: the hand-written operations below give 'method' as a
    # list, whereas list_operations() emits one entry per method string.
    # NOTE(review): both forms appear to be accepted by the docs tooling, but
    # confirm before relying on the list form elsewhere.
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_system_grants_for_user',
        check_str=base.SYSTEM_READER,
        scope_types=['system'],
        description='List all grants a specific user has on the system.',
        operations=[
            {
                'path': '/v3/system/users/{user_id}/roles',
                'method': ['HEAD', 'GET']
            }
        ],
        deprecated_rule=deprecated_list_system_grants_for_user,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.STEIN
    ),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'check_system_grant_for_user',
        check_str=base.SYSTEM_READER,
        scope_types=['system'],
        description='Check if a user has a role on the system.',
        operations=[
            {
                'path': '/v3/system/users/{user_id}/roles/{role_id}',
                'method': ['HEAD', 'GET']
            }
        ],
        deprecated_rule=deprecated_check_system_grant_for_user,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.STEIN
    ),
    # Granting or revoking a role on the system is an admin-only operation;
    # there is no domain-scoped alternative for system grants.
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_system_grant_for_user',
        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Grant a user a role on the system.',
        operations=[
            {
                'path': '/v3/system/users/{user_id}/roles/{role_id}',
                'method': ['PUT']
            }
        ],
        deprecated_rule=deprecated_create_system_grant_for_user,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.STEIN
    ),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'revoke_system_grant_for_user',
        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Remove a role from a user on the system.',
        operations=[
            {
                'path': '/v3/system/users/{user_id}/roles/{role_id}',
                'method': ['DELETE']
            }
        ],
        deprecated_rule=deprecated_revoke_system_grant_for_user,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.STEIN
    ),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_system_grants_for_group',
        check_str=base.SYSTEM_READER,
        scope_types=['system'],
        description='List all grants a specific group has on the system.',
        operations=[
            {
                'path': '/v3/system/groups/{group_id}/roles',
                'method': ['HEAD', 'GET']
            }
        ],
        deprecated_rule=deprecated_list_system_grants_for_group,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.STEIN
    ),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'check_system_grant_for_group',
        check_str=base.SYSTEM_READER,
        scope_types=['system'],
        description='Check if a group has a role on the system.',
        operations=[
            {
                'path': '/v3/system/groups/{group_id}/roles/{role_id}',
                'method': ['HEAD', 'GET']
            }
        ],
        deprecated_rule=deprecated_check_system_grant_for_group,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.STEIN
    ),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_system_grant_for_group',
        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Grant a group a role on the system.',
        operations=[
            {
                'path': '/v3/system/groups/{group_id}/roles/{role_id}',
                'method': ['PUT']
            }
        ],
        deprecated_rule=deprecated_create_system_grant_for_group,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.STEIN
    ),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'revoke_system_grant_for_group',
        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Remove a role from a group on the system.',
        operations=[
            {
                'path': '/v3/system/groups/{group_id}/roles/{role_id}',
                'method': ['DELETE']
            }
        ],
        deprecated_rule=deprecated_revoke_system_grant_for_group,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.STEIN
    )
]
  338 
  339 
def list_rules():
    """Return the grant policy defaults defined by this module.

    The module-level ``grant_policies`` list itself is handed back, not a
    copy, so callers should treat it as read-only.
    """
    rules = grant_policies
    return rules