"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/common/policies/policy_association.py" (13 May 2020, 10245 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:



    1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 # not use this file except in compliance with the License. You may obtain
    3 # a copy of the License at
    4 #
    5 #      http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 # Unless required by applicable law or agreed to in writing, software
    8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 # License for the specific language governing permissions and limitations
   11 # under the License.
   12 
   13 from oslo_log import versionutils
   14 from oslo_policy import policy
   15 
   16 from keystone.common.policies import base
   17 
   18 # NOTE(lbragstad): Both endpoints and services are system-level resources.
   19 # System-scoped tokens should be required to manage policy associations to
   20 # existing system-level resources.
   21 
def _legacy_admin_rule(action):
    """Return the deprecated default for *action*.

    Every legacy policy-association rule used the same check string,
    ``base.RULE_ADMIN_REQUIRED``, and carried no scope restriction, so
    the rules differ only in the action name appended to the identity
    prefix.
    """
    return policy.DeprecatedRule(
        name=base.IDENTITY % action,
        check_str=base.RULE_ADMIN_REQUIRED,
    )


# Pre-Train defaults, kept so existing deployments keep working while
# operators migrate to the system-scoped defaults.
# NOTE(review): during the deprecation window oslo.policy evaluates a
# deprecated check string alongside the new default, so a token that
# satisfies the legacy admin rule can still be authorized for these APIs
# even without system scope. Deployments that rely on the stricter
# defaults should opt in explicitly ([oslo_policy] enforce_new_defaults,
# where the installed oslo.policy provides it -- confirm for this
# release) or override the rules in their policy file.
deprecated_check_policy_assoc_for_endpoint = _legacy_admin_rule(
    'check_policy_association_for_endpoint')
deprecated_check_policy_assoc_for_service = _legacy_admin_rule(
    'check_policy_association_for_service')
deprecated_check_policy_assoc_for_region_and_service = _legacy_admin_rule(
    'check_policy_association_for_region_and_service')

deprecated_get_policy_for_endpoint = _legacy_admin_rule(
    'get_policy_for_endpoint')
deprecated_list_endpoints_for_policy = _legacy_admin_rule(
    'list_endpoints_for_policy')

deprecated_create_policy_assoc_for_endpoint = _legacy_admin_rule(
    'create_policy_association_for_endpoint')
deprecated_delete_policy_assoc_for_endpoint = _legacy_admin_rule(
    'delete_policy_association_for_endpoint')

deprecated_create_policy_assoc_for_service = _legacy_admin_rule(
    'create_policy_association_for_service')
deprecated_delete_policy_assoc_for_service = _legacy_admin_rule(
    'delete_policy_association_for_service')

deprecated_create_policy_assoc_for_region_and_service = _legacy_admin_rule(
    'create_policy_association_for_region_and_service')
deprecated_delete_policy_assoc_for_region_and_service = _legacy_admin_rule(
    'delete_policy_association_for_region_and_service')

# Shared explanation attached to every rule that supersedes one of the
# deprecated defaults above.
DEPRECATED_REASON = (
    "The policy association API is now aware of system scope and "
    "default roles."
)
   81 
# URL templates of the OS-ENDPOINT-POLICY API that the rules below guard.
_ENDPOINT_ASSOC_PATH = (
    '/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}')
_SERVICE_ASSOC_PATH = (
    '/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}')
_REGION_SERVICE_ASSOC_PATH = (
    '/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
    'services/{service_id}/regions/{region_id}')
_POLICY_FOR_ENDPOINT_PATH = (
    '/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy')
_ENDPOINTS_FOR_POLICY_PATH = (
    '/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints')


def _operations(path, *methods):
    """Return one ``{'path', 'method'}`` entry per HTTP method, in order."""
    return [{'path': path, 'method': verb} for verb in methods]


def _system_rule(action, check_str, description, operations,
                 deprecated_rule):
    """Build a system-scoped default that supersedes *deprecated_rule*.

    All rules in this module share the same scope, deprecation reason
    and deprecation release; only the arguments vary.
    """
    return policy.DocumentedRuleDefault(
        name=base.IDENTITY % action,
        check_str=check_str,
        scope_types=['system'],
        description=description,
        operations=operations,
        deprecated_rule=deprecated_rule,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.TRAIN)


# Write operations (PUT/DELETE) use base.SYSTEM_ADMIN; read operations
# (GET/HEAD) use base.SYSTEM_READER. Every rule is limited to the
# 'system' scope type.
# NOTE(review): scope_types only blocks project- or domain-scoped tokens
# when scope enforcement is turned on ([oslo_policy] enforce_scope);
# with it off, oslo.policy logs a scope mismatch instead of rejecting
# the request. Verify that setting when auditing a deployment that
# depends on these defaults.
policy_association_policies = [
    _system_rule(
        'create_policy_association_for_endpoint',
        base.SYSTEM_ADMIN,
        'Associate a policy to a specific endpoint.',
        _operations(_ENDPOINT_ASSOC_PATH, 'PUT'),
        deprecated_create_policy_assoc_for_endpoint),
    _system_rule(
        'check_policy_association_for_endpoint',
        base.SYSTEM_READER,
        'Check policy association for endpoint.',
        _operations(_ENDPOINT_ASSOC_PATH, 'GET', 'HEAD'),
        deprecated_check_policy_assoc_for_endpoint),
    _system_rule(
        'delete_policy_association_for_endpoint',
        base.SYSTEM_ADMIN,
        'Delete policy association for endpoint.',
        _operations(_ENDPOINT_ASSOC_PATH, 'DELETE'),
        deprecated_delete_policy_assoc_for_endpoint),
    _system_rule(
        'create_policy_association_for_service',
        base.SYSTEM_ADMIN,
        'Associate a policy to a specific service.',
        _operations(_SERVICE_ASSOC_PATH, 'PUT'),
        deprecated_create_policy_assoc_for_service),
    _system_rule(
        'check_policy_association_for_service',
        base.SYSTEM_READER,
        'Check policy association for service.',
        _operations(_SERVICE_ASSOC_PATH, 'GET', 'HEAD'),
        deprecated_check_policy_assoc_for_service),
    _system_rule(
        'delete_policy_association_for_service',
        base.SYSTEM_ADMIN,
        'Delete policy association for service.',
        _operations(_SERVICE_ASSOC_PATH, 'DELETE'),
        deprecated_delete_policy_assoc_for_service),
    _system_rule(
        'create_policy_association_for_region_and_service',
        base.SYSTEM_ADMIN,
        'Associate a policy to a specific region and service combination.',
        _operations(_REGION_SERVICE_ASSOC_PATH, 'PUT'),
        deprecated_create_policy_assoc_for_region_and_service),
    _system_rule(
        'check_policy_association_for_region_and_service',
        base.SYSTEM_READER,
        'Check policy association for region and service.',
        _operations(_REGION_SERVICE_ASSOC_PATH, 'GET', 'HEAD'),
        deprecated_check_policy_assoc_for_region_and_service),
    _system_rule(
        'delete_policy_association_for_region_and_service',
        base.SYSTEM_ADMIN,
        'Delete policy association for region and service.',
        _operations(_REGION_SERVICE_ASSOC_PATH, 'DELETE'),
        deprecated_delete_policy_assoc_for_region_and_service),
    _system_rule(
        'get_policy_for_endpoint',
        base.SYSTEM_READER,
        'Get policy for endpoint.',
        _operations(_POLICY_FOR_ENDPOINT_PATH, 'GET', 'HEAD'),
        deprecated_get_policy_for_endpoint),
    _system_rule(
        'list_endpoints_for_policy',
        base.SYSTEM_READER,
        'List endpoints for policy.',
        _operations(_ENDPOINTS_FOR_POLICY_PATH, 'GET'),
        deprecated_list_endpoints_for_policy),
]
  220 
  221 
def list_rules():
    """Return the policy-association rule defaults defined in this module.

    The module-level list object itself is returned, not a copy, so a
    caller that mutates the result also changes what later callers see.
    """
    rules = policy_association_policies
    return rules