"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/common/policies/trust.py" (13 May 2020, 6341 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. For more information about "trust.py" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 16.0.1_vs_17.0.0.

    1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 # not use this file except in compliance with the License. You may obtain
    3 # a copy of the License at
    4 #
    5 #      http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 # Unless required by applicable law or agreed to in writing, software
    8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 # License for the specific language governing permissions and limitations
   11 # under the License.
   12 
   13 from oslo_log import versionutils
   14 from oslo_policy import policy
   15 
   16 from keystone.common.policies import base
   17 
   18 RULE_TRUSTOR = 'user_id:%(target.trust.trustor_user_id)s'
   19 RULE_TRUSTEE = 'user_id:%(target.trust.trustee_user_id)s'
   20 SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE = (
   21     base.SYSTEM_READER + ' or ' + RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
   22 )
   23 SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR
   24 SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE
   25 SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR
   26 
   27 deprecated_list_trusts = policy.DeprecatedRule(
   28     name=base.IDENTITY % 'list_trusts',
   29     check_str=base.RULE_ADMIN_REQUIRED
   30 )
   31 deprecated_list_roles_for_trust = policy.DeprecatedRule(
   32     name=base.IDENTITY % 'list_roles_for_trust',
   33     check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
   34 )
   35 deprecated_get_role_for_trust = policy.DeprecatedRule(
   36     name=base.IDENTITY % 'get_role_for_trust',
   37     check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
   38 )
   39 deprecated_delete_trust = policy.DeprecatedRule(
   40     name=base.IDENTITY % 'delete_trust',
   41     check_str=RULE_TRUSTOR
   42 )
   43 deprecated_get_trust = policy.DeprecatedRule(
   44     name=base.IDENTITY % 'get_trust',
   45     check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
   46 )
   47 
   48 DEPRECATED_REASON = (
   49     "The trust API is now aware of system scope and default roles."
   50 )
   51 
   52 trust_policies = [
   53     policy.DocumentedRuleDefault(
   54         name=base.IDENTITY % 'create_trust',
   55         check_str=base.RULE_TRUST_OWNER,
   56         # FIXME(lbragstad): Trusts have the ability to optionally include a
   57         # project, but until trusts deal with system scope it's not really
   58         # useful. For now, this should be a project only operation.
   59         scope_types=['project'],
   60         description='Create trust.',
   61         operations=[{'path': '/v3/OS-TRUST/trusts',
   62                      'method': 'POST'}]),
   63     policy.DocumentedRuleDefault(
   64         name=base.IDENTITY % 'list_trusts',
   65         check_str=base.SYSTEM_READER,
   66         scope_types=['system'],
   67         description='List trusts.',
   68         operations=[{'path': '/v3/OS-TRUST/trusts',
   69                      'method': 'GET'},
   70                     {'path': '/v3/OS-TRUST/trusts',
   71                      'method': 'HEAD'}],
   72         deprecated_rule=deprecated_list_trusts,
   73         deprecated_reason=DEPRECATED_REASON,
   74         deprecated_since=versionutils.deprecated.TRAIN),
   75     policy.DocumentedRuleDefault(
   76         name=base.IDENTITY % 'list_trusts_for_trustor',
   77         check_str=SYSTEM_READER_OR_TRUSTOR,
   78         scope_types=['system', 'project'],
   79         description='List trusts for trustor.',
   80         operations=[{'path': '/v3/OS-TRUST/trusts?'
   81                              'trustor_user_id={trustor_user_id}',
   82                      'method': 'GET'},
   83                     {'path': '/v3/OS-TRUST/trusts?'
   84                              'trustor_user_id={trustor_user_id}',
   85                      'method': 'HEAD'}]),
   86     policy.DocumentedRuleDefault(
   87         name=base.IDENTITY % 'list_trusts_for_trustee',
   88         check_str=SYSTEM_READER_OR_TRUSTEE,
   89         scope_types=['system', 'project'],
   90         description='List trusts for trustee.',
   91         operations=[{'path': '/v3/OS-TRUST/trusts?'
   92                              'trustee_user_id={trustee_user_id}',
   93                      'method': 'GET'},
   94                     {'path': '/v3/OS-TRUST/trusts?'
   95                              'trustee_user_id={trustee_user_id}',
   96                      'method': 'HEAD'}]),
   97     policy.DocumentedRuleDefault(
   98         name=base.IDENTITY % 'list_roles_for_trust',
   99         check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
  100         scope_types=['system', 'project'],
  101         description='List roles delegated by a trust.',
  102         operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
  103                      'method': 'GET'},
  104                     {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
  105                      'method': 'HEAD'}],
  106         deprecated_rule=deprecated_list_roles_for_trust,
  107         deprecated_reason=DEPRECATED_REASON,
  108         deprecated_since=versionutils.deprecated.TRAIN),
  109     policy.DocumentedRuleDefault(
  110         name=base.IDENTITY % 'get_role_for_trust',
  111         check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
  112         scope_types=['system', 'project'],
  113         description='Check if trust delegates a particular role.',
  114         operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
  115                      'method': 'GET'},
  116                     {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
  117                      'method': 'HEAD'}],
  118         deprecated_rule=deprecated_get_role_for_trust,
  119         deprecated_reason=DEPRECATED_REASON,
  120         deprecated_since=versionutils.deprecated.TRAIN),
  121     policy.DocumentedRuleDefault(
  122         name=base.IDENTITY % 'delete_trust',
  123         check_str=SYSTEM_ADMIN_OR_TRUSTOR,
  124         scope_types=['system', 'project'],
  125         description='Revoke trust.',
  126         operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
  127                      'method': 'DELETE'}],
  128         deprecated_rule=deprecated_delete_trust,
  129         deprecated_reason=DEPRECATED_REASON,
  130         deprecated_since=versionutils.deprecated.TRAIN),
  131     policy.DocumentedRuleDefault(
  132         name=base.IDENTITY % 'get_trust',
  133         check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
  134         scope_types=['system', 'project'],
  135         description='Get trust.',
  136         operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
  137                      'method': 'GET'},
  138                     {'path': '/v3/OS-TRUST/trusts/{trust_id}',
  139                      'method': 'HEAD'}],
  140         deprecated_rule=deprecated_get_trust,
  141         deprecated_reason=DEPRECATED_REASON,
  142         deprecated_since=versionutils.deprecated.TRAIN)
  143 ]
  144 
  145 
  146 def list_rules():
  147     return trust_policies