author | Ghanshyam Mann <gmann@ghanshyammann.com> | 2021-07-04 17:52:39 -0500 |
---|---|---|
committer | Ghanshyam Mann <gmann@ghanshyammann.com> | 2021-08-20 14:30:23 -0500 |
commit | e057378b82efe27c2ac9dd277ead587836c759b5 (patch) | |
tree | c2aece873e2c666205ee82af023c922049045e7d | |
parent | 50f0a50cf4d52d3f61b64713bd4faa7a4626ae53 (diff) | |
download | keystone-e057378b82efe27c2ac9dd277ead587836c759b5.tar.gz |
Fix oslo policy DeprecatedRule warnings
Since 3.7.0, oslo.policy emits a DeprecationWarning[1] if the
deprecated_reason and deprecated_since params are not passed
to DeprecatedRule, or if they are passed to the RuleDefault object.
These warnings are logged for every test, which increases the
log size and can sometimes fill the log buffer and fail the
job.
[1] https://github.com/openstack/oslo.policy/blob/3.7.0/oslo_policy/policy.py#L1538
Change-Id: Id9d89a04b480cbdcefead93ce55a1f174f948f5d
28 files changed, 651 insertions, 639 deletions
diff --git a/keystone/common/policies/application_credential.py b/keystone/common/policies/application_credential.py index cebb85b02..f944a6906 100644 --- a/keystone/common/policies/application_credential.py +++ b/keystone/common/policies/application_credential.py @@ -18,23 +18,30 @@ from keystone.common.policies import base collection_path = '/v3/users/{user_id}/application_credentials' resource_path = collection_path + '/{application_credential_id}' +DEPRECATED_REASON = ( + "The application credential API is now aware of system scope and default " + "roles." +) + deprecated_list_application_credentials_for_user = policy.DeprecatedRule( name=base.IDENTITY % 'list_application_credentials', - check_str=base.RULE_ADMIN_OR_OWNER + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_get_application_credentials_for_user = policy.DeprecatedRule( name=base.IDENTITY % 'get_application_credentials', - check_str=base.RULE_ADMIN_OR_OWNER + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_delete_application_credentials_for_user = policy.DeprecatedRule( name=base.IDENTITY % 'delete_application_credentials', - check_str=base.RULE_ADMIN_OR_OWNER + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) -DEPRECATED_REASON = ( - "The application credential API is now aware of system scope and default " - "roles." -) application_credential_policies = [ policy.DocumentedRuleDefault( 
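Review bot: Nothing in this hunk records that the `check_str` of each `DeprecatedRule` (here `base.RULE_ADMIN_OR_OWNER`, three times) is still part of the enforced policy, and a reader could easily take these blocks for inert metadata now that the warning arguments live on them; as I understand oslo.policy, the deprecated check is OR-ed with the new default until an operator opts into the new defaults, so editing one of these strings changes who is authorised. A comment above the first definition such as `# The deprecated check_str below is still enforced (OR-ed with the new default) during the deprecation period; moving deprecated_reason/deprecated_since here only changes where the warning is raised.` would make that explicit. Moving `DEPRECATED_REASON` above the `DeprecatedRule` definitions is required because they now reference it at import time; the same reordering is done in consumer.py, domain_config.py, ec2_credential.py, endpoint.py and endpoint_group.py below. Each new `deprecated_since` should match the value removed from the corresponding `DocumentedRuleDefault` (TRAIN here, STEIN in credential.py, domain.py and endpoint.py), since a mismatch would silently change the logged deprecation text rather than fail a test.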
@@ -46,9 +53,7 @@ application_credential_policies = [ 'method': 'GET'}, {'path': resource_path, 'method': 'HEAD'}], - deprecated_rule=deprecated_get_application_credentials_for_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_application_credentials_for_user), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_application_credentials', check_str=base.RULE_SYSTEM_READER_OR_OWNER, @@ -58,9 +63,7 @@ application_credential_policies = [ 'method': 'GET'}, {'path': collection_path, 'method': 'HEAD'}], - deprecated_rule=deprecated_list_application_credentials_for_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_application_credentials_for_user), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_application_credential', check_str=base.RULE_OWNER, @@ -75,9 +78,7 @@ application_credential_policies = [ description='Delete an application credential.', operations=[{'path': resource_path, 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_application_credentials_for_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN) + deprecated_rule=deprecated_delete_application_credentials_for_user) ] diff --git a/keystone/common/policies/consumer.py b/keystone/common/policies/consumer.py index bf9a6bdd7..7931bf05b 100644 --- a/keystone/common/policies/consumer.py +++ b/keystone/common/policies/consumer.py 
@@ -15,30 +15,41 @@ from oslo_policy import policy from keystone.common.policies import base +DEPRECATED_REASON = ( + "The OAUTH1 consumer API is now aware of system scope and default roles." +) + deprecated_get_consumer = policy.DeprecatedRule( name=base.IDENTITY % 'get_consumer', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_list_consumers = policy.DeprecatedRule( name=base.IDENTITY % 'list_consumers', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_create_consumer = policy.DeprecatedRule( name=base.IDENTITY % 'create_consumer', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_update_consumer = policy.DeprecatedRule( name=base.IDENTITY % 'update_consumer', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_delete_consumer = policy.DeprecatedRule( name=base.IDENTITY % 'delete_consumer', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) -DEPRECATED_REASON = ( - "The OAUTH1 consumer API is now aware of system scope and default roles." -) consumer_policies = [ policy.DocumentedRuleDefault( 
@@ -48,9 +59,7 @@ consumer_policies = [ description='Show OAUTH1 consumer details.', operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}', 'method': 'GET'}], - deprecated_rule=deprecated_get_consumer, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_consumer), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_consumers', check_str=base.SYSTEM_READER, @@ -58,9 +67,7 @@ consumer_policies = [ description='List OAUTH1 consumers.', operations=[{'path': '/v3/OS-OAUTH1/consumers', 'method': 'GET'}], - deprecated_rule=deprecated_list_consumers, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_consumers), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_consumer', check_str=base.SYSTEM_ADMIN, @@ -68,9 +75,7 @@ consumer_policies = [ description='Create OAUTH1 consumer.', operations=[{'path': '/v3/OS-OAUTH1/consumers', 'method': 'POST'}], - deprecated_rule=deprecated_create_consumer, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_create_consumer), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_consumer', check_str=base.SYSTEM_ADMIN, @@ -78,9 +83,7 @@ consumer_policies = [ description='Update OAUTH1 consumer.', operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_consumer, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_update_consumer), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_consumer', check_str=base.SYSTEM_ADMIN, 
@@ -88,9 +91,7 @@ consumer_policies = [ description='Delete OAUTH1 consumer.', operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_consumer, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_delete_consumer), ] diff --git a/keystone/common/policies/credential.py b/keystone/common/policies/credential.py index 52a9fa808..675e31875 100644 --- a/keystone/common/policies/credential.py +++ b/keystone/common/policies/credential.py @@ -21,23 +21,33 @@ DEPRECATED_REASON = ( deprecated_get_credential = policy.DeprecatedRule( name=base.IDENTITY % 'get_credential', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_list_credentials = policy.DeprecatedRule( name=base.IDENTITY % 'list_credentials', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_create_credential = policy.DeprecatedRule( name=base.IDENTITY % 'create_credential', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_update_credential = policy.DeprecatedRule( name=base.IDENTITY % 'update_credential', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_delete_credential = policy.DeprecatedRule( name=base.IDENTITY % 'delete_credential', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) 
@@ -50,8 +60,6 @@ credential_policies = [ operations=[{'path': '/v3/credentials/{credential_id}', 'method': 'GET'}], deprecated_rule=deprecated_get_credential, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_credentials', @@ -61,8 +69,6 @@ credential_policies = [ operations=[{'path': '/v3/credentials', 'method': 'GET'}], deprecated_rule=deprecated_list_credentials, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_credential', @@ -72,8 +78,6 @@ credential_policies = [ operations=[{'path': '/v3/credentials', 'method': 'POST'}], deprecated_rule=deprecated_create_credential, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_credential', @@ -83,8 +87,6 @@ credential_policies = [ operations=[{'path': '/v3/credentials/{credential_id}', 'method': 'PATCH'}], deprecated_rule=deprecated_update_credential, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_credential', @@ -94,8 +96,6 @@ credential_policies = [ operations=[{'path': '/v3/credentials/{credential_id}', 'method': 'DELETE'}], deprecated_rule=deprecated_delete_credential, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN ) ] diff --git a/keystone/common/policies/domain.py b/keystone/common/policies/domain.py index 7d3e3d788..cd743ee90 100644 --- a/keystone/common/policies/domain.py +++ b/keystone/common/policies/domain.py 
@@ -21,23 +21,33 @@ DEPRECATED_REASON = ( deprecated_list_domains = policy.DeprecatedRule( name=base.IDENTITY % 'list_domains', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_get_domain = policy.DeprecatedRule( name=base.IDENTITY % 'get_domain', - check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN + check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_update_domain = policy.DeprecatedRule( name=base.IDENTITY % 'update_domain', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_create_domain = policy.DeprecatedRule( name=base.IDENTITY % 'create_domain', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_delete_domain = policy.DeprecatedRule( name=base.IDENTITY % 'delete_domain', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER = ( '(role:reader and system_scope:all) or ' @@ -56,9 +66,7 @@ domain_policies = [ description='Show domain details.', operations=[{'path': '/v3/domains/{domain_id}', 'method': 'GET'}], - deprecated_rule=deprecated_get_domain, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_get_domain), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_domains', check_str=base.SYSTEM_READER, 
@@ -66,9 +74,7 @@ domain_policies = [ description='List domains.', operations=[{'path': '/v3/domains', 'method': 'GET'}], - deprecated_rule=deprecated_list_domains, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_domains), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_domain', check_str=base.SYSTEM_ADMIN, @@ -76,9 +82,7 @@ domain_policies = [ description='Create domain.', operations=[{'path': '/v3/domains', 'method': 'POST'}], - deprecated_rule=deprecated_create_domain, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_domain), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_domain', check_str=base.SYSTEM_ADMIN, @@ -86,9 +90,7 @@ domain_policies = [ description='Update domain.', operations=[{'path': '/v3/domains/{domain_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_domain, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_domain), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_domain', check_str=base.SYSTEM_ADMIN, @@ -96,9 +98,7 @@ domain_policies = [ description='Delete domain.', operations=[{'path': '/v3/domains/{domain_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_domain, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_delete_domain), ] diff --git a/keystone/common/policies/domain_config.py b/keystone/common/policies/domain_config.py index f18616bec..b1c8fdab5 100644 --- a/keystone/common/policies/domain_config.py +++ b/keystone/common/policies/domain_config.py 
@@ -15,36 +15,46 @@ from oslo_policy import policy from keystone.common.policies import base +DEPRECATED_REASON = ( + "The domain config API is now aware of system scope and default roles." +) + deprecated_get_domain_config = policy.DeprecatedRule( name=base.IDENTITY % 'get_domain_config', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_get_domain_config_default = policy.DeprecatedRule( name=base.IDENTITY % 'get_domain_config_default', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_create_domain_config = policy.DeprecatedRule( name=base.IDENTITY % 'create_domain_config', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_update_domain_config = policy.DeprecatedRule( name=base.IDENTITY % 'update_domain_config', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_delete_domain_config = policy.DeprecatedRule( name=base.IDENTITY % 'delete_domain_config', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) -DEPRECATED_REASON = ( - "The domain config API is now aware of system scope and default roles." -) - domain_config_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_domain_config', @@ -65,9 +75,7 @@ domain_config_policies = [ 'method': 'PUT' } ], - deprecated_rule=deprecated_create_domain_config, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN + deprecated_rule=deprecated_create_domain_config ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_domain_config', 
@@ -103,8 +111,6 @@ domain_config_policies = [ } ], deprecated_rule=deprecated_get_domain_config, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_security_compliance_domain_config', @@ -156,8 +162,6 @@ domain_config_policies = [ } ], deprecated_rule=deprecated_update_domain_config, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_domain_config', @@ -180,8 +184,6 @@ domain_config_policies = [ } ], deprecated_rule=deprecated_delete_domain_config, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_domain_config_default', @@ -216,8 +218,6 @@ domain_config_policies = [ } ], deprecated_rule=deprecated_get_domain_config_default, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ) ] diff --git a/keystone/common/policies/ec2_credential.py b/keystone/common/policies/ec2_credential.py index 25e65b532..a210ee917 100644 --- a/keystone/common/policies/ec2_credential.py +++ b/keystone/common/policies/ec2_credential.py 
@@ -15,26 +15,35 @@ from oslo_policy import policy from keystone.common.policies import base +DEPRECATED_REASON = ( + "The EC2 credential API is now aware of system scope and default roles." +) + deprecated_ec2_get_credential = policy.DeprecatedRule( name=base.IDENTITY % 'ec2_get_credential', - check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER + check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_ec2_list_credentials = policy.DeprecatedRule( name=base.IDENTITY % 'ec2_list_credentials', - check_str=base.RULE_ADMIN_OR_OWNER + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_ec2_create_credentials = policy.DeprecatedRule( name=base.IDENTITY % 'ec2_create_credentials', - check_str=base.RULE_ADMIN_OR_OWNER + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_ec2_delete_credentials = policy.DeprecatedRule( name=base.IDENTITY % 'ec2_delete_credentials', - check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER + check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) -DEPRECATED_REASON = ( - "The EC2 credential API is now aware of system scope and default roles." -) ec2_credential_policies = [ policy.DocumentedRuleDefault( @@ -45,9 +54,7 @@ ec2_credential_policies = [ operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/' '{credential_id}'), 'method': 'GET'}], - deprecated_rule=deprecated_ec2_get_credential, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN + deprecated_rule=deprecated_ec2_get_credential ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'ec2_list_credentials', 
@@ -57,8 +64,6 @@ ec2_credential_policies = [ operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2', 'method': 'GET'}], deprecated_rule=deprecated_ec2_list_credentials, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'ec2_create_credential', @@ -68,8 +73,6 @@ ec2_credential_policies = [ operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2', 'method': 'POST'}], deprecated_rule=deprecated_ec2_create_credentials, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'ec2_delete_credential', @@ -80,8 +83,6 @@ ec2_credential_policies = [ '{credential_id}'), 'method': 'DELETE'}], deprecated_rule=deprecated_ec2_delete_credentials, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN ) ] diff --git a/keystone/common/policies/endpoint.py b/keystone/common/policies/endpoint.py index b99a40e24..78582496f 100644 --- a/keystone/common/policies/endpoint.py +++ b/keystone/common/policies/endpoint.py 
@@ -15,24 +15,34 @@ from oslo_policy import policy from keystone.common.policies import base +DEPRECATED_REASON = ( + "The endpoint API is now aware of system scope and default roles." +) + deprecated_get_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'get_endpoint', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_list_endpoints = policy.DeprecatedRule( name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_update_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_create_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_delete_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED, -) - -DEPRECATED_REASON = ( - "The endpoint API is now aware of system scope and default roles." + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) @@ -44,9 +54,7 @@ endpoint_policies = [ description='Show endpoint details.', operations=[{'path': '/v3/endpoints/{endpoint_id}', 'method': 'GET'}], - deprecated_rule=deprecated_get_endpoint, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_get_endpoint), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoints', check_str=base.SYSTEM_READER, 
@@ -54,9 +62,7 @@ endpoint_policies = [ description='List endpoints.', operations=[{'path': '/v3/endpoints', 'method': 'GET'}], - deprecated_rule=deprecated_list_endpoints, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_endpoints), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_endpoint', check_str=base.SYSTEM_ADMIN, @@ -64,9 +70,7 @@ endpoint_policies = [ description='Create endpoint.', operations=[{'path': '/v3/endpoints', 'method': 'POST'}], - deprecated_rule=deprecated_create_endpoint, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_endpoint), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_endpoint', check_str=base.SYSTEM_ADMIN, @@ -74,9 +78,7 @@ endpoint_policies = [ description='Update endpoint.', operations=[{'path': '/v3/endpoints/{endpoint_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_endpoint, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_endpoint), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_endpoint', check_str=base.SYSTEM_ADMIN, @@ -84,9 +86,7 @@ endpoint_policies = [ description='Delete endpoint.', operations=[{'path': '/v3/endpoints/{endpoint_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_endpoint, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN) + deprecated_rule=deprecated_delete_endpoint) ] diff --git a/keystone/common/policies/endpoint_group.py b/keystone/common/policies/endpoint_group.py index 691a6fe28..741e0b7ca 100644 --- a/keystone/common/policies/endpoint_group.py +++ b/keystone/common/policies/endpoint_group.py 
@@ -15,64 +15,85 @@ from oslo_policy import policy from keystone.common.policies import base +DEPRECATED_REASON = ( + "The endpoint groups API is now aware of system scope and default roles." +) + deprecated_list_endpoint_groups = policy.DeprecatedRule( name=base.IDENTITY % 'list_endpoint_groups', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_get_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 'get_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 'list_projects_associated_with_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_get_endpoint_group_in_project = policy.DeprecatedRule( name=base.IDENTITY % 'get_endpoint_group_in_project', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule( name=base.IDENTITY % 'list_endpoint_groups_for_project', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_create_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 'create_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_update_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 
'update_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_delete_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 'delete_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_add_endpoint_group_to_project = policy.DeprecatedRule( name=base.IDENTITY % 'add_endpoint_group_to_project', check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule( name=base.IDENTITY % 'remove_endpoint_group_from_project', check_str=base.RULE_ADMIN_REQUIRED, -) - - -DEPRECATED_REASON = ( - "The endpoint groups API is now aware of system scope and default roles." + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) @@ -84,9 +105,7 @@ group_endpoint_policies = [ description='Create endpoint group.', operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups', 'method': 'POST'}], - deprecated_rule=deprecated_create_endpoint_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_create_endpoint_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoint_groups', check_str=base.SYSTEM_READER, @@ -94,9 +113,7 @@ group_endpoint_policies = [ description='List endpoint groups.', operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups', 'method': 'GET'}], - deprecated_rule=deprecated_list_endpoint_groups, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_endpoint_groups), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_endpoint_group', check_str=base.SYSTEM_READER, 
@@ -108,9 +125,7 @@ group_endpoint_policies = [ {'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}'), 'method': 'HEAD'}], - deprecated_rule=deprecated_get_endpoint_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_endpoint_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_endpoint_group', check_str=base.SYSTEM_ADMIN, @@ -119,9 +134,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}'), 'method': 'PATCH'}], - deprecated_rule=deprecated_update_endpoint_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_update_endpoint_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_endpoint_group', check_str=base.SYSTEM_ADMIN, @@ -130,9 +143,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}'), 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_endpoint_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_delete_endpoint_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_projects_associated_with_endpoint_group', check_str=base.SYSTEM_READER, @@ -142,9 +153,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/projects'), 'method': 'GET'}], - deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group', check_str=base.SYSTEM_READER, 
@@ -153,9 +162,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/endpoints'), 'method': 'GET'}], - deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_endpoint_group_in_project', check_str=base.SYSTEM_READER, @@ -168,9 +175,7 @@ group_endpoint_policies = [ {'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/projects/{project_id}'), 'method': 'HEAD'}], - deprecated_rule=deprecated_get_endpoint_group_in_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_endpoint_group_in_project), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoint_groups_for_project', check_str=base.SYSTEM_READER, @@ -179,9 +184,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' 'endpoint_groups'), 'method': 'GET'}], - deprecated_rule=deprecated_list_endpoint_groups_for_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_endpoint_groups_for_project), policy.DocumentedRuleDefault( name=base.IDENTITY % 'add_endpoint_group_to_project', check_str=base.SYSTEM_ADMIN, @@ -190,9 +193,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/projects/{project_id}'), 'method': 'PUT'}], - deprecated_rule=deprecated_add_endpoint_group_to_project, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_add_endpoint_group_to_project), policy.DocumentedRuleDefault( name=base.IDENTITY % 'remove_endpoint_group_from_project', check_str=base.SYSTEM_ADMIN, 
@@ -201,9 +202,7 @@ group_endpoint_policies = [
 operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
 '{endpoint_group_id}/projects/{project_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_remove_endpoint_group_from_project,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN)
+ deprecated_rule=deprecated_remove_endpoint_group_from_project)
 ]
diff --git a/keystone/common/policies/grant.py b/keystone/common/policies/grant.py
index 09ef1c983..0e1b92876 100644
--- a/keystone/common/policies/grant.py
+++ b/keystone/common/policies/grant.py
@@ -66,54 +66,79 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
 '(' + DOMAIN_MATCHES_ROLE + ')'
 )
+DEPRECATED_REASON = (
+ "The assignment API is now aware of system scope and default roles."
+)
+
 deprecated_check_system_grant_for_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_system_grant_for_user',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_system_grants_for_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_system_grants_for_user',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_system_grant_for_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_system_grant_for_user',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_revoke_system_grant_for_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'revoke_system_grant_for_user',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_check_system_grant_for_group = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_system_grant_for_group',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_system_grants_for_group = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_system_grants_for_group',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_system_grant_for_group = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_system_grant_for_group',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_revoke_system_grant_for_group = policy.DeprecatedRule(
 name=base.IDENTITY % 'revoke_system_grant_for_group',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_grants = policy.DeprecatedRule(
- name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED
+ name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_check_grant = policy.DeprecatedRule(
- name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED
+ name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_grant = policy.DeprecatedRule(
- name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED
+ name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_revoke_grant = policy.DeprecatedRule(
- name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED
+ name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
-DEPRECATED_REASON = (
- "The assignment API is now aware of system scope and default roles."
-)
 resource_paths = [
 '/projects/{project_id}/users/{user_id}/roles/{role_id}',
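Review bot: The last four DeprecatedRule definitions in this hunk (`deprecated_list_grants` through `deprecated_revoke_grant`) keep `name=` and `check_str=` on one line while the two added keywords each get their own line, unlike the eight definitions above them; splitting that first line as `name=base.IDENTITY % 'list_grants',` / `check_str=base.RULE_ADMIN_REQUIRED,` would make all twelve read alike. A one-line comment above the moved `DEPRECATED_REASON`, e.g. `# Deprecation metadata belongs on the DeprecatedRule; oslo.policy >= 3.7 warns when it is passed to the RuleDefault instead.`, would carry the reason from the commit message into the code. As far as the hunk shows, the move is metadata only: each DeprecatedRule still carries the same legacy `base.RULE_ADMIN_REQUIRED` check string it had before, so the fallback behaviour of the deprecated check is not changed here.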
@@ -167,9 +192,7 @@ grant_policies = [
 'are inherited to all projects in the subtree, if '
 'applicable.'),
 operations=list_operations(resource_paths, ['HEAD', 'GET']),
- deprecated_rule=deprecated_check_grant,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_check_grant),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_grants',
 check_str=SYSTEM_READER_OR_DOMAIN_READER_LIST,
@@ -181,9 +204,7 @@ grant_policies = [
 'domains, where grants are inherited to all projects '
 'in the specified domain.'),
 operations=list_grants_operations,
- deprecated_rule=deprecated_list_grants,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_list_grants),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_grant',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -195,9 +216,7 @@ grant_policies = [
 'are inherited to all projects in the subtree, if '
 'applicable.'),
 operations=list_operations(resource_paths, ['PUT']),
- deprecated_rule=deprecated_create_grant,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_create_grant),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'revoke_grant',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -211,9 +230,7 @@ grant_policies = [
 'the target would remove the logical effect of '
 'inheriting it to the target\'s projects subtree.'),
 operations=list_operations(resource_paths, ['DELETE']),
- deprecated_rule=deprecated_revoke_grant,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_revoke_grant),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_system_grants_for_user',
 check_str=base.SYSTEM_READER,
@@ -226,8 +243,6 @@ grant_policies = [
 }
 ],
 deprecated_rule=deprecated_list_system_grants_for_user,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_system_grant_for_user',
@@ -241,8 +256,6 @@ grant_policies = [
 }
 ],
 deprecated_rule=deprecated_check_system_grant_for_user,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_system_grant_for_user',
@@ -256,8 +269,6 @@ grant_policies = [
 }
 ],
 deprecated_rule=deprecated_create_system_grant_for_user,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'revoke_system_grant_for_user',
@@ -271,8 +282,6 @@ grant_policies = [
 }
 ],
 deprecated_rule=deprecated_revoke_system_grant_for_user,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_system_grants_for_group',
@@ -286,8 +295,6 @@ grant_policies = [
 }
 ],
 deprecated_rule=deprecated_list_system_grants_for_group,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_system_grant_for_group',
@@ -301,8 +308,6 @@ grant_policies = [
 }
 ],
 deprecated_rule=deprecated_check_system_grant_for_group,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_system_grant_for_group',
@@ -316,8 +321,6 @@ grant_policies = [
 }
 ],
 deprecated_rule=deprecated_create_system_grant_for_group,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'revoke_system_grant_for_group',
@@ -331,8 +334,6 @@ grant_policies = [
 }
 ],
 deprecated_rule=deprecated_revoke_system_grant_for_group,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 )
 ]
diff --git a/keystone/common/policies/group.py b/keystone/common/policies/group.py
index d33da9289..0106bad6f 100644
--- a/keystone/common/policies/group.py
+++ b/keystone/common/policies/group.py
@@ -51,43 +51,63 @@ DEPRECATED_REASON = (
 deprecated_get_group = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_group',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_groups = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_groups',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_groups_for_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_groups_for_user',
- check_str=base.RULE_ADMIN_OR_OWNER
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_users_in_group = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_users_in_group',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_check_user_in_group = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_user_in_group',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_group = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_group',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_update_group = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_group',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_delete_group = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_group',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+
deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_remove_user_from_group = policy.DeprecatedRule(
 name=base.IDENTITY % 'remove_user_from_group',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_add_user_to_group = policy.DeprecatedRule(
 name=base.IDENTITY % 'add_user_to_group',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 group_policies = [
@@ -100,9 +120,7 @@ group_policies = [
 'method': 'GET'},
 {'path': '/v3/groups/{group_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_group,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_get_group),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_groups',
 check_str=SYSTEM_READER_OR_DOMAIN_READER,
@@ -112,9 +130,7 @@ group_policies = [
 'method': 'GET'},
 {'path': '/v3/groups',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_groups,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_list_groups),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_groups_for_user',
 check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER,
@@ -124,9 +140,7 @@ group_policies = [
 'method': 'GET'},
 {'path': '/v3/users/{user_id}/groups',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_groups_for_user,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_list_groups_for_user),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_group',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -134,9 +148,7 @@ group_policies = [
 description='Create group.',
 operations=[{'path': '/v3/groups',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_group,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_create_group),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_group',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -144,9 +156,7 @@ group_policies = [
 description='Update group.',
 operations=[{'path': '/v3/groups/{group_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_group,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_update_group),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_group',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -154,9 +164,7 @@ group_policies = [
 description='Delete group.',
 operations=[{'path': '/v3/groups/{group_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_group,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_delete_group),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_users_in_group',
 check_str=SYSTEM_READER_OR_DOMAIN_READER,
@@ -166,9 +174,7 @@ group_policies = [
 'method': 'GET'},
 {'path': '/v3/groups/{group_id}/users',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_users_in_group,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_list_users_in_group),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'remove_user_from_group',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
@@ -176,9 +182,7 @@ group_policies = [
 description='Remove user from group.',
 operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_remove_user_from_group,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_remove_user_from_group),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_user_in_group',
 check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER,
@@ -188,9 +192,7 @@ group_policies = [
 'method': 'HEAD'},
 {'path': '/v3/groups/{group_id}/users/{user_id}',
 'method': 'GET'}],
- deprecated_rule=deprecated_check_user_in_group,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_check_user_in_group),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'add_user_to_group',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
@@ -198,9 +200,7 @@ group_policies = [
 description='Add user to group.',
 operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
 'method': 'PUT'}],
- deprecated_rule=deprecated_add_user_to_group,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN)
+ deprecated_rule=deprecated_add_user_to_group)
 ]
diff --git a/keystone/common/policies/identity_provider.py b/keystone/common/policies/identity_provider.py
index 2236d2aea..c53d2a3af 100644
--- a/keystone/common/policies/identity_provider.py
+++ b/keystone/common/policies/identity_provider.py
@@ -15,30 +15,41 @@ from oslo_policy import policy
 from keystone.common.policies import base
+DEPRECATED_REASON = (
+ "The identity provider API is now aware of system scope and default roles."
+)
+
 deprecated_get_idp = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_identity_providers',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_idp = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_identity_providers',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_update_idp = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_identity_providers',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_idp = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_identity_providers',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_delete_idp = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_identity_providers',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
-DEPRECATED_REASON = (
- "The identity provider API is now aware of system scope and default roles."
-)
 identity_provider_policies = [
 policy.DocumentedRuleDefault(
@@ -54,9 +65,7 @@ identity_provider_policies = [
 description='Create identity provider.',
 operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_idp,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_create_idp),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_identity_providers',
 check_str=base.SYSTEM_READER,
@@ -73,8 +82,6 @@ identity_provider_policies = [
 }
 ],
 deprecated_rule=deprecated_list_idp,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_identity_provider',
@@ -92,8 +99,6 @@ identity_provider_policies = [
 }
 ],
 deprecated_rule=deprecated_get_idp,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_identity_provider',
@@ -102,9 +107,7 @@ identity_provider_policies = [
 description='Update identity provider.',
 operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_idp,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_update_idp),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_identity_provider',
 check_str=base.SYSTEM_ADMIN,
@@ -112,9 +115,7 @@ identity_provider_policies = [
 description='Delete identity provider.',
 operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_idp,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_delete_idp),
 ]
diff --git a/keystone/common/policies/implied_role.py b/keystone/common/policies/implied_role.py
index 6d164b035..01bcc009b 100644
--- a/keystone/common/policies/implied_role.py
+++ b/keystone/common/policies/implied_role.py
@@ -15,33 +15,45 @@ from oslo_policy import policy
 from keystone.common.policies import base
+DEPRECATED_REASON = (
+ "The implied role API is now aware of system scope and default roles."
+)
+
 deprecated_get_implied_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_implied_role',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_list_implied_roles = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_implied_roles',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_list_role_inference_rules = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_role_inference_rules',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_check_implied_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_implied_role',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_create_implied_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_implied_role',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_delete_implied_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_implied_role',
 check_str=base.RULE_ADMIN_REQUIRED,
-)
-
-DEPRECATED_REASON = (
- "The implied role API is now aware of system scope and default roles."
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
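Review bot: The added `deprecated_since=versionutils.deprecated.TRAIN` line drops the trailing comma that the context line `check_str=base.RULE_ADMIN_REQUIRED,` carried in this file, so the next keyword appended to these DeprecatedRule calls will again require touching the previous line, which is exactly the shape of this diff; `deprecated_since=versionutils.deprecated.TRAIN,` keeps the file's existing trailing-comma convention. The same applies to the policy.py hunk at `@@ -15,33 +15,43 @@` and the policy_association.py hunk at `@@ -19,65 +19,88 @@`, which also start from context lines ending in a comma. In `deprecated_delete_implied_role` the surviving ` )` context line is the closing paren of the removed `DEPRECATED_REASON` block being reused as the call's closing paren, which is correct but easy to misread when reviewing.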
@@ -61,9 +73,7 @@ implied_role_policies = [
 operations=[
 {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
 'method': 'GET'}],
- deprecated_rule=deprecated_get_implied_role,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_get_implied_role),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_implied_roles',
 check_str=base.SYSTEM_READER,
@@ -77,9 +87,7 @@ implied_role_policies = [
 operations=[
 {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'GET'},
 {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_implied_roles,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_list_implied_roles),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_implied_role',
 check_str=base.SYSTEM_ADMIN,
@@ -91,9 +99,7 @@ implied_role_policies = [
 operations=[
 {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_implied_role,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_create_implied_role),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_implied_role',
 check_str=base.SYSTEM_ADMIN,
@@ -106,9 +112,7 @@ implied_role_policies = [
 operations=[
 {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_implied_role,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_delete_implied_role),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_role_inference_rules',
 check_str=base.SYSTEM_READER,
@@ -120,9 +124,7 @@ implied_role_policies = [
 operations=[
 {'path': '/v3/role_inferences', 'method': 'GET'},
 {'path': '/v3/role_inferences', 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_role_inference_rules,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_list_role_inference_rules),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_implied_role',
 check_str=base.SYSTEM_READER,
@@ -134,9 +136,7 @@ implied_role_policies = [
 operations=[
 {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_implied_role,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_check_implied_role),
 ]
diff --git a/keystone/common/policies/mapping.py b/keystone/common/policies/mapping.py
index 498bc7c84..6c4f0de67 100644
--- a/keystone/common/policies/mapping.py
+++ b/keystone/common/policies/mapping.py
@@ -15,30 +15,41 @@ from oslo_policy import policy
 from keystone.common.policies import base
+DEPRECATED_REASON = (
+ "The federated mapping API is now aware of system scope and default roles."
+)
+
 deprecated_get_mapping = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_mapping',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_mappings = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_mappings',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_update_mapping = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_mapping',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_mapping = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_mapping',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_delete_mapping = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_mapping',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
-DEPRECATED_REASON = (
- "The federated mapping API is now aware of system scope and default roles."
-)
 mapping_policies = [
 policy.DocumentedRuleDefault(
@@ -55,9 +66,7 @@ mapping_policies = [
 'more sets of rules.'),
 operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_mapping,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_create_mapping),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_mapping',
 check_str=base.SYSTEM_READER,
@@ -73,9 +82,7 @@ mapping_policies = [
 'method': 'HEAD'
 }
 ],
- deprecated_rule=deprecated_get_mapping,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ deprecated_rule=deprecated_get_mapping
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_mappings',
@@ -93,8 +100,6 @@ mapping_policies = [
 }
 ],
 deprecated_rule=deprecated_list_mappings,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_mapping',
@@ -103,9 +108,7 @@ mapping_policies = [
 description='Delete a federated mapping.',
 operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_mapping,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_delete_mapping),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_mapping',
 check_str=base.SYSTEM_ADMIN,
@@ -113,9 +116,7 @@ mapping_policies = [
 description='Update a federated mapping.',
 operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_mapping,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN)
+ deprecated_rule=deprecated_update_mapping)
 ]
diff --git a/keystone/common/policies/policy.py b/keystone/common/policies/policy.py
index 4c912f33c..502fa9de0 100644
--- a/keystone/common/policies/policy.py
+++ b/keystone/common/policies/policy.py
@@ -15,33 +15,43 @@ from oslo_policy import policy
 from keystone.common.policies import base
+DEPRECATED_REASON = (
+ "The policy API is now aware of system scope and default roles."
+)
+
 deprecated_get_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_list_policies = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_policies',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_update_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_create_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_delete_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
-)
-
-DEPRECATED_REASON = (
- "The policy API is now aware of system scope and default roles."
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
@@ -55,9 +65,7 @@ policy_policies = [
 description='Show policy details.',
 operations=[{'path': '/v3/policies/{policy_id}',
 'method': 'GET'}],
- deprecated_rule=deprecated_get_policy,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_get_policy),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_policies',
 check_str=base.SYSTEM_READER,
@@ -65,9 +73,7 @@ policy_policies = [
 description='List policies.',
 operations=[{'path': '/v3/policies',
 'method': 'GET'}],
- deprecated_rule=deprecated_list_policies,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_list_policies),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_policy',
 check_str=base.SYSTEM_ADMIN,
@@ -75,9 +81,7 @@ policy_policies = [
 description='Create policy.',
 operations=[{'path': '/v3/policies',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_policy,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_create_policy),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_policy',
 check_str=base.SYSTEM_ADMIN,
@@ -85,9 +89,7 @@ policy_policies = [
 description='Update policy.',
 operations=[{'path': '/v3/policies/{policy_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_policy,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_update_policy),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_policy',
 check_str=base.SYSTEM_ADMIN,
@@ -95,9 +97,7 @@ policy_policies = [
 description='Delete policy.',
 operations=[{'path': '/v3/policies/{policy_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_policy,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN)
+ deprecated_rule=deprecated_delete_policy)
 ]
diff --git a/keystone/common/policies/policy_association.py b/keystone/common/policies/policy_association.py
index af5790058..1cf6f86ec 100644
--- a/keystone/common/policies/policy_association.py
+++ b/keystone/common/policies/policy_association.py
@@ -19,65 +19,88 @@ from keystone.common.policies import base
 # System-scoped tokens should be required to manage policy associations to
 # existing system-level resources.
+DEPRECATED_REASON = (
+ "The policy association API is now aware of system scope and default "
+ "roles."
+)
+
 deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_policy_association_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_check_policy_assoc_for_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_policy_association_for_service',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_policy_association_for_region_and_service',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_get_policy_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_policy_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_list_endpoints_for_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_endpoints_for_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_policy_association_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_policy_association_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_create_policy_assoc_for_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_policy_association_for_service',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_policy_association_for_service',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_policy_association_for_region_and_service',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_policy_association_for_region_and_service',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
-DEPRECATED_REASON = (
- "The policy association API is now aware of system scope and default "
- "roles."
-)
 policy_association_policies = [
 policy.DocumentedRuleDefault(
@@ -88,9 +111,7 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'endpoints/{endpoint_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_policy_assoc_for_endpoint,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_create_policy_assoc_for_endpoint),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_policy_association_for_endpoint',
 check_str=base.SYSTEM_READER,
@@ -102,9 +123,7 @@ policy_association_policies = [
 {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'endpoints/{endpoint_id}'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_policy_assoc_for_endpoint,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_check_policy_assoc_for_endpoint),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_policy_association_for_endpoint',
 check_str=base.SYSTEM_ADMIN,
@@ -113,9 +132,7 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'endpoints/{endpoint_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_policy_assoc_for_endpoint,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_delete_policy_assoc_for_endpoint),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_policy_association_for_service',
 check_str=base.SYSTEM_ADMIN,
@@ -124,9 +141,7 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_policy_assoc_for_service,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_create_policy_assoc_for_service),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_policy_association_for_service',
 check_str=base.SYSTEM_READER,
@@ -138,9 +153,7 @@ policy_association_policies = [
 {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_policy_assoc_for_service,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_check_policy_assoc_for_service),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_policy_association_for_service',
 check_str=base.SYSTEM_ADMIN,
@@ -149,9 +162,7 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_policy_assoc_for_service,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_delete_policy_assoc_for_service),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % (
 'create_policy_association_for_region_and_service'),
@@ -162,9 +173,7 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}/regions/{region_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_policy_assoc_for_region_and_service,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_create_policy_assoc_for_region_and_service),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_policy_association_for_region_and_service',
 check_str=base.SYSTEM_READER,
@@ -176,9 +185,7 @@ policy_association_policies = [
 {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}/regions/{region_id}'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_policy_assoc_for_region_and_service,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_check_policy_assoc_for_region_and_service),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % (
 'delete_policy_association_for_region_and_service'),
@@ -188,9 +195,7 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}/regions/{region_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_policy_for_endpoint',
 check_str=base.SYSTEM_READER,
@@ -202,9 +207,7 @@ policy_association_policies = [
 {'path': ('/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/'
 'policy'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_policy_for_endpoint,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_get_policy_for_endpoint),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_endpoints_for_policy',
 check_str=base.SYSTEM_READER,
@@ -213,9 +216,7 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'endpoints'),
 'method': 'GET'}],
- deprecated_rule=deprecated_list_endpoints_for_policy,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN)
+ deprecated_rule=deprecated_list_endpoints_for_policy)
 ]
diff --git a/keystone/common/policies/project.py b/keystone/common/policies/project.py
index c7b7c0a9d..db7cdee9f 100644
--- a/keystone/common/policies/project.py
+++ b/keystone/common/policies/project.py
@@ -52,60 +52,84 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
 '(role:admin and domain_id:%(target.project.domain_id)s)'
 )
+DEPRECATED_REASON = (
+ "The project API is now aware of system scope and default roles."
+)
+
 deprecated_list_projects = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_projects',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_get_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_project',
- check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
+ check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_user_projects = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_user_projects',
- check_str=base.RULE_ADMIN_OR_OWNER
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_project',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_update_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_project',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_delete_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_project',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_project_tags = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_project_tags',
- check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
+ check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_get_project_tag = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_project_tag',
- check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
+ check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_update_project_tag = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_project_tags',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_create_project_tag = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_project_tag',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_delete_project_tag = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_project_tag',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_delete_project_tags = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_project_tags',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
-DEPRECATED_REASON = (
- "The project API is now aware of system scope and default roles."
-)
-
 TAGS_DEPRECATED_REASON = """
 As of the Train release, the project tags API understands how to handle
 system-scoped tokens in addition to project and domain tokens, making the API
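Review bot: The six tag rules in this hunk, `deprecated_list_project_tags` through `deprecated_delete_project_tags`, are given `deprecated_reason=DEPRECATED_REASON`, but the DocumentedRuleDefault entries they replace in the later hunks of this file passed `deprecated_reason=TAGS_DEPRECATED_REASON`. The operator-facing deprecation warning for the project-tag policies therefore silently switches from the tag-specific text, which tells deployers with policy overrides what to re-check, to the generic project message, and `TAGS_DEPRECATED_REASON` (still defined as context at the end of this hunk) appears to lose its last reference — nothing else in the visible hunks uses it, though the rest of the file is not shown. To keep the warning text unchanged, pass `deprecated_reason=TAGS_DEPRECATED_REASON,` on those six DeprecatedRule objects; since that constant is defined below them, the `TAGS_DEPRECATED_REASON = """..."""` block must then be moved above `deprecated_list_project_tags`, otherwise the module raises NameError at import.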
@@ -122,9 +146,7 @@ project_policies = [
 description='Show project details.',
 operations=[{'path': '/v3/projects/{project_id}',
 'method': 'GET'}],
- deprecated_rule=deprecated_get_project,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_get_project),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_projects',
 check_str=SYSTEM_READER_OR_DOMAIN_READER,
@@ -136,9 +158,7 @@ project_policies = [
 description='List projects.',
 operations=[{'path': '/v3/projects',
 'method': 'GET'}],
- deprecated_rule=deprecated_list_projects,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_list_projects),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_user_projects',
 check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER,
@@ -146,9 +166,7 @@ project_policies = [
 description='List projects for user.',
 operations=[{'path': '/v3/users/{user_id}/projects',
 'method': 'GET'}],
- deprecated_rule=deprecated_list_user_projects,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_list_user_projects),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_project',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -156,9 +174,7 @@ project_policies = [
 description='Create project.',
 operations=[{'path': '/v3/projects',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_project,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_create_project),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_project',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -166,9 +182,7 @@ project_policies = [
 description='Update project.',
 operations=[{'path': '/v3/projects/{project_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_project,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_update_project),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_project',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -176,9 +190,7 @@ project_policies = [
 description='Delete project.',
 operations=[{'path': '/v3/projects/{project_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_project,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_delete_project),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_project_tags',
 check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
@@ -188,9 +200,7 @@ project_policies = [
 'method': 'GET'},
 {'path': '/v3/projects/{project_id}/tags',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_project_tags,
- deprecated_reason=TAGS_DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_list_project_tags),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_project_tag',
 check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
@@ -200,9 +210,7 @@ project_policies = [
 'method': 'GET'},
 {'path': '/v3/projects/{project_id}/tags/{value}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_project_tag,
- deprecated_reason=TAGS_DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_get_project_tag),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_project_tags',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
@@ -210,9 +218,7 @@ project_policies = [
 description='Replace all tags on a project with the new set of tags.',
 operations=[{'path': '/v3/projects/{project_id}/tags',
 'method': 'PUT'}],
- deprecated_rule=deprecated_update_project_tag,
- deprecated_reason=TAGS_DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_update_project_tag),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_project_tag',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
@@ -220,9 +226,7 @@ project_policies = [
 description='Add a single tag to a project.',
 operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_project_tag,
- deprecated_reason=TAGS_DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_create_project_tag),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_project_tags',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
@@ -230,9 +234,7 @@ project_policies = [
 description='Remove all tags from a project.',
 operations=[{'path': '/v3/projects/{project_id}/tags',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_project_tags,
- deprecated_reason=TAGS_DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_delete_project_tags),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_project_tag',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
@@ -240,9 +242,7 @@ project_policies = [
 description='Delete a specified tag from project.',
 operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_project_tag,
- deprecated_reason=TAGS_DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN)
+ deprecated_rule=deprecated_delete_project_tag)
 ]
diff --git a/keystone/common/policies/project_endpoint.py b/keystone/common/policies/project_endpoint.py
index c04cddd4d..86a020e02 100644
--- a/keystone/common/policies/project_endpoint.py
+++ b/keystone/common/policies/project_endpoint.py
@@ -15,39 +15,49 @@ from oslo_policy import policy
 from keystone.common.policies import base
+DEPRECATED_REASON = """
+As of the Train release, the project endpoint API now understands default
+roles and system-scoped tokens, making the API more granular by default without
+compromising security. The new policy defaults account for these changes
+automatically. Be sure to take these new defaults into consideration if you are
+relying on overrides in your deployment for the project endpoint API.
+"""
+
 deprecated_list_projects_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_projects_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_add_endpoint_to_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'add_endpoint_to_project',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_check_endpoint_in_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_endpoint_in_project',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_list_endpoints_for_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_endpoints_for_project',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_remove_endpoint_from_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'remove_endpoint_from_project',
 check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
-DEPRECATED_REASON = """
-As of the Train release, the project endpoint API now understands default
-roles and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the project endpoint API.
-"""
-
 project_endpoint_policies = [
@@ -63,9 +73,7 @@ project_endpoint_policies = [
 operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/'
 'projects'),
 'method': 'GET'}],
- deprecated_rule=deprecated_list_projects_for_endpoint,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_list_projects_for_endpoint),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'add_endpoint_to_project',
 check_str=base.SYSTEM_ADMIN,
@@ -74,9 +82,7 @@ project_endpoint_policies = [
 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints/{endpoint_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_add_endpoint_to_project,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_add_endpoint_to_project),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_endpoint_in_project',
 check_str=base.SYSTEM_READER,
@@ -88,9 +94,7 @@ project_endpoint_policies = [
 {'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints/{endpoint_id}'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_endpoint_in_project,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_check_endpoint_in_project),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_endpoints_for_project',
 check_str=base.SYSTEM_READER,
@@ -99,9 +103,7 @@ project_endpoint_policies = [
 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints'),
 'method': 'GET'}],
- deprecated_rule=deprecated_list_endpoints_for_project,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_list_endpoints_for_project),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'remove_endpoint_from_project',
 check_str=base.SYSTEM_ADMIN,
@@ -111,9 +113,7 @@ project_endpoint_policies = [
 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints/{endpoint_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_remove_endpoint_from_project,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN),
+ deprecated_rule=deprecated_remove_endpoint_from_project),
 ]
diff --git a/keystone/common/policies/protocol.py b/keystone/common/policies/protocol.py
index de2a7299e..887fc70df 100644
--- a/keystone/common/policies/protocol.py
+++ b/keystone/common/policies/protocol.py
@@ -15,31 +15,42 @@ from oslo_policy import policy
 from keystone.common.policies import base
+DEPRECATED_REASON = (
+ "The federated protocol API is now aware of system scope and default "
+ "roles."
+)
+
 deprecated_get_protocol = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_protocol',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_protocols = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_protocols',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_update_protocol = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_protocol',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_protocol = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_protocol',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_delete_protocol = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_protocol',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
-DEPRECATED_REASON = (
- "The federated protocol API is now aware of system scope and default "
- "roles."
-)
 protocol_policies = [
 policy.DocumentedRuleDefault(
@@ -53,9 +64,7 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols/{protocol_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_protocol,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_create_protocol),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_protocol',
 check_str=base.SYSTEM_ADMIN,
@@ -64,9 +73,7 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols/{protocol_id}'),
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_protocol,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_update_protocol),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_protocol',
 check_str=base.SYSTEM_READER,
@@ -75,9 +82,7 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols/{protocol_id}'),
 'method': 'GET'}],
- deprecated_rule=deprecated_get_protocol,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_get_protocol),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_protocols',
 check_str=base.SYSTEM_READER,
@@ -86,9 +91,7 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols'),
 'method': 'GET'}],
- deprecated_rule=deprecated_list_protocols,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_list_protocols),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_protocol',
 check_str=base.SYSTEM_ADMIN,
@@ -97,9 +100,7 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols/{protocol_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_protocol,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN)
+ deprecated_rule=deprecated_delete_protocol)
 ]
diff --git a/keystone/common/policies/region.py b/keystone/common/policies/region.py
index bf60f8ff9..f13299dd2 100644
--- a/keystone/common/policies/region.py
+++ b/keystone/common/policies/region.py
@@ -15,22 +15,29 @@ from oslo_policy import policy
 from keystone.common.policies import base
+DEPRECATED_REASON = (
+ "The region API is now aware of system scope and default roles."
+)
+
 deprecated_create_region = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_region',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_update_region = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_region',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_delete_region = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_region',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
-DEPRECATED_REASON = (
- "The region API is now aware of system scope and default roles."
-)
 region_policies = [
 policy.DocumentedRuleDefault(
@@ -66,9 +73,7 @@ region_policies = [
 'method': 'POST'},
 {'path': '/v3/regions/{region_id}',
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_region,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_create_region),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_region',
 check_str=base.SYSTEM_ADMIN,
@@ -76,9 +81,7 @@ region_policies = [
 description='Update region.',
 operations=[{'path': '/v3/regions/{region_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_region,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_update_region),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_region',
 check_str=base.SYSTEM_ADMIN,
@@ -86,9 +89,7 @@ region_policies = [
 description='Delete region.',
 operations=[{'path': '/v3/regions/{region_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_region,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_delete_region),
 ]
diff --git a/keystone/common/policies/role.py b/keystone/common/policies/role.py
index 7d6a38e46..b372efbba 100644
--- a/keystone/common/policies/role.py
+++ b/keystone/common/policies/role.py
@@ -15,50 +15,71 @@ from oslo_policy import policy
 from keystone.common.policies import base
+DEPRECATED_REASON = (
+ "The role API is now aware of system scope and default roles."
+)
+
 deprecated_get_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_role',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_roles',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_update_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_role',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_role',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_delete_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_role',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_get_domain_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_domain_role',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_list_domain_roles = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_domain_roles',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_update_domain_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_domain_role',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_create_domain_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_domain_role',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_delete_domain_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_domain_role',
- check_str=base.RULE_ADMIN_REQUIRED
+ check_str=base.RULE_ADMIN_REQUIRED,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
-DEPRECATED_REASON = (
- "The role API is now aware of system scope and default roles."
-)
 role_policies = [
 policy.DocumentedRuleDefault(
@@ -75,9 +96,7 @@ role_policies = [
 'method': 'GET'},
 {'path': '/v3/roles/{role_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_role,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_get_role),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_roles',
 check_str=base.SYSTEM_READER,
@@ -87,9 +106,7 @@ role_policies = [
 'method': 'GET'},
 {'path': '/v3/roles',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_role,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_list_role),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_role',
 check_str=base.SYSTEM_ADMIN,
@@ -97,9 +114,7 @@ role_policies = [
 description='Create role.',
 operations=[{'path': '/v3/roles',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_role,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN),
+ deprecated_rule=deprecated_create_role),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_role',
 check_str=base.SYSTEM_ADMIN,
@@ -107,9 +122,7 @@ role_policies = [ description='Update role.', operations=[{'path': '/v3/roles/{role_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_role', check_str=base.SYSTEM_ADMIN, @@ -117,9 +130,7 @@ role_policies = [ description='Delete role.', operations=[{'path': '/v3/roles/{role_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_delete_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_domain_role', check_str=base.SYSTEM_READER, @@ -134,9 +145,7 @@ role_policies = [ 'method': 'GET'}, {'path': '/v3/roles/{role_id}', 'method': 'HEAD'}], - deprecated_rule=deprecated_get_domain_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_domain_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_domain_roles', check_str=base.SYSTEM_READER, @@ -146,9 +155,7 @@ role_policies = [ 'method': 'GET'}, {'path': '/v3/roles?domain_id={domain_id}', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_domain_roles, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_domain_roles), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_domain_role', check_str=base.SYSTEM_ADMIN, 
@@ -156,9 +163,7 @@ role_policies = [ scope_types=['system'], operations=[{'path': '/v3/roles', 'method': 'POST'}], - deprecated_rule=deprecated_create_domain_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_create_domain_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_domain_role', check_str=base.SYSTEM_ADMIN, @@ -166,9 +171,7 @@ role_policies = [ scope_types=['system'], operations=[{'path': '/v3/roles/{role_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_domain_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_update_domain_role), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_domain_role', check_str=base.SYSTEM_ADMIN, @@ -176,9 +179,7 @@ role_policies = [ scope_types=['system'], operations=[{'path': '/v3/roles/{role_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_domain_role, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN) + deprecated_rule=deprecated_delete_domain_role) ] diff --git a/keystone/common/policies/role_assignment.py b/keystone/common/policies/role_assignment.py index c70f292f3..5dea3dc2f 100644 --- a/keystone/common/policies/role_assignment.py +++ b/keystone/common/policies/role_assignment.py 
@@ -25,18 +25,23 @@ SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN = ( '(role:admin and project_id:%(target.project.id)s)' ) +DEPRECATED_REASON = ( + "The assignment API is now aware of system scope and default roles." +) + deprecated_list_role_assignments = policy.DeprecatedRule( name=base.IDENTITY % 'list_role_assignments', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_list_role_assignments_for_tree = policy.DeprecatedRule( name=base.IDENTITY % 'list_role_assignments_for_tree', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) -DEPRECATED_REASON = ( - "The assignment API is now aware of system scope and default roles." -) role_assignment_policies = [ policy.DocumentedRuleDefault( @@ -48,9 +53,7 @@ role_assignment_policies = [ 'method': 'GET'}, {'path': '/v3/role_assignments', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_role_assignments, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_role_assignments), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_role_assignments_for_tree', check_str=SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN, @@ -61,9 +64,7 @@ role_assignment_policies = [ 'method': 'GET'}, {'path': '/v3/role_assignments?include_subtree', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_role_assignments_for_tree, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_role_assignments_for_tree), ] diff --git a/keystone/common/policies/service.py b/keystone/common/policies/service.py index 66d3aaa72..028707631 100644 --- a/keystone/common/policies/service.py +++ b/keystone/common/policies/service.py 
@@ -15,30 +15,41 @@ from oslo_policy import policy from keystone.common.policies import base +DEPRECATED_REASON = ( + "The service API is now aware of system scope and default roles." +) + deprecated_get_service = policy.DeprecatedRule( name=base.IDENTITY % 'get_service', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_list_service = policy.DeprecatedRule( name=base.IDENTITY % 'list_services', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_update_service = policy.DeprecatedRule( name=base.IDENTITY % 'update_service', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_create_service = policy.DeprecatedRule( name=base.IDENTITY % 'create_service', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_delete_service = policy.DeprecatedRule( name=base.IDENTITY % 'delete_service', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) -DEPRECATED_REASON = ( - "The service API is now aware of system scope and default roles." -) service_policies = [ policy.DocumentedRuleDefault( 
@@ -48,9 +59,7 @@ service_policies = [ description='Show service details.', operations=[{'path': '/v3/services/{service_id}', 'method': 'GET'}], - deprecated_rule=deprecated_get_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_get_service), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_services', check_str=base.SYSTEM_READER, @@ -58,9 +67,7 @@ service_policies = [ description='List services.', operations=[{'path': '/v3/services', 'method': 'GET'}], - deprecated_rule=deprecated_list_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_service), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_service', check_str=base.SYSTEM_ADMIN, @@ -68,9 +75,7 @@ service_policies = [ description='Create service.', operations=[{'path': '/v3/services', 'method': 'POST'}], - deprecated_rule=deprecated_create_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_service), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_service', check_str=base.SYSTEM_ADMIN, @@ -78,9 +83,7 @@ service_policies = [ description='Update service.', operations=[{'path': '/v3/services/{service_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_service), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_service', check_str=base.SYSTEM_ADMIN, @@ -88,9 +91,7 @@ service_policies = [ description='Delete service.', operations=[{'path': '/v3/services/{service_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_service, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN) + deprecated_rule=deprecated_delete_service) ] 
diff --git a/keystone/common/policies/service_provider.py b/keystone/common/policies/service_provider.py index 4d0e3cb90..657368aea 100644 --- a/keystone/common/policies/service_provider.py +++ b/keystone/common/policies/service_provider.py @@ -15,30 +15,41 @@ from oslo_policy import policy from keystone.common.policies import base +DEPRECATED_REASON = ( + "The service provider API is now aware of system scope and default roles." +) + deprecated_get_sp = policy.DeprecatedRule( name=base.IDENTITY % 'get_service_provider', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_list_sp = policy.DeprecatedRule( name=base.IDENTITY % 'list_service_providers', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_update_sp = policy.DeprecatedRule( name=base.IDENTITY % 'update_service_provider', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_create_sp = policy.DeprecatedRule( name=base.IDENTITY % 'create_service_provider', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_delete_sp = policy.DeprecatedRule( name=base.IDENTITY % 'delete_service_provider', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) -DEPRECATED_REASON = ( - "The service provider API is now aware of system scope and default roles." -) service_provider_policies = [ policy.DocumentedRuleDefault( 
@@ -55,9 +66,7 @@ service_provider_policies = [ operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' '{service_provider_id}'), 'method': 'PUT'}], - deprecated_rule=deprecated_create_sp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_sp), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_service_providers', check_str=base.SYSTEM_READER, @@ -73,9 +82,7 @@ service_provider_policies = [ 'method': 'HEAD' } ], - deprecated_rule=deprecated_list_sp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN + deprecated_rule=deprecated_list_sp ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_service_provider', @@ -94,9 +101,7 @@ service_provider_policies = [ 'method': 'HEAD' } ], - deprecated_rule=deprecated_get_sp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN + deprecated_rule=deprecated_get_sp ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_service_provider', @@ -106,9 +111,7 @@ service_provider_policies = [ operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' '{service_provider_id}'), 'method': 'PATCH'}], - deprecated_rule=deprecated_update_sp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_sp), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_service_provider', check_str=base.SYSTEM_ADMIN, @@ -117,9 +120,7 @@ service_provider_policies = [ operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' '{service_provider_id}'), 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_sp, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN) + deprecated_rule=deprecated_delete_sp) ] diff --git a/keystone/common/policies/token.py b/keystone/common/policies/token.py index 9fa3c52f1..cb321b059 100644 --- a/keystone/common/policies/token.py 
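Review bot: Two rewritten entries in the `list_service_providers` and `get_service_provider` hunks close the `DocumentedRuleDefault(` call on a separate line (`deprecated_rule=deprecated_list_sp` followed by a lone `),`), while the `create_service_provider`, `update_service_provider` and `delete_service_provider` hunks close inline (`deprecated_rule=deprecated_create_sp),`). Since these lines are being rewritten anyway, using one form throughout the list, e.g. `deprecated_rule=deprecated_list_sp),` and `deprecated_rule=deprecated_get_sp),` with the separate `),` dropped, would make the five entries read the same. This is layout only; the resulting policy objects are identical either way.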
+++ b/keystone/common/policies/token.py @@ -21,15 +21,21 @@ DEPRECATED_REASON = ( deprecated_check_token = policy.DeprecatedRule( name=base.IDENTITY % 'check_token', - check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT + check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_validate_token = policy.DeprecatedRule( name=base.IDENTITY % 'validate_token', - check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT + check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_revoke_token = policy.DeprecatedRule( name=base.IDENTITY % 'revoke_token', - check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT + check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) SYSTEM_ADMIN_OR_TOKEN_SUBJECT = ( @@ -52,9 +58,7 @@ token_policies = [ description='Check a token.', operations=[{'path': '/v3/auth/tokens', 'method': 'HEAD'}], - deprecated_rule=deprecated_check_token, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_check_token), policy.DocumentedRuleDefault( name=base.IDENTITY % 'validate_token', check_str=SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT, @@ -62,9 +66,7 @@ token_policies = [ description='Validate a token.', operations=[{'path': '/v3/auth/tokens', 'method': 'GET'}], - deprecated_rule=deprecated_validate_token, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_validate_token), policy.DocumentedRuleDefault( name=base.IDENTITY % 'revoke_token', check_str=SYSTEM_ADMIN_OR_TOKEN_SUBJECT, 
@@ -72,9 +74,7 @@ token_policies = [ description='Revoke a token.', operations=[{'path': '/v3/auth/tokens', 'method': 'DELETE'}], - deprecated_rule=deprecated_revoke_token, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN) + deprecated_rule=deprecated_revoke_token) ] diff --git a/keystone/common/policies/trust.py b/keystone/common/policies/trust.py index 82acb0a93..7678106a8 100644 --- a/keystone/common/policies/trust.py +++ b/keystone/common/policies/trust.py 
@@ -24,29 +24,39 @@ SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR +DEPRECATED_REASON = ( + "The trust API is now aware of system scope and default roles." +) + deprecated_list_trusts = policy.DeprecatedRule( name=base.IDENTITY % 'list_trusts', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_list_roles_for_trust = policy.DeprecatedRule( name=base.IDENTITY % 'list_roles_for_trust', - check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE + check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_get_role_for_trust = policy.DeprecatedRule( name=base.IDENTITY % 'get_role_for_trust', - check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE + check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_delete_trust = policy.DeprecatedRule( name=base.IDENTITY % 'delete_trust', - check_str=RULE_TRUSTOR + check_str=RULE_TRUSTOR, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) deprecated_get_trust = policy.DeprecatedRule( name=base.IDENTITY % 'get_trust', - check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE -) - -DEPRECATED_REASON = ( - "The trust API is now aware of system scope and default roles." + check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN ) trust_policies = [ 
@@ -69,9 +79,7 @@ trust_policies = [ 'method': 'GET'}, {'path': '/v3/OS-TRUST/trusts', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_trusts, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_trusts), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_trusts_for_trustor', check_str=SYSTEM_READER_OR_TRUSTOR, @@ -103,9 +111,7 @@ trust_policies = [ 'method': 'GET'}, {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_roles_for_trust, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_list_roles_for_trust), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_role_for_trust', check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE, @@ -115,9 +121,7 @@ trust_policies = [ 'method': 'GET'}, {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}', 'method': 'HEAD'}], - deprecated_rule=deprecated_get_role_for_trust, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_get_role_for_trust), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_trust', check_str=SYSTEM_ADMIN_OR_TRUSTOR, @@ -125,9 +129,7 @@ trust_policies = [ description='Revoke trust.', operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_trust, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN), + deprecated_rule=deprecated_delete_trust), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_trust', check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE, @@ -137,9 +139,7 @@ trust_policies = [ 'method': 'GET'}, {'path': '/v3/OS-TRUST/trusts/{trust_id}', 'method': 'HEAD'}], - deprecated_rule=deprecated_get_trust, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.TRAIN) + deprecated_rule=deprecated_get_trust) ] 
diff --git a/keystone/common/policies/user.py b/keystone/common/policies/user.py index 75a0062cf..0534f70f6 100644 --- a/keystone/common/policies/user.py +++ b/keystone/common/policies/user.py @@ -36,23 +36,33 @@ DEPRECATED_REASON = ( deprecated_get_user = policy.DeprecatedRule( name=base.IDENTITY % 'get_user', - check_str=base.RULE_ADMIN_OR_OWNER + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_list_users = policy.DeprecatedRule( name=base.IDENTITY % 'list_users', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_create_user = policy.DeprecatedRule( name=base.IDENTITY % 'create_user', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_update_user = policy.DeprecatedRule( name=base.IDENTITY % 'update_user', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) deprecated_delete_user = policy.DeprecatedRule( name=base.IDENTITY % 'delete_user', - check_str=base.RULE_ADMIN_REQUIRED + check_str=base.RULE_ADMIN_REQUIRED, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN ) user_policies = [ @@ -65,9 +75,7 @@ user_policies = [ 'method': 'GET'}, {'path': '/v3/users/{user_id}', 'method': 'HEAD'}], - deprecated_rule=deprecated_get_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_get_user), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_users', check_str=SYSTEM_READER_OR_DOMAIN_READER, 
@@ -77,9 +85,7 @@ user_policies = [ 'method': 'GET'}, {'path': '/v3/users', 'method': 'HEAD'}], - deprecated_rule=deprecated_list_users, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_list_users), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_projects_for_user', check_str='', @@ -111,9 +117,7 @@ user_policies = [ description='Create a user.', operations=[{'path': '/v3/users', 'method': 'POST'}], - deprecated_rule=deprecated_create_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_create_user), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_user', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, @@ -121,9 +125,7 @@ user_policies = [ description='Update a user, including administrative password resets.', operations=[{'path': '/v3/users/{user_id}', 'method': 'PATCH'}], - deprecated_rule=deprecated_update_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN), + deprecated_rule=deprecated_update_user), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_user', check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, @@ -131,9 +133,7 @@ user_policies = [ description='Delete a user.', operations=[{'path': '/v3/users/{user_id}', 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_user, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.STEIN) + deprecated_rule=deprecated_delete_user) ] diff --git a/lower-constraints.txt b/lower-constraints.txt index 431589d02..3ceae8a1d 100644 --- a/lower-constraints.txt +++ b/lower-constraints.txt @@ -32,7 +32,7 @@ oslo.i18n==3.15.3 oslo.log==3.44.0 oslo.messaging==5.29.0 oslo.middleware==3.31.0 -oslo.policy==3.6.0 +oslo.policy==3.7.0 oslo.serialization==2.18.0 oslo.upgradecheck==1.3.0 oslo.utils==3.33.0 diff --git a/requirements.txt b/requirements.txt index 3464fb3fc..f77c24665 100644 --- a/requirements.txt 
+++ b/requirements.txt @@ -23,7 +23,7 @@ oslo.db>=6.0.0 # Apache-2.0 oslo.i18n>=3.15.3 # Apache-2.0 oslo.log>=3.44.0 # Apache-2.0 oslo.middleware>=3.31.0 # Apache-2.0 -oslo.policy>=3.6.0 # Apache-2.0 +oslo.policy>=3.7.0 # Apache-2.0 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 oslo.upgradecheck>=1.3.0 # Apache-2.0 oslo.utils>=3.33.0 # Apache-2.0 |