authorGage Hugo <gagehugo@gmail.com>2017-07-24 16:21:55 -0500
committerGage Hugo <gagehugo@gmail.com>2017-10-17 10:15:19 -0500
commitbd452fb9d9f6b4b1aba3ba9690b0e729264bba29 (patch)
treeb18e308a2f5cc19df40a0643f1de4726a7058d54
parent53290711743e8c35297543afa38a51ccaa2843e8 (diff)
Add policy for project tags
This change adds policy rules for project tags. The default rules for both project updating and project tags will share the same admin_required rule since tags are an attribute of a project. Depends-On: Ibcf158f1b8082fbffeb48fa48c6592c87e056d01 Change-Id: Ieb68bd2c9c216b25ad74d320a1c9a297d2b251e7 Partially-Implements: bp project-tags
-rw-r--r--doc/source/getting-started/policy_mapping.rst9
-rw-r--r--etc/policy.v3cloudsample.json6
-rw-r--r--keystone/common/policies/project.py40
3 files changed, 55 insertions, 0 deletions
diff --git a/doc/source/getting-started/policy_mapping.rst b/doc/source/getting-started/policy_mapping.rst
index e766f63a4..da1d2095a 100644
--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@@ -38,6 +38,15 @@ identity:create_project POST /v3/projects
identity:update_project PATCH /v3/projects/{project_id}
identity:delete_project DELETE /v3/projects/{project_id}
+identity:get_project_tag GET /v3/projects/{project_id}/tags/{tag_name}
+ HEAD /v3/projects/{project_id}/tags/{tag_name}
+identity:list_project_tags GET /v3/projects/{project_id}/tags
+ HEAD /v3/projects/{project_id}/tags
+identity:create_project_tag PUT /v3/projects/{project_id}/tags/{tag_name}
+identity:update_project_tags PUT /v3/projects/{project_id}/tags
+identity:delete_project_tag DELETE /v3/projects/{project_id}/tags/{tag_name}
+identity:delete_project_tags DELETE /v3/projects/{project_id}/tags
+
identity:get_user GET /v3/users/{user_id}
identity:list_users GET /v3/users
identity:create_user POST /v3/users
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 5dbcb7dbb..1d9dda829 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -42,6 +42,12 @@
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
"identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
+ "identity:create_project_tag": "rule:admin_required",
+ "identity:delete_project_tag": "rule:admin_required",
+ "identity:get_project_tag": "rule:admin_required",
+ "identity:list_project_tags": "rule:admin_required",
+ "identity:delete_project_tags": "rule:admin_required",
+ "identity:update_project_tags": "rule:admin_required",
"admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
"admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
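Review bot: The six new tag entries in this cloud-sample hunk all grant on `rule:admin_required`, while `identity:update_project` on the line directly above them grants on `rule:cloud_admin or rule:admin_and_matching_target_project_domain_id`; since the commit describes tags as an attribute of the project, a domain-scoped admin could change tags on a project in another domain where the same sample would refuse the project update itself (assuming `admin_required` is still the plain role check it is elsewhere in this sample — its definition is not in the hunk). For the mutating entries I would mirror the project rule, e.g. `"identity:update_project_tags": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",` and likewise for `create_project_tag`, `delete_project_tag` and `delete_project_tags`. The in-code defaults added to keystone/common/policies/project.py in this same commit also differ from this sample for the read operations (list/get use admin-or-target-project there), so the two files disagree on who may read tags; worth reconciling or noting in the commit message.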
diff --git a/keystone/common/policies/project.py b/keystone/common/policies/project.py
index 433c31d38..9b82bfd45 100644
--- a/keystone/common/policies/project.py
+++ b/keystone/common/policies/project.py
@@ -50,6 +50,46 @@ project_policies = [
check_str=base.RULE_ADMIN_REQUIRED,
description='Delete project.',
operations=[{'path': '/v3/projects/{project_id}',
+ 'method': 'DELETE'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'list_project_tags',
+ check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
+ description='List tags for a project.',
+ operations=[{'path': '/v3/projects/{project_id}/tags',
+ 'method': 'GET'},
+ {'path': '/v3/projects/{project_id}/tags',
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'get_project_tag',
+ check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
+ description='Check if project contains a tag.',
+ operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
+ 'method': 'GET'},
+ {'path': '/v3/projects/{project_id}/tags/{value}',
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'update_project_tags',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Replace all tags on a project with the new set of tags.',
+ operations=[{'path': '/v3/projects/{project_id}/tags',
+ 'method': 'PUT'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'create_project_tag',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Add a single tag to a project.',
+ operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
+ 'method': 'PUT'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'delete_project_tags',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Remove all tags from a project.',
+ operations=[{'path': '/v3/projects/{project_id}/tags',
+ 'method': 'DELETE'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'delete_project_tag',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ description='Delete a specified tag from project.',
+ operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
'method': 'DELETE'}])
]
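Review bot: The three single-tag operations in this hunk (`get_project_tag`, `create_project_tag`, `delete_project_tag`) use `{value}` as the path placeholder, whereas the policy_mapping.rst hunk in the same commit documents those routes as `/v3/projects/{project_id}/tags/{tag_name}`; the `operations` metadata is what the generated policy documentation exposes, so the two should agree, e.g. `operations=[{'path': '/v3/projects/{project_id}/tags/{tag_name}',` (or change the .rst to `{value}`). The split between `RULE_ADMIN_OR_TARGET_PROJECT` for list/get and `RULE_ADMIN_REQUIRED` for the mutating rules is deliberate but undocumented here; a short comment above the `list_project_tags` entry such as `# Reading tags is open to anyone scoped to the target project; changing them requires admin.` would make the intent reviewable. The `project_policies` list this hunk extends begins above the hunk.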