author | Lance Bragstad <lbragstad@gmail.com> | 2019-09-16 22:11:06 +0000 |
---|---|---|
committer | Lance Bragstad <lbragstad@gmail.com> | 2019-09-19 02:48:39 +0000 |
commit | 8e67249d5bfb07b0a236189f62b3f338532f0df0 (patch) | |
tree | f111eab60ff7008231c94c8420b7aff2957c06f2 /keystone/api | |
parent | d8b49d802fa2dcfda97067b54b94a57ab2a35ee6 (diff) | |
Add default roles and scope checking to project tags
This commit makes it so that project tags adhere to system-scope and
also incorporates default roles into the policy checks by default.
Change-Id: Ie36df5677a08d7d95f056f3ea00eda05e1315ea5
Closes-Bug: 1844194
Closes-Bug: 1844193
Related-Bug: 1806762
Diffstat (limited to 'keystone/api')
-rw-r--r-- | keystone/api/projects.py | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/keystone/api/projects.py b/keystone/api/projects.py
index 4eb76b48f..108971c21 100644
--- a/keystone/api/projects.py
+++ b/keystone/api/projects.py
@@ -236,7 +236,10 @@ class ProjectTagsResource(_ProjectTagResourceBase):
 GET /v3/projects/{project_id}/tags
 """
- ENFORCER.enforce_call(action='identity:list_project_tags')
+ ENFORCER.enforce_call(
+ action='identity:list_project_tags',
+ build_target=_build_project_target_enforcement
+ )
 ref = PROVIDERS.resource_api.list_project_tags(project_id)
 return self.wrap_member(ref)
@@ -245,7 +248,10 @@ class ProjectTagsResource(_ProjectTagResourceBase):
 PUT /v3/projects/{project_id}/tags
 """
- ENFORCER.enforce_call(action='identity:update_project_tags')
+ ENFORCER.enforce_call(
+ action='identity:update_project_tags',
+ build_target=_build_project_target_enforcement
+ )
 tags = self.request_body_json.get('tags', {})
 validation.lazy_validate(schema.project_tags_update, tags)
 ref = PROVIDERS.resource_api.update_project_tags(
@@ -257,7 +263,10 @@ class ProjectTagsResource(_ProjectTagResourceBase):
 DELETE /v3/projects/{project_id}/tags
 """
- ENFORCER.enforce_call(action='identity:delete_project_tags')
+ ENFORCER.enforce_call(
+ action='identity:delete_project_tags',
+ build_target=_build_project_target_enforcement
+ )
 PROVIDERS.resource_api.update_project_tags(project_id, [])
 return None, http_client.NO_CONTENT
@@ -268,7 +277,10 @@ class ProjectTagResource(_ProjectTagResourceBase):
 GET /v3/projects/{project_id}/tags/{value}
 """
- ENFORCER.enforce_call(action='identity:get_project_tag')
+ ENFORCER.enforce_call(
+ action='identity:get_project_tag',
+ build_target=_build_project_target_enforcement,
+ )
 PROVIDERS.resource_api.get_project_tag(project_id, value)
 return None, http_client.NO_CONTENT
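Review bot: Nothing at the `list_project_tags` call site says what `_build_project_target_enforcement` puts in the policy target or what it returns when `project_id` does not resolve, and the helper is defined outside the visible hunks; the same applies to the update and delete tags hunks and to all three `ProjectTagResource` hunks. If the helper returns an empty target for a missing project (inferred, not shown here), domain- and project-scoped callers would be rejected by policy while system-scoped callers reach the resource API's not-found path, so that difference should be deliberate and covered by tests for each scope. I would add a short comment at the first call, e.g. `# target.project lets policy compare the token's domain/project with the project named in the URL`, and confirm the helper reads the same `project_id` that is later passed to `PROVIDERS.resource_api`. The enclosing methods start and end outside these hunks.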
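Review bot: The `get_project_tag` call ends its last argument with a trailing comma, `build_target=_build_project_target_enforcement,`, while the other five calls added by this commit omit it. Use one form for all six; with the closing parenthesis on its own line the trailing comma is the usual choice and keeps later argument additions to a one-line diff.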
@@ -277,7 +289,10 @@ class ProjectTagResource(_ProjectTagResourceBase):
 PUT /v3/projects/{project_id}/tags/{value}
 """
- ENFORCER.enforce_call(action='identity:create_project_tag')
+ ENFORCER.enforce_call(
+ action='identity:create_project_tag',
+ build_target=_build_project_target_enforcement
+ )
 validation.lazy_validate(schema.project_tag_create, value)
 # Check if we will exceed the max number of tags on this project
 tags = PROVIDERS.resource_api.list_project_tags(project_id)
@@ -298,7 +313,10 @@ class ProjectTagResource(_ProjectTagResourceBase):
 /v3/projects/{project_id}/tags/{value}
 """
- ENFORCER.enforce_call(action='identity:delete_project_tag')
+ ENFORCER.enforce_call(
+ action='identity:delete_project_tag',
+ build_target=_build_project_target_enforcement
+ )
 PROVIDERS.resource_api.delete_project_tag(project_id, value)
 return None, http_client.NO_CONTENT |