-rw-r--r--doc/source/getting-started/policy_mapping.rst12
-rw-r--r--etc/policy.v3cloudsample.json12
-rw-r--r--keystone/common/policies/__init__.py4
-rw-r--r--keystone/common/policies/limit.py67
-rw-r--r--keystone/common/policies/registered_limit.py67
5 files changed, 162 insertions, 0 deletions
diff --git a/doc/source/getting-started/policy_mapping.rst b/doc/source/getting-started/policy_mapping.rst
index 582a8a4b6..511c0a84b 100644
--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@@ -25,6 +25,18 @@ identity:create_endpoint POST /v3/endpoints
identity:update_endpoint PATCH /v3/endpoints/{endpoint_id}
identity:delete_endpoint DELETE /v3/endpoints/{endpoint_id}
+identity:get_registered_limit GET /v3/registered_limits/{registered_limit_id}
+identity:list_registered_limits GET /v3/registered_limits
+identity:create_registered_limits POST /v3/registered_limits
+identity:update_registered_limits PUT /v3/registered_limits
+identity:delete_registered_limit DELETE /v3/registered_limits/{registered_limit_id}
+
+identity:get_limit GET /v3/limits/{limit_id}
+identity:list_limits GET /v3/limits
+identity:create_limits POST /v3/limits
+identity:update_limits PUT /v3/limits
+identity:delete_limit DELETE /v3/limits/{limit_id}
+
identity:get_domain GET /v3/domains/{domain_id}
identity:list_domains GET /v3/domains
identity:create_domain POST /v3/domains
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index f2a84cab8..d26fc5a9c 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -28,6 +28,18 @@
"identity:update_endpoint": "rule:cloud_admin",
"identity:delete_endpoint": "rule:cloud_admin",
+ "identity:get_registered_limit": "",
+ "identity:list_registered_limits": "",
+ "identity:create_registered_limits": "rule:admin_required",
+ "identity:update_registered_limits": "rule:admin_required",
+ "identity:delete_registered_limit": "rule:admin_required",
+
+ "identity:get_limit": "",
+ "identity:list_limits": "",
+ "identity:create_limits": "rule:admin_required",
+ "identity:update_limits": "rule:admin_required",
+ "identity:delete_limit": "rule:admin_required",
+
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
"identity:list_domains": "rule:cloud_admin",
"identity:create_domain": "rule:cloud_admin",
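Review bot: The six new mutating entries (`identity:create_registered_limits` through `identity:delete_limit`) use `rule:admin_required`, whereas the neighbouring rules in this sample file (`identity:update_endpoint`, `identity:delete_endpoint`, `identity:create_domain`) use `rule:cloud_admin`. If `admin_required` in this file is the plain role-admin check its name suggests, a domain admin would be able to create, update and delete registered limits and limits, which limit.py in the same commit classifies as system-level operations (`scope_types=['system']`); the rule definitions are outside this hunk, so this needs confirming before merge. If cloud-admin-only is the intent, change those six values to `"rule:cloud_admin"` to match the rest of the sample.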
diff --git a/keystone/common/policies/__init__.py b/keystone/common/policies/__init__.py
index 454467b2d..4a93a7d14 100644
--- a/keystone/common/policies/__init__.py
+++ b/keystone/common/policies/__init__.py
@@ -26,6 +26,7 @@ from keystone.common.policies import grant
from keystone.common.policies import group
from keystone.common.policies import identity_provider
from keystone.common.policies import implied_role
+from keystone.common.policies import limit
from keystone.common.policies import mapping
from keystone.common.policies import policy
from keystone.common.policies import policy_association
@@ -33,6 +34,7 @@ from keystone.common.policies import project
from keystone.common.policies import project_endpoint
from keystone.common.policies import protocol
from keystone.common.policies import region
+from keystone.common.policies import registered_limit
from keystone.common.policies import revoke_event
from keystone.common.policies import role
from keystone.common.policies import role_assignment
@@ -60,6 +62,7 @@ def list_rules():
group.list_rules(),
identity_provider.list_rules(),
implied_role.list_rules(),
+ limit.list_rules(),
mapping.list_rules(),
policy.list_rules(),
policy_association.list_rules(),
@@ -67,6 +70,7 @@ def list_rules():
project_endpoint.list_rules(),
protocol.list_rules(),
region.list_rules(),
+ registered_limit.list_rules(),
revoke_event.list_rules(),
role.list_rules(),
role_assignment.list_rules(),
diff --git a/keystone/common/policies/limit.py b/keystone/common/policies/limit.py
new file mode 100644
index 000000000..1aea9aa38
--- /dev/null
+++ b/keystone/common/policies/limit.py
@@ -0,0 +1,67 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+limit_policies = [
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'get_limit',
+ check_str='',
+ # Getting a single limit or listing all limits should be information
+ # accessible to everyone. By setting scope_types=['system', 'project']
+ # we're making it so that anyone with a role on the system or a project
+ # can obtain this information. Making changes to a limit should be
+ # considered a protected system-level API, as noted below with
+ # scope_types=['system'].
+ scope_types=['system', 'project'],
+ description='Show limit details.',
+ operations=[{'path': '/v3/limits/{limit_id}',
+ 'method': 'GET'},
+ {'path': '/v3/limits/{limit_id}',
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'list_limits',
+ check_str='',
+ scope_types=['system', 'project'],
+ description='List limits.',
+ operations=[{'path': '/v3/limits',
+ 'method': 'GET'},
+ {'path': '/v3/limits',
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'create_limits',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
+ description='Create limits.',
+ operations=[{'path': '/v3/limits',
+ 'method': 'POST'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'update_limits',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
+ description='Update limits.',
+ operations=[{'path': '/v3/limits/{limit_id}',
+ 'method': 'PUT'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'delete_limit',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
+ description='Delete limit.',
+ operations=[{'path': '/v3/limits/{limit_id}',
+ 'method': 'DELETE'}])
+]
+
+
+def list_rules():
+ return limit_policies
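Review bot: The operation recorded for `update_limits` is `{'path': '/v3/limits/{limit_id}', 'method': 'PUT'}`, but policy_mapping.rst in this same commit lists `identity:update_limits` as `PUT /v3/limits`; one of the two is wrong, and since DocumentedRuleDefault operations feed the generated policy documentation, operators will be told the wrong request is protected. The same disagreement exists between registered_limit.py (`update_registered_limits` on `/v3/registered_limits/{registered_limit_id}`) and the rst entry `PUT /v3/registered_limits`; confirm against the router and align both files. The comment on `get_limit` says the information is "accessible to everyone", which understates what `check_str=''` does; I'd spell it out with `# check_str='' passes for any authenticated caller regardless of role; scope_types only narrows the accepted token scopes, and only when oslo.policy's enforce_scope is on.`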
diff --git a/keystone/common/policies/registered_limit.py b/keystone/common/policies/registered_limit.py
new file mode 100644
index 000000000..71e071720
--- /dev/null
+++ b/keystone/common/policies/registered_limit.py
@@ -0,0 +1,67 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+registered_limit_policies = [
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'get_registered_limit',
+ check_str='',
+ # Getting a single registered limit or listing all registered limits
+ # should be information accessible to everyone. By setting
+ # scope_types=['system', 'project'] we're making it so that anyone with
+ # a role on the system or a project can obtain this information.
+ # Making changes to a registered limit should be considered a protected
+ # system-level API, as noted below with scope_types=['system'].
+ scope_types=['system', 'project'],
+ description='Show registered limit details.',
+ operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
+ 'method': 'GET'},
+ {'path': '/v3/registered_limits/{registered_limit_id}',
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'list_registered_limits',
+ check_str='',
+ scope_types=['system', 'project'],
+ description='List registered limits.',
+ operations=[{'path': '/v3/registered_limits',
+ 'method': 'GET'},
+ {'path': '/v3/registered_limits',
+ 'method': 'HEAD'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'create_registered_limits',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
+ description='Create registered limits.',
+ operations=[{'path': '/v3/registered_limits',
+ 'method': 'POST'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'update_registered_limits',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
+ description='Update registered limits.',
+ operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
+ 'method': 'PUT'}]),
+ policy.DocumentedRuleDefault(
+ name=base.IDENTITY % 'delete_registered_limit',
+ check_str=base.RULE_ADMIN_REQUIRED,
+ scope_types=['system'],
+ description='Delete registered limit.',
+ operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
+ 'method': 'DELETE'}])
+]
+
+
+def list_rules():
+ return registered_limit_policies