author | Lance Bragstad <lbragstad@gmail.com> | 2017-10-06 19:30:14 +0000 |
---|---|---|
committer | Lance Bragstad <lbragstad@gmail.com> | 2017-12-04 18:51:25 +0000 |
commit | 52c82ff9ab04dd78ff7045cb30d2f5de535dd7da (patch) | |
tree | 8e6002e6b0b1da89679bee7189547018c53ccca5 /doc | |
parent | a9931f3708e86983ae906d0060b111bc41d95e58 (diff) | |
download | oslo-policy-52c82ff9ab04dd78ff7045cb30d2f5de535dd7da.tar.gz |
Add scope_types to RuleDefault objects
This change will help oslo.policy consume different levels of scope
and enforce proper admin-ness across OpenStack. The idea is that once
keystone has the ability to issue system-scoped tokens, we can start
enforcing partial scope checks in `Enforcer.enforce()`.
bp add-scope-to-policy
Change-Id: I7fa171d859d82939511f8279e4e9464f792ed2cd
Diffstat (limited to 'doc')
-rw-r--r-- | doc/source/user/usage.rst | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/source/user/usage.rst b/doc/source/user/usage.rst index 93d8ad1..f288128 100644 --- a/doc/source/user/usage.rst +++ b/doc/source/user/usage.rst @@ -109,6 +109,16 @@ interact with the resource the policy protects. The `method` should be the HTTP verb corresponding to the `path`. The list of `operations` can be supplied with multiple dictionaries if the policy is used to protect multiple paths. +Setting scope +------------- + +The `RuleDefault` and `DocumentedRuleDefault` objects have an attribute +dedicated to the intended scope of the operation called `scope_types`. This +attribute can only be set at rule definition and never overridden via a policy +file. This variable is designed to save the scope at which a policy should +operate. During enforcement, the information in `scope_types` is compared to +the scope of the token used in the request. + Sample file generation ---------------------- |
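Review bot: The last sentence of the new "Setting scope" section says `scope_types` "is compared to the scope of the token used in the request", but the section never says what happens on a mismatch. The commit message also describes scope checks in `Enforcer.enforce()` as something that can start once keystone is able to issue system-scoped tokens. Please state whether the comparison is enforced as of this change and what a mismatch results in, so that operators do not assume a protection that is not yet active. The section should also say which values `scope_types` accepts and what an unset value means, ideally with a short `RuleDefault` definition as an example. Minor wording point: "This variable is designed to save the scope" calls the attribute a variable; "This attribute records the scope" would match the sentences before it.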