def test_deprecate_a_policy_check_string(self):
deprecated_rule = policy.DeprecatedRule(name='foo:create_bar',
check_str='role:fizz')
rule_list = [
policy.DocumentedRuleDefault(
name='foo:create_bar',
check_str='role:bang',
description='Create a bar.',
operations=[{
'path': '/v1/bars',
'method': 'POST'
}],
deprecated_rule=deprecated_rule,
deprecated_reason='"role:bang" is a better default',
deprecated_since='N')
]
enforcer = policy.Enforcer(self.conf)
enforcer.register_defaults(rule_list)
expected_msg = (
'Policy "foo:create_bar":"role:fizz" was deprecated in N in favor '
'of "foo:create_bar":"role:bang". Reason: "role:bang" is a better '
'default. Either ensure your deployment is ready for the new '
'default or copy/paste the deprecated policy into your policy '
'file and maintain it manually.')
with mock.patch('warnings.warn') as mock_warn:
enforcer.load_rules()
mock_warn.assert_called_once_with(expected_msg)
def setUp(self):
super(UpgradePolicyTestCase, self).setUp()
policy_json_contents = jsonutils.dumps(
{"deprecated_name": "rule:admin"})
self.create_config_file('policy.json', policy_json_contents)
deprecated_policy = policy.DeprecatedRule(
name='deprecated_name',
check_str='rule:admin',
deprecated_reason='test',
deprecated_since='Stein',
)
self.new_policy = policy.DocumentedRuleDefault(
name='new_policy_name',
check_str='rule:admin',
description='test_policy',
operations=[{
'path': '/test',
'method': 'GET'
}],
deprecated_rule=deprecated_policy,
)
self.extensions = []
ext = stevedore.extension.Extension(name='test_upgrade',
entry_point=None,
plugin=None,
obj=[self.new_policy])
self.extensions.append(ext)
# Just used for cli opt parsing
self.local_conf = cfg.ConfigOpts()
def test_deprecated_policy_must_include_deprecated_since(self):
deprecated_rule = policy.DeprecatedRule(name='foo:bar',
check_str='rule:baz')
self.assertRaises(ValueError,
policy.DocumentedRuleDefault,
name='foo:bar',
check_str='rule:baz',
description='Create a foo.',
operations=[{
'path': '/v1/foos/',
'method': 'POST'
}],
deprecated_rule=deprecated_rule,
deprecated_reason='Some reason.')
def test_deprecated_policies_are_aliased_to_new_names(self):
deprecated_rule = policy.DeprecatedRule(
name='foo:post_bar',
check_str='role:fizz',
deprecated_reason=(
'foo:post_bar is being removed in favor of foo:create_bar'),
deprecated_since='N',
)
new_rule = policy.RuleDefault(
name='foo:create_bar',
check_str='role:fizz',
description='Create a bar.',
deprecated_rule=deprecated_rule,
)
opts = {'rules': [new_rule]}
extensions = []
for name, opts in opts.items():
ext = stevedore.extension.Extension(name=name,
entry_point=None,
plugin=None,
obj=opts)
extensions.append(ext)
test_mgr = stevedore.named.NamedExtensionManager.make_test_instance(
extensions=extensions, namespace=['rules'])
expected = '''# Create a bar.
#"foo:create_bar": "role:fizz"
# DEPRECATED
# "foo:post_bar":"role:fizz" has been deprecated since N in favor of
# "foo:create_bar":"role:fizz".
# foo:post_bar is being removed in favor of foo:create_bar
"foo:post_bar": "rule:foo:create_bar"
'''
stdout = self._capture_stdout()
with mock.patch('stevedore.named.NamedExtensionManager',
return_value=test_mgr) as mock_ext_mgr:
generator._generate_sample(['rules'], output_file=None)
mock_ext_mgr.assert_called_once_with(
'oslo.policy.policies',
names=['rules'],
on_load_failure_callback=generator.on_load_failure_callback,
invoke_on_load=True)
self.assertEqual(expected, stdout.getvalue())
def setUp(self):
super(ConvertJsonToYamlTestCase, self).setUp()
policy_json_contents = jsonutils.dumps({
"rule1_name":
"rule:admin",
"rule2_name":
"rule:overridden",
"deprecated_rule1_name":
"rule:admin"
})
self.create_config_file('policy.json', policy_json_contents)
self.output_file_path = self.get_config_file_fullname(
'converted_policy.yaml')
deprecated_policy = policy.DeprecatedRule(
name='deprecated_rule1_name',
check_str='rule:admin',
deprecated_reason='testing',
deprecated_since='ussuri',
)
self.registered_policy = [
policy.DocumentedRuleDefault(
name='rule1_name',
check_str='rule:admin',
description='test_rule1',
operations=[{
'path': '/test',
'method': 'GET'
}],
deprecated_rule=deprecated_policy,
scope_types=['system'],
),
policy.RuleDefault(
name='rule2_name',
check_str='rule:admin',
)
]
self.extensions = []
ext = stevedore.extension.Extension(name='test',
entry_point=None,
plugin=None,
obj=self.registered_policy)
self.extensions.append(ext)
# Just used for cli opt parsing
self.local_conf = cfg.ConfigOpts()
self.expected = '''# test_rule1
def _convert_to_ruledefault(p):
deprecated = p.get('deprecated_rule')
if deprecated:
deprecated_rule = policy.DeprecatedRule(deprecated['name'],
deprecated['check_str'])
else:
deprecated_rule = None
return policy.RuleDefault(
p['name'],
p['check_str'],
description=p['description'],
scope_types=p['scope_types'],
deprecated_rule=deprecated_rule,
deprecated_for_removal=p.get('deprecated_for_removal', False),
deprecated_reason=p.get('deprecated_reason'),
deprecated_since=p.get('deprecated_since'),
)
def test_deprecate_a_policy_name(self):
deprecated_rule = policy.DeprecatedRule(name='foo:bar',
check_str='role:baz')
rule_list = [
policy.DocumentedRuleDefault(
name='foo:create_bar',
check_str='role:baz',
description='Create a bar.',
operations=[{
'path': '/v1/bars/',
'method': 'POST'
}],
deprecated_rule=deprecated_rule,
deprecated_reason=
('"foo:bar" is not granular enough. If your deployment has '
'overridden "foo:bar", ensure you override the new policies '
'with same role or rule. Not doing this will require the '
'service to assume the new defaults for "foo:bar:create", '
'"foo:bar:update", "foo:bar:list", and "foo:bar:delete", '
'which might be backwards incompatible for your deployment'),
deprecated_since='N')
]
expected_msg = (
'Policy "foo:bar":"role:baz" was deprecated in N in favor of '
'"foo:create_bar":"role:baz". Reason: "foo:bar" is not granular '
'enough. If your deployment has overridden "foo:bar", ensure you '
'override the new policies with same role or rule. Not doing this '
'will require the service to assume the new defaults for '
'"foo:bar:create", "foo:bar:update", "foo:bar:list", and '
'"foo:bar:delete", which might be backwards incompatible for your '
'deployment. Either ensure your deployment is ready for the new '
'default or copy/paste the deprecated policy into your policy '
'file and maintain it manually.')
rules = jsonutils.dumps({'foo:bar': 'role:bang'})
self.create_config_file('policy.json', rules)
enforcer = policy.Enforcer(self.conf)
enforcer.register_defaults(rule_list)
with mock.patch('warnings.warn') as mock_warn:
enforcer.load_rules(True)
mock_warn.assert_called_once_with(expected_msg)
# strings to offer formal support for project membership and a read-only
# variant consistent with other OpenStack services.
ADMIN_OR_PROJECT_MEMBER = f'role:admin or ({PROJECT_MEMBER})'
ADMIN_OR_PROJECT_READER = f'role:admin or ({PROJECT_READER})'
ADMIN_OR_PROJECT_READER_GET_IMAGE = (
f'role:admin or ({PROJECT_READER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC})')
ADMIN_OR_PROJECT_MEMBER_DOWNLOAD_IMAGE = (
f'role:admin or ({PROJECT_MEMBER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC})')
rules = [
policy.RuleDefault(name='default',
check_str='',
description='Defines the default rule used for '
'policies that historically had an empty '
'policy in the supplied policy.json file.',
deprecated_rule=policy.DeprecatedRule(
name='default', check_str='role:admin'),
deprecated_reason='In order to allow operators to '
'accept the default policies from code by not defining '
'them in the policy file, while still working with old '
'policy files that rely on the ``default`` rule for '
'policies that are not specified in the policy file, '
'the ``default`` rule must now be explicitly set to '
'``"role:admin"`` when that is the desired default for '
'unspecified rules.',
deprecated_since='Ussuri'),
policy.RuleDefault(name='context_is_admin',
check_str='role:admin',
description='Defines the rule for the is_admin:True '
'check.'),
]
metadef_policies = [
policy.RuleDefault(name="metadef_default", check_str=""),
policy.RuleDefault(name="metadef_admin", check_str="role:admin"),
policy.DocumentedRuleDefault(
name="get_metadef_namespace",
check_str=base.ADMIN_OR_PROJECT_READER_GET_NAMESPACE,
scope_types=['system', 'project'],
description="Get a specific namespace.",
operations=[{
'path': '/v2/metadefs/namespaces/{namespace_name}',
'method': 'GET'
}],
deprecated_rule=policy.DeprecatedRule(
name="get_metadef_namespace",
check_str="rule:metadef_default",
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.XENA),
),
policy.DocumentedRuleDefault(
name="get_metadef_namespaces",
check_str=base.ADMIN_OR_PROJECT_READER,
scope_types=['system', 'project'],
description="List namespace.",
operations=[{
'path': '/v2/metadefs/namespaces',
'method': 'GET'
}],
deprecated_rule=policy.DeprecatedRule(
name="get_metadef_namespaces",
check_str="rule:metadef_default",
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from manila.policies import base
BASE_POLICY_NAME = 'share_types_extra_spec:%s'
DEPRECATED_REASON = """
The share types extra specs API now supports system scope and default roles.
"""
deprecated_extra_spec_create = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'create',
check_str=base.RULE_ADMIN_API,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
deprecated_extra_spec_show = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'show',
check_str=base.RULE_ADMIN_API,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
deprecated_extra_spec_index = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'index',
check_str=base.RULE_ADMIN_API,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
deprecated_extra_spec_update = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'update',
check_str=base.RULE_ADMIN_API,
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from keystone.common.policies import base
DEPRECATED_REASON = (
"The EC2 credential API is now aware of system scope and default roles.")
deprecated_ec2_get_credential = policy.DeprecatedRule(
name=base.IDENTITY % 'ec2_get_credential',
check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN)
deprecated_ec2_list_credentials = policy.DeprecatedRule(
name=base.IDENTITY % 'ec2_list_credentials',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN)
deprecated_ec2_create_credential = policy.DeprecatedRule(
name=base.IDENTITY % 'ec2_create_credential',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN)
deprecated_ec2_delete_credential = policy.DeprecatedRule(
name=base.IDENTITY % 'ec2_delete_credential',
check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
check_str='field:subnetpools:shared=True',
description='Definition of a shared subnetpool'),
policy.DocumentedRuleDefault(
name='create_subnetpool',
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['project', 'system'],
description='Create a subnetpool',
operations=[
{
'method': 'POST',
'path': COLLECTION_PATH,
},
],
deprecated_rule=policy.DeprecatedRule(
name='create_subnetpool',
check_str=base.RULE_ANY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)),
policy.DocumentedRuleDefault(
name='create_subnetpool:shared',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Create a shared subnetpool',
operations=[
{
'method': 'POST',
'path': COLLECTION_PATH,
},
],
deprecated_rule=policy.DeprecatedRule(
name='create_subnetpool:shared',
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from manila.policies import base
BASE_POLICY_NAME = 'share_network:%s'
DEPRECATED_REASON = """
The share network API now support system scope and default roles.
"""
deprecated_share_network_create = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'create', check_str=base.RULE_DEFAULT)
deprecated_share_network_show = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'show', check_str=base.RULE_DEFAULT)
deprecated_share_network_index = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'index', check_str=base.RULE_DEFAULT)
deprecated_share_network_detail = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'detail', check_str=base.RULE_DEFAULT)
deprecated_share_network_update = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'update', check_str=base.RULE_DEFAULT)
deprecated_share_network_delete = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'delete', check_str=base.RULE_DEFAULT)
deprecated_share_network_add_security_service = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'add_security_service',
check_str=base.RULE_DEFAULT)
deprecated_share_network_remove_security_service = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'remove_security_service',
rules = [
policy.DocumentedRuleDefault(
name='create_flavor',
check_str=base.SYSTEM_ADMIN,
description='Create a flavor',
operations=[
{
'method': 'POST',
'path': FLAVOR_COLLECTION_PATH,
},
],
scope_types=['system'],
deprecated_rule=policy.DeprecatedRule(
name='create_flavor',
check_str=base.RULE_ADMIN_ONLY),
deprecated_reason=DEPRECATION_REASON,
deprecated_since='Wallaby'
),
policy.DocumentedRuleDefault(
name='get_flavor',
check_str=base.SYSTEM_OR_PROJECT_READER,
description='Get a flavor',
operations=[
{
'method': 'GET',
'path': FLAVOR_COLLECTION_PATH,
},
{
'method': 'GET',
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
ROOT_POLICY = 'os_compute_api:os-floating-ips'
BASE_POLICY_NAME = 'os_compute_api:os-floating-ips:%s'
DEPRECATED_FIP_POLICY = policy.DeprecatedRule(
ROOT_POLICY,
base.RULE_ADMIN_OR_OWNER,
)
DEPRECATED_REASON = """
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
"""
floating_ips_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'add',
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
description="Associate floating IPs to server. "
" This API is deprecated.",
operations=[{
rules = [
policy.DocumentedRuleDefault(
name='get_auto_allocated_topology',
check_str=base.PROJECT_READER,
description="Get a project's auto-allocated topology",
operations=[
{
'method': 'GET',
'path': RESOURCE_PATH,
},
],
scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='get_auto_allocated_topology',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATION_REASON,
deprecated_since=versionutils.deprecated.WALLABY)),
policy.DocumentedRuleDefault(
name='delete_auto_allocated_topology',
check_str=base.PROJECT_MEMBER,
description="Delete a project's auto-allocated topology",
operations=[
{
'method': 'DELETE',
'path': RESOURCE_PATH,
},
],
scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='delete_auto_allocated_topology',
'domain_id:%(target.user.domain_id)s)')
SYSTEM_READER_OR_DOMAIN_READER = (
'(role:reader and system_scope:all) or '
'(role:reader and domain_id:%(target.group.domain_id)s)')
SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
'(role:admin and system_scope:all) or '
'(role:admin and domain_id:%(target.group.domain_id)s)')
DEPRECATED_REASON = (
"The group API is now aware of system scope and default roles.")
deprecated_get_group = policy.DeprecatedRule(
name=base.IDENTITY % 'get_group',
check_str=base.RULE_ADMIN_REQUIRED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN)
deprecated_list_groups = policy.DeprecatedRule(
name=base.IDENTITY % 'list_groups',
check_str=base.RULE_ADMIN_REQUIRED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN)
deprecated_list_groups_for_user = policy.DeprecatedRule(
name=base.IDENTITY % 'list_groups_for_user',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN)
deprecated_list_users_in_group = policy.DeprecatedRule(
name=base.IDENTITY % 'list_users_in_group',
check_str=base.RULE_ADMIN_REQUIRED,
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-services:%s'
DEPRECATED_SERVICE_POLICY = policy.DeprecatedRule(
'os_compute_api:os-services',
base.RULE_ADMIN_API,
)
DEPRECATED_REASON = """
Since Ussuri release, nova API policies are introducing new default roles
with scope_type capabilities. These new changes improve the security level
and manageability. New policies are more rich in term of handling access
at system and project level token with read, write roles.
Start using the new policies and enable the scope checks via config option
``nova.conf [oslo_policy] enforce_scope=True`` which is False by default.
Old policies are marked as deprecated and silently going to be ignored
in nova 23.0.0 (OpenStack W) release
"""
services_policies = [
policy.DocumentedRuleDefault(
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-deferred-delete:%s'
DEPRECATED_REASON = """
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
"""
DEPRECATED_POLICY = policy.DeprecatedRule('os_compute_api:os-deferred-delete',
base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0')
deferred_delete_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'restore',
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
description="Restore a soft deleted server",
operations=[
{
'method': 'POST',
'path': '/servers/{server_id}/action (restore)'
},
],
scope_types=['system', 'project'],
deprecated_rule=DEPRECATED_POLICY),
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from manila.policies import base
BASE_POLICY_NAME = 'share_network_subnet:%s'
DEPRECATED_REASON = """
The share network subnet API now supports system scope and default roles.
"""
deprecated_subnet_create = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'create',
check_str=base.RULE_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
deprecated_subnet_delete = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'delete',
check_str=base.RULE_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
deprecated_subnet_show = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'show',
check_str=base.RULE_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
deprecated_subnet_index = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'index',
check_str=base.RULE_DEFAULT,
from oslo_log import versionutils
from oslo_policy import policy
from keystone.common.policies import base
DEPRECATED_REASON = """
As of the Train release, the project endpoint API now understands default
roles and system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the project endpoint API.
"""
deprecated_list_projects_for_endpoint = policy.DeprecatedRule(
name=base.IDENTITY % 'list_projects_for_endpoint',
check_str=base.RULE_ADMIN_REQUIRED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN)
deprecated_add_endpoint_to_project = policy.DeprecatedRule(
name=base.IDENTITY % 'add_endpoint_to_project',
check_str=base.RULE_ADMIN_REQUIRED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN)
deprecated_check_endpoint_in_project = policy.DeprecatedRule(
name=base.IDENTITY % 'check_endpoint_in_project',
check_str=base.RULE_ADMIN_REQUIRED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN)
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from manila.policies import base
BASE_POLICY_NAME = 'share_export_location:%s'
DEPRECATED_REASON = """
The share export location API now support system scope and default roles.
"""
deprecated_export_location_index = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'index',
check_str=base.RULE_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
deprecated_export_location_show = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'show',
check_str=base.RULE_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
share_export_location_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'index',
check_str=base.SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
description="Get all export locations of a given share.",
operations=[{
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from keystone.common.policies import base
DEPRECATED_REASON = (
"The OAUTH1 consumer API is now aware of system scope and default roles.")
deprecated_get_consumer = policy.DeprecatedRule(
name=base.IDENTITY % 'get_consumer',
check_str=base.RULE_ADMIN_REQUIRED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN)
deprecated_list_consumers = policy.DeprecatedRule(
name=base.IDENTITY % 'list_consumers',
check_str=base.RULE_ADMIN_REQUIRED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN)
deprecated_create_consumer = policy.DeprecatedRule(
name=base.IDENTITY % 'create_consumer',
check_str=base.RULE_ADMIN_REQUIRED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN)
deprecated_update_consumer = policy.DeprecatedRule(
name=base.IDENTITY % 'update_consumer',
check_str=base.RULE_ADMIN_REQUIRED,
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from keystone.common.policies import base
collection_path = '/v3/users/{user_id}/application_credentials'
resource_path = collection_path + '/{application_credential_id}'
deprecated_list_application_credentials_for_user = policy.DeprecatedRule(
name=base.IDENTITY % 'list_application_credentials',
check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_get_application_credentials_for_user = policy.DeprecatedRule(
name=base.IDENTITY % 'get_application_credentials',
check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_application_credentials',
check_str=base.RULE_ADMIN_OR_OWNER)
DEPRECATED_REASON = (
"The application credential API is now aware of system scope and default "
"roles.")
application_credential_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_application_credential',
'user_id:%(target.user.id)s')
SYSTEM_READER_OR_DOMAIN_READER = (
'(' + base.SYSTEM_READER + ') or '
'(role:reader and domain_id:%(target.domain_id)s)')
SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
'(role:admin and system_scope:all) or '
'(role:admin and domain_id:%(target.project.domain_id)s)')
DEPRECATED_REASON = (
"The project API is now aware of system scope and default roles.")
deprecated_list_projects = policy.DeprecatedRule(
name=base.IDENTITY % 'list_projects',
check_str=base.RULE_ADMIN_REQUIRED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN)
deprecated_get_project = policy.DeprecatedRule(
name=base.IDENTITY % 'get_project',
check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN)
deprecated_list_user_projects = policy.DeprecatedRule(
name=base.IDENTITY % 'list_user_projects',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN)
deprecated_create_project = policy.DeprecatedRule(
name=base.IDENTITY % 'create_project',
check_str=base.RULE_ADMIN_REQUIRED,
},
]
rules = [
policy.RuleDefault(name='external',
check_str='field:networks:router:external=True',
description='Definition of an external network'),
policy.DocumentedRuleDefault(
name='create_network',
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
description='Create a network',
operations=ACTION_POST,
deprecated_rule=policy.DeprecatedRule(
name='create_network',
check_str=base.RULE_ANY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)),
policy.DocumentedRuleDefault(
name='create_network:shared',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Create a shared network',
operations=ACTION_POST,
deprecated_rule=policy.DeprecatedRule(
name='create_network:shared',
check_str=base.RULE_ADMIN_ONLY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)),
policy.DocumentedRuleDefault(
name='create_network:router:external',
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from keystone.common.policies import base
DEPRECATED_REASON = (
"The token API is now aware of system scope and default roles.")
deprecated_check_token = policy.DeprecatedRule(
name=base.IDENTITY % 'check_token',
check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN)
deprecated_validate_token = policy.DeprecatedRule(
name=base.IDENTITY % 'validate_token',
check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN)
deprecated_revoke_token = policy.DeprecatedRule(
name=base.IDENTITY % 'revoke_token',
check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN)
SYSTEM_ADMIN_OR_TOKEN_SUBJECT = (
'(role:admin and system_scope:all) or rule:token_subject' # nosec
'or user_id:%(target.credential.user_id)s'
)
SYSTEM_ADMIN_OR_CRED_OWNER = (
'(role:admin and system_scope:all) '
'or user_id:%(target.credential.user_id)s'
)
DEPRECATED_REASON = (
'As of the Stein release, the credential API now understands how to '
'handle system-scoped tokens in addition to project-scoped tokens, making '
'the API more accessible to users without compromising security or '
'manageability for administrators. The new default policies for this API '
'account for these changes automatically.'
)
deprecated_get_credential = policy.DeprecatedRule(
name=base.IDENTITY % 'get_credential',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_list_credentials = policy.DeprecatedRule(
name=base.IDENTITY % 'list_credentials',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_create_credential = policy.DeprecatedRule(
name=base.IDENTITY % 'create_credential',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_update_credential = policy.DeprecatedRule(
name=base.IDENTITY % 'update_credential',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_delete_credential = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_credential',
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from manila.policies import base
BASE_POLICY_NAME = 'share_type:%s'
DEPRECATED_REASON = """
The share type API now supports system scope and default roles.
"""
deprecated_share_type_create = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'create', check_str=base.RULE_ADMIN_API)
deprecated_share_type_update = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'update', check_str=base.RULE_ADMIN_API)
deprecated_share_type_show = policy.DeprecatedRule(name=BASE_POLICY_NAME %
'show',
check_str=base.RULE_DEFAULT)
deprecated_share_type_index = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'index', check_str=base.RULE_DEFAULT)
deprecated_share_type_get_default = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'default', check_str=base.RULE_DEFAULT)
deprecated_share_type_delete = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'delete', check_str=base.RULE_ADMIN_API)
deprecated_share_type_list_project_access = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'list_project_access',
check_str=base.RULE_ADMIN_API)
deprecated_share_type_add_project_access = policy.DeprecatedRule(
'(' + base.SYSTEM_READER + ') or '
'(role:reader and domain_id:%(target.domain_id)s)'
)
SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN = (
'(' + base.SYSTEM_READER + ') or '
'(role:reader and domain_id:%(target.project.domain_id)s) or '
'(role:admin and project_id:%(target.project.id)s)'
)
DEPRECATED_REASON = (
"The assignment API is now aware of system scope and default roles."
)
deprecated_list_role_assignments = policy.DeprecatedRule(
name=base.IDENTITY % 'list_role_assignments',
check_str=base.RULE_ADMIN_REQUIRED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN
)
deprecated_list_role_assignments_for_tree = policy.DeprecatedRule(
name=base.IDENTITY % 'list_role_assignments_for_tree',
check_str=base.RULE_ADMIN_REQUIRED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN
)
role_assignment_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_role_assignments',
check_str=SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain'],
