Merge ~freyes/ubuntu/+source/keystone:upstream into ~ubuntu-openstack-dev/ubuntu/+source/keystone:upstream
Proposed by
Felipe Reyes
Status: | Merged |
---|---|
Merged at revision: | 1fde32da7e51eae8f6a38e5825ad803a3b89a314 |
Proposed branch: | ~freyes/ubuntu/+source/keystone:upstream |
Merge into: | ~ubuntu-openstack-dev/ubuntu/+source/keystone:upstream |
Diff against target: |
6994 lines (+1097/-1613) 98 files modified
.zuul.yaml (+13/-14) AUTHORS (+0/-12) ChangeLog (+7/-52) PKG-INFO (+63/-67) README.rst (+1/-1) api-ref/source/v3/authenticate-v3.inc (+1/-1) dev/null (+0/-6) devstack/plugin.sh (+0/-7) doc/source/admin/cli-manage-projects-users-and-roles.rst (+2/-2) doc/source/admin/domain-specific-config.inc (+0/-6) doc/source/admin/identity-concepts.rst (+9/-9) doc/source/admin/service-api-protection.rst (+43/-138) doc/source/admin/upgrading.rst (+1/-1) doc/source/conf.py (+1/-5) doc/source/configuration/policy.rst (+0/-9) doc/source/contributor/how-can-i-help.rst (+1/-1) doc/source/getting-started/community.rst (+3/-3) doc/source/getting-started/policy_mapping.rst (+1/-1) keystone.egg-info/PKG-INFO (+63/-67) keystone.egg-info/SOURCES.txt (+2/-16) keystone.egg-info/requires.txt (+3/-3) keystone/api/s3tokens.py (+1/-4) keystone/cmd/status.py (+0/-3) keystone/common/policies/application_credential.py (+16/-17) keystone/common/policies/consumer.py (+23/-24) keystone/common/policies/credential.py (+15/-15) keystone/common/policies/domain.py (+20/-20) keystone/common/policies/domain_config.py (+17/-17) keystone/common/policies/ec2_credential.py (+16/-17) keystone/common/policies/endpoint.py (+19/-19) keystone/common/policies/endpoint_group.py (+38/-37) keystone/common/policies/grant.py (+43/-44) keystone/common/policies/group.py (+40/-40) keystone/common/policies/identity_provider.py (+21/-22) keystone/common/policies/implied_role.py (+23/-23) keystone/common/policies/mapping.py (+22/-23) keystone/common/policies/policy.py (+19/-19) keystone/common/policies/policy_association.py (+37/-38) keystone/common/policies/project.py (+52/-52) keystone/common/policies/project_endpoint.py (+23/-23) keystone/common/policies/protocol.py (+24/-25) keystone/common/policies/region.py (+15/-16) keystone/common/policies/role.py (+43/-44) keystone/common/policies/role_assignment.py (+11/-12) keystone/common/policies/service.py (+23/-24) keystone/common/policies/service_provider.py (+23/-24) 
keystone/common/policies/token.py (+12/-12) keystone/common/policies/trust.py (+24/-24) keystone/common/policies/user.py (+20/-20) keystone/common/rbac_enforcer/enforcer.py (+0/-8) keystone/common/sql/core.py (+0/-10) keystone/common/utils.py (+2/-2) keystone/conf/__init__.py (+0/-7) keystone/conf/memcache.py (+1/-25) keystone/federation/idp.py (+2/-10) keystone/identity/mapping_backends/sql.py (+1/-1) keystone/identity/shadow_backends/sql.py (+1/-2) keystone/locale/en_GB/LC_MESSAGES/keystone.po (+2/-14) keystone/models/revoke_model.py (+1/-1) keystone/tests/unit/assignment/test_backends.py (+3/-3) keystone/tests/unit/catalog/test_backends.py (+18/-24) keystone/tests/unit/common/test_notifications.py (+1/-1) keystone/tests/unit/config_files/backend_ldap_sql.conf (+1/-1) keystone/tests/unit/config_files/backend_multi_ldap_sql.conf (+1/-1) keystone/tests/unit/config_files/backend_sql.conf (+1/-1) keystone/tests/unit/config_files/deprecated.conf (+8/-0) keystone/tests/unit/config_files/deprecated_override.conf (+15/-0) keystone/tests/unit/contrib/federation/test_utils.py (+3/-3) keystone/tests/unit/core.py (+11/-4) keystone/tests/unit/endpoint_policy/backends/test_base.py (+1/-1) keystone/tests/unit/identity/shadow_users/test_backend.py (+2/-2) keystone/tests/unit/identity/test_backends.py (+16/-20) keystone/tests/unit/ksfixtures/__init__.py (+0/-1) keystone/tests/unit/policy/backends/test_base.py (+1/-1) keystone/tests/unit/resource/test_backends.py (+19/-26) keystone/tests/unit/test_associate_project_endpoint_extension.py (+4/-4) keystone/tests/unit/test_backend_id_mapping_sql.py (+4/-24) keystone/tests/unit/test_backend_ldap.py (+23/-29) keystone/tests/unit/test_backend_sql.py (+2/-2) keystone/tests/unit/test_backend_templated.py (+2/-2) keystone/tests/unit/test_config.py (+35/-1) keystone/tests/unit/test_contrib_s3_core.py (+0/-82) keystone/tests/unit/test_hacking_checks.py (+1/-1) keystone/tests/unit/test_policy.py (+4/-6) 
keystone/tests/unit/test_sql_banned_operations.py (+1/-6) keystone/tests/unit/test_sql_upgrade.py (+2/-21) keystone/tests/unit/test_v3.py (+2/-2) keystone/tests/unit/test_v3_assignment.py (+1/-1) keystone/tests/unit/test_v3_federation.py (+6/-6) keystone/trust/backends/base.py (+1/-1) keystone/trust/backends/sql.py (+1/-5) keystone/trust/core.py (+9/-9) lower-constraints.txt (+3/-4) releasenotes/source/index.rst (+0/-3) releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po (+3/-124) requirements.txt (+3/-3) setup.cfg (+4/-4) tox.ini (+21/-25) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Corey Bryant | Pending | ||
Review via email: mp+416277@code.launchpad.net |
Commit message
Description of the change
Preview Diff
1 | diff --git a/.zuul.yaml b/.zuul.yaml |
2 | index fc3eebb..daadbc7 100644 |
3 | --- a/.zuul.yaml |
4 | +++ b/.zuul.yaml |
5 | @@ -33,14 +33,6 @@ |
6 | USE_PYTHON3: True |
7 | |
8 | - job: |
9 | - name: keystone-dsvm-py3-functional-fips |
10 | - parent: keystone-dsvm-py3-functional |
11 | - nodeset: devstack-single-node-centos-8-stream |
12 | - description: | |
13 | - Functional testing for a FIPS enabled Centos 8 system |
14 | - pre-run: playbooks/enable-fips.yaml |
15 | - |
16 | -- job: |
17 | name: keystone-dsvm-functional-federation-opensuse15 |
18 | parent: keystone-dsvm-functional |
19 | nodeset: devstack-single-node-opensuse-15 |
20 | @@ -110,6 +102,15 @@ |
21 | osa_test_repo: openstack/openstack-ansible-os_keystone |
22 | |
23 | - job: |
24 | + name: keystone-tox-protection |
25 | + parent: openstack-tox-py37 |
26 | + timeout: 3600 |
27 | + vars: |
28 | + tox_envlist: protection |
29 | + bindep_profile: test py37 |
30 | + python_version: 3.7 |
31 | + |
32 | +- job: |
33 | name: keystone-dsvm-ldap-domain-specific-driver |
34 | parent: devstack-tempest |
35 | vars: |
36 | @@ -209,7 +210,6 @@ |
37 | - check-requirements |
38 | - integrated-gate-py3 |
39 | - release-notes-jobs-python3 |
40 | - - openstack-python3-wallaby-jobs-arm64 |
41 | check: |
42 | jobs: |
43 | - keystone-dsvm-py3-functional: |
44 | @@ -220,9 +220,6 @@ |
45 | - ^etc/.*$ |
46 | - ^keystone/tests/unit/.*$ |
47 | - ^releasenotes/.*$ |
48 | - - keystone-dsvm-py3-functional-fips: |
49 | - voting: false |
50 | - irrelevant-files: *irrelevant-files |
51 | - keystone-dsvm-py3-functional-federation-ubuntu-focal: |
52 | voting: false |
53 | irrelevant-files: *irrelevant-files |
54 | @@ -248,7 +245,7 @@ |
55 | irrelevant-files: *tempest-irrelevant-files |
56 | - tempest-ipv6-only: |
57 | irrelevant-files: *tempest-irrelevant-files |
58 | - - keystone-protection-functional |
59 | + - keystone-tox-protection |
60 | gate: |
61 | jobs: |
62 | - keystone-dsvm-py3-functional: |
63 | @@ -261,7 +258,7 @@ |
64 | irrelevant-files: *tempest-irrelevant-files |
65 | - tempest-ipv6-only: |
66 | irrelevant-files: *tempest-irrelevant-files |
67 | - - keystone-protection-functional |
68 | + - keystone-tox-protection |
69 | experimental: |
70 | jobs: |
71 | - keystone-tox-patch_cover |
72 | @@ -271,6 +268,8 @@ |
73 | irrelevant-files: *irrelevant-files |
74 | - tempest-pg-full: |
75 | irrelevant-files: *tempest-irrelevant-files |
76 | + - tempest-full-py3-opensuse15: |
77 | + irrelevant-files: *tempest-irrelevant-files |
78 | - keystone-dsvm-functional-federation-centos7: |
79 | irrelevant-files: *irrelevant-files |
80 | - keystone-dsvm-functional-federation-ubuntu-xenial: |
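Review bot: The RBAC protection tests that gate this branch no longer appear to run against a deployed keystone: in `check` and `gate` (the `@@ -248` and `@@ -261` hunks) `keystone-tox-protection` stands where `keystone-protection-functional` was, and the job defined in the `@@ -110` hunk is a plain tox run (`parent: openstack-tox-py37`, `tox_envlist: protection`). The same merge deletes `devstack/lib/scope.sh`, whose `configure_enforce_scope` set `oslo_policy enforce_scope` and `enforce_new_defaults` to true; whether any remaining job still turns scope enforcement on cannot be told from here, because the removed job's definition and the `tox.ini` changes are not shown. The non-voting `keystone-dsvm-py3-functional-fips` job also goes away in the `@@ -33` and `@@ -220` hunks. I would state the coverage on the job itself, e.g. `# tox "protection" env only; keystone is not deployed and enforce_scope is not set by this job` above `name: keystone-tox-protection`, and check that `tox.ini` on this branch defines a `protection` env before relying on the job as a gate.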
81 | diff --git a/AUTHORS b/AUTHORS |
82 | index e0e5154..558a789 100644 |
83 | --- a/AUTHORS |
84 | +++ b/AUTHORS |
85 | @@ -1,7 +1,6 @@ |
86 | Adam Gandelman <adam.gandelman@canonical.com> |
87 | Adam Young <ayoung@f17httpd.ayoung530> |
88 | Adam Young <ayoung@redhat.com> |
89 | -Ade Lee <alee@redhat.com> |
90 | Adipudi Praveena <padipudi@padipudi.(none)> |
91 | Adrian Turjak <adriant@catalyst.net.nz> |
92 | Ajaya Agrawal <ajku.agr@gmail.com> |
93 | @@ -177,7 +176,6 @@ Ghe Rivero <ghe@debian.org> |
94 | Gordon Chung <chungg@ca.ibm.com> |
95 | Graham Hayes <graham.hayes@hpe.com> |
96 | Grzegorz Grasza <grzegorz.grasza@intel.com> |
97 | -Grzegorz Grasza <xek@redhat.com> |
98 | Guang Yee <guang.yee@hpe.com> |
99 | Guang Yee <guang.yee@suse.com> |
100 | Guo Shan <guoshan@awcloud.com> |
101 | @@ -199,7 +197,6 @@ Hervé Beraud <hberaud@redhat.com> |
102 | Hidekazu Nakamura <hid-nakamura@vf.jp.nec.com> |
103 | Hieu LE <hieulq@vn.fujitsu.com> |
104 | Hirofumi Ichihara <ichihara.hirofumi@lab.ntt.co.jp> |
105 | -Hironori Shiina <shiina.hironori@jp.fujitsu.com> |
106 | Hongbin Lu <hongbin034@gmail.com> |
107 | Hugh Saunders <hugh@wherenow.org> |
108 | Hugo Nicodemos <hugonicodemos@gmail.com> |
109 | @@ -348,7 +345,6 @@ Matthew Thode <mthode@mthode.org> |
110 | Matthew Treinish <mtreinish@kortar.org> |
111 | Matthew Treinish <treinish@linux.vnet.ibm.com> |
112 | Matthieu Huin <mhu@enovance.com> |
113 | -Maurice Escher <maurice.escher@sap.com> |
114 | Michael Basnight <mbasnight@gmail.com> |
115 | Michael J Fork <mjfork@us.ibm.com> |
116 | Michael Krotscheck <krotscheck@gmail.com> |
117 | @@ -422,7 +418,6 @@ Robert Collins <rbtcollins@hp.com> |
118 | Robert Collins <robertc@robertcollins.net> |
119 | Robert H. Hyerle <hyerle@hp.com> |
120 | Robin Norwood <robin.norwood@gmail.com> |
121 | -Rodolfo Alonso Hernandez <ralonsoh@redhat.com> |
122 | Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com> |
123 | Rodrigo Duarte <rduartes@redhat.com> |
124 | Rodrigo Duarte Sousa <rduartes@redhat.com> |
125 | @@ -484,12 +479,10 @@ Sreyansh Jain <taishiroy2904@gmail.com> |
126 | Stanisław Pitucha <stanislaw.pitucha@hp.com> |
127 | Stef T <stelford@internap.com> |
128 | Stephen Finucane <sfinucan@redhat.com> |
129 | -Stephen Finucane <stephenfin@redhat.com> |
130 | Steve Baker <sbaker@redhat.com> |
131 | Steve Martinelli <s.martinelli@gmail.com> |
132 | Steve Martinelli <stevemar@ca.ibm.com> |
133 | Steven Hardy <shardy@redhat.com> |
134 | -Stuart Grace <stuart.grace@bbc.co.uk> |
135 | Stuart McLaren <stuart.mclaren@hp.com> |
136 | Suramya Shah <shah.suramya@gmail.com> |
137 | Sushil Kumar <sushil.kumar2@globallogic.com> |
138 | @@ -499,7 +492,6 @@ Sylvain Afchain <sylvain.afchain@enovance.com> |
139 | THOMAS J. COCOZZELLO <tjcocozz@us.ibm.com> |
140 | Tahmina Ahmed <tahmina.csebuet@gmail.com> |
141 | Taishi Roy <taishiroy2904@gmail.com> |
142 | -Takashi Kajinami <tkajinam@redhat.com> |
143 | Takashi NATSUME <natsume.takashi@lab.ntt.co.jp> |
144 | Telles Nobrega <tellesmvn@lsd.ufcg.edu.br> |
145 | Theodore Ilie <theodorex.ilie@intel.com> |
146 | @@ -564,7 +556,6 @@ Yong Sheng Gong <gongysh@cn.ibm.com> |
147 | Yong Sheng Gong <gongysh@unitedstack.com> |
148 | You Ji <jiyou09@gmail.com> |
149 | You Yamagata <bi.yamagata@gmail.com> |
150 | -YuehuiLei <leiyuehui-s@inspur.com> |
151 | Yuiko Takada <takada-yuiko@mxn.nes.nec.co.jp> |
152 | Yun Mao <yunmao@gmail.com> |
153 | Yuriy Taraday <yorik.sar@gmail.com> |
154 | @@ -672,7 +663,6 @@ prashkre <prashkre@in.ibm.com> |
155 | qinglin.cheng <qinglin.cheng@easystack.cn> |
156 | r-sekine <r-sekine@intellilink.co.jp> |
157 | rajat29 <rajat.sharma@nectechnologies.in> |
158 | -ricolin <rico.lin.guanyu@gmail.com> |
159 | rocky <haigang.xu@easystack.cn> |
160 | root <root@newapps.(none)> |
161 | rpedde <ron@pedde.com> |
162 | @@ -699,7 +689,6 @@ wanghui <wang_hui@inspur.com> |
163 | wanglong <wl3617@qq.com> |
164 | wangqiangbj <wangqiangbj@inspur.com> |
165 | wangxiyuan <wangxiyuan@huawei.com> |
166 | -wangzihao <wangzihao@yovole.com> |
167 | werner mendizabal <nonameentername@gmail.com> |
168 | whoami-rajat <rajatdhasmana@gmail.com> |
169 | wingwj <wingwj@gmail.com> |
170 | @@ -710,7 +699,6 @@ xingzhou <xingzhou@cn.ibm.com> |
171 | xuhaigang <haigang.xu@easystack.cn> |
172 | xurong00037997 <xu.rong@zte.com.cn> |
173 | yanghuichan <yanghc@fiberhome.com> |
174 | -yangshaoxue <yang.shaoxue@99cloud.net> |
175 | yangweiwei <yangweiwei@cmss.chinamobile.com> |
176 | yangyapeng <yang.yapeng@99cloud.net> |
177 | yaroslavmt <yaroslavmt@gmail.com> |
178 | diff --git a/ChangeLog b/ChangeLog |
179 | index d5d2a11..2f980e8 100644 |
180 | --- a/ChangeLog |
181 | +++ b/ChangeLog |
182 | @@ -1,64 +1,21 @@ |
183 | CHANGES |
184 | ======= |
185 | |
186 | -* Add 'WarningsFixture' |
187 | -* Add support for pysaml2 >= 7.1.0 |
188 | -* tox: Random fixups |
189 | -* Deprecate ineffective [memcache] options |
190 | -* Fix response code of 'Revoke Token' in api-ref |
191 | -* Accept STS and IAM services from Ceph Obj Gateway |
192 | -* Fix oslo policy warning assert in unit tests |
193 | -* Temporary exclude the common.sql.core.py from sphinx-apidoc target |
194 | -* Remove broken tempest-full-py3-opensuse15 job |
195 | -* Fix typos in application credential policies |
196 | -* Fix typo in identity provider policies |
197 | -* Update master for stable/xena |
198 | -* Improve performance on trust deletion |
199 | -* Replace deprecated assertDictContainsSubset |
200 | - |
201 | -20.0.0 |
202 | +18.1.0 |
203 | ------ |
204 | |
205 | +* Fix typos in application credential policies |
206 | * Fix typos in ec2 credential policies |
207 | -* Fix oslo policy DeprecatedRule warnings |
208 | -* Update local\_id limit to 255 characters |
209 | -* Add FIPS check job |
210 | -* Replace deprecated import of ABCs from collections |
211 | -* Moving IRC network reference to OFTC |
212 | -* Update master for stable/wallaby |
213 | -* Remove use of deprecated oslo.db options |
214 | -* docs: Fix failing build |
215 | -* Make DB queries compatible with SQLAlchemy 1.4.x |
216 | -* fix get\_security\_compliance\_domain\_config policy rule typo |
217 | -* setup.cfg: Replace dashes with underscores |
218 | +* Fix typo in identity provider policies |
219 | * Hide AccountLocked exception from end users |
220 | * Retry update\_user when sqlalchemy raises StaleDataErrors |
221 | -* Imported Translations from Zanata |
222 | - |
223 | -19.0.0.0rc1 |
224 | ------------ |
225 | - |
226 | -* Add job for keystone functional protection tests |
227 | -* trivial: Update minor wording nit in RBAC persona documentation |
228 | -* Clarify top-level personas in RBAC documentation |
229 | -* Clarify \`\`reader\`\` role implementation in persona admin guide |
230 | -* [goal] Deprecate the JSON formatted policy file |
231 | -* Ignore oslo.db deprecating sqlalchemy-migrate warning |
232 | -* Add openstack-python3-wallaby-jobs-arm64 job |
233 | * Support bytes type in generate\_public\_ID() |
234 | -* Imported Translations from Zanata |
235 | -* Drop lower-constraints job |
236 | -* fix E741 ambiguous variable name |
237 | -* fix E225 missing whitespace around operator |
238 | * Use app cred user ID in policy enforcement |
239 | -* Generalize release note for bug 1878938 |
240 | -* Use enforce\_new\_defaults when setting up keystone protection tests |
241 | +* Update TOX\_CONSTRAINTS\_FILE for stable/victoria |
242 | +* Drop lower-constraints job |
243 | +* Delete system role assignments from system\_assignment table |
244 | * Implement more robust connection handling for asynchronous LDAP calls |
245 | -* Imported Translations from Zanata |
246 | -* Update master for stable/victoria |
247 | -* Add vine to lower-constraints |
248 | -* Simplify default config test |
249 | -* Replace assertItemsEqual with assertCountEqual |
250 | +* Update .gitreview for stable/victoria |
251 | |
252 | 18.0.0 |
253 | ------ |
254 | @@ -75,9 +32,7 @@ CHANGES |
255 | * Spelling Fix |
256 | * NIT: Spelling Fix |
257 | * Properly handle octet (byte) strings when converting LDAP responses |
258 | -* Add support for functional RBAC tests |
259 | * Fix invalid assertTrue which should be assertEqual |
260 | -* Delete system role assignments from system\_assignment table |
261 | * Fix api-ref for list endpoints |
262 | * Fix lower-constraint for PyMySQL |
263 | * Fix doc for package mod\_wsgi on Centos8/RHEL8 |
264 | diff --git a/PKG-INFO b/PKG-INFO |
265 | index 3b63a18..c4bc751 100644 |
266 | --- a/PKG-INFO |
267 | +++ b/PKG-INFO |
268 | @@ -1,11 +1,73 @@ |
269 | Metadata-Version: 2.1 |
270 | Name: keystone |
271 | -Version: 20.1.0.dev27 |
272 | +Version: 18.1.0 |
273 | Summary: OpenStack Identity |
274 | Home-page: https://docs.openstack.org/keystone/latest |
275 | Author: OpenStack |
276 | Author-email: openstack-discuss@lists.openstack.org |
277 | License: UNKNOWN |
278 | +Description: ================== |
279 | + OpenStack Keystone |
280 | + ================== |
281 | + |
282 | + .. image:: https://governance.openstack.org/tc/badges/keystone.svg |
283 | + :target: https://governance.openstack.org/tc/reference/tags/index.html |
284 | + |
285 | + .. Change things from this point on |
286 | + |
287 | + OpenStack Keystone provides authentication, authorization and service discovery |
288 | + mechanisms via HTTP primarily for use by projects in the OpenStack family. It |
289 | + is most commonly deployed as an HTTP interface to existing identity systems, |
290 | + such as LDAP. |
291 | + |
292 | + Developer documentation, the source of which is in ``doc/source/``, is |
293 | + published at: |
294 | + |
295 | + https://docs.openstack.org/keystone/latest |
296 | + |
297 | + The API reference and documentation are available at: |
298 | + |
299 | + https://docs.openstack.org/api-ref/identity |
300 | + |
301 | + The canonical client library is available at: |
302 | + |
303 | + https://opendev.org/openstack/python-keystoneclient |
304 | + |
305 | + Documentation for cloud administrators is available at: |
306 | + |
307 | + https://docs.openstack.org/ |
308 | + |
309 | + The source of documentation for cloud administrators is available at: |
310 | + |
311 | + https://opendev.org/openstack/openstack-manuals |
312 | + |
313 | + Information about our team meeting is available at: |
314 | + |
315 | + https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting |
316 | + |
317 | + Release notes is available at: |
318 | + |
319 | + https://docs.openstack.org/releasenotes/keystone |
320 | + |
321 | + Bugs and feature requests are tracked on Launchpad at: |
322 | + |
323 | + https://bugs.launchpad.net/keystone |
324 | + |
325 | + Future design work is tracked at: |
326 | + |
327 | + https://specs.openstack.org/openstack/keystone-specs |
328 | + |
329 | + Contributors are encouraged to join IRC (``#openstack-keystone`` on freenode): |
330 | + |
331 | + https://wiki.openstack.org/wiki/IRC |
332 | + |
333 | + Source for the project: |
334 | + |
335 | + https://opendev.org/openstack/keystone |
336 | + |
337 | + For information on contributing to Keystone, see ``CONTRIBUTING.rst``. |
338 | + |
339 | + |
340 | Platform: UNKNOWN |
341 | Classifier: Environment :: OpenStack |
342 | Classifier: Intended Audience :: Information Technology |
343 | @@ -24,69 +86,3 @@ Provides-Extra: ldap |
344 | Provides-Extra: memcache |
345 | Provides-Extra: mongodb |
346 | Provides-Extra: test |
347 | -License-File: LICENSE |
348 | -License-File: AUTHORS |
349 | - |
350 | -================== |
351 | -OpenStack Keystone |
352 | -================== |
353 | - |
354 | -.. image:: https://governance.openstack.org/tc/badges/keystone.svg |
355 | - :target: https://governance.openstack.org/tc/reference/tags/index.html |
356 | - |
357 | -.. Change things from this point on |
358 | - |
359 | -OpenStack Keystone provides authentication, authorization and service discovery |
360 | -mechanisms via HTTP primarily for use by projects in the OpenStack family. It |
361 | -is most commonly deployed as an HTTP interface to existing identity systems, |
362 | -such as LDAP. |
363 | - |
364 | -Developer documentation, the source of which is in ``doc/source/``, is |
365 | -published at: |
366 | - |
367 | - https://docs.openstack.org/keystone/latest |
368 | - |
369 | -The API reference and documentation are available at: |
370 | - |
371 | - https://docs.openstack.org/api-ref/identity |
372 | - |
373 | -The canonical client library is available at: |
374 | - |
375 | - https://opendev.org/openstack/python-keystoneclient |
376 | - |
377 | -Documentation for cloud administrators is available at: |
378 | - |
379 | - https://docs.openstack.org/ |
380 | - |
381 | -The source of documentation for cloud administrators is available at: |
382 | - |
383 | - https://opendev.org/openstack/openstack-manuals |
384 | - |
385 | -Information about our team meeting is available at: |
386 | - |
387 | - https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting |
388 | - |
389 | -Release notes is available at: |
390 | - |
391 | - https://docs.openstack.org/releasenotes/keystone |
392 | - |
393 | -Bugs and feature requests are tracked on Launchpad at: |
394 | - |
395 | - https://bugs.launchpad.net/keystone |
396 | - |
397 | -Future design work is tracked at: |
398 | - |
399 | - https://specs.openstack.org/openstack/keystone-specs |
400 | - |
401 | -Contributors are encouraged to join IRC (``#openstack-keystone`` on OFTC): |
402 | - |
403 | - https://wiki.openstack.org/wiki/IRC |
404 | - |
405 | -Source for the project: |
406 | - |
407 | - https://opendev.org/openstack/keystone |
408 | - |
409 | -For information on contributing to Keystone, see ``CONTRIBUTING.rst``. |
410 | - |
411 | - |
412 | - |
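--- a/README.rst
+++ b/README.rst
@@ -49,7 +49,7 @@ Future design work is tracked at:
 
 https://specs.openstack.org/openstack/keystone-specs
 
-Contributors are encouraged to join IRC (``#openstack-keystone`` on OFTC):
+Contributors are encouraged to join IRC (``#openstack-keystone`` on freenode):
 
 https://wiki.openstack.org/wiki/IRC
 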
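--- a/api-ref/source/v3/authenticate-v3.inc
+++ b/api-ref/source/v3/authenticate-v3.inc
@@ -965,7 +965,7 @@ Status Codes
 
 .. rest_status_code:: success status.yaml
 
- - 204
+ - 201
 
 .. rest_status_code:: error status.yaml
 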
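--- a/devstack/lib/scope.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-# Copyright 2019 SUSE LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-function configure_enforce_scope {
- iniset $KEYSTONE_CONF oslo_policy enforce_scope true
- iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
- iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
- sudo systemctl restart devstack@keystone
-}
-
-function configure_protection_tests {
- iniset $TEMPEST_CONFIG identity-feature-enabled enforce_scope true
- iniset $TEMPEST_CONFIG auth admin_system true
- iniset $TEMPEST_CONFIG auth admin_project_name ''
-}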
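--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -15,7 +15,6 @@
 
 KEYSTONE_PLUGIN=$DEST/keystone/devstack
 source $KEYSTONE_PLUGIN/lib/federation.sh
-source $KEYSTONE_PLUGIN/lib/scope.sh
 
 # For more information on Devstack plugins, including a more detailed
 # explanation on when the different steps are executed please see:
@@ -48,12 +47,6 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
 if is_service_enabled keystone-saml2-federation; then
 configure_tests_settings
 fi
- if [[ "$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)" == "True" ]] ; then
- # devstack and tempest assume enforce_scope is false, so need to wait
- # until the final phase to turn it on
- configure_enforce_scope
- configure_protection_tests
- fi
 fi
 
 if [[ "$1" == "unstack" ]]; then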
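--- a/doc/source/admin/cli-manage-projects-users-and-roles.rst
+++ b/doc/source/admin/cli-manage-projects-users-and-roles.rst
@@ -10,8 +10,8 @@ define which actions users can perform. You assign roles to
 user-project pairs.
 
 You can define actions for OpenStack service roles in the
-``/etc/PROJECT/policy.yaml`` files. For example, define actions for
-Compute service roles in the ``/etc/nova/policy.yaml`` file.
+``/etc/PROJECT/policy.json`` files. For example, define actions for
+Compute service roles in the ``/etc/nova/policy.json`` file.
 
 You can manage projects, users, and roles independently from each other.
 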
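--- a/doc/source/admin/domain-specific-config.inc
+++ b/doc/source/admin/domain-specific-config.inc
@@ -146,12 +146,6 @@ then the same public ID will be created. This is useful if you are running
 multiple keystones and want to ensure the same ID would be generated whichever
 server you hit.
 
-.. NOTE::
-
- In case of the LDAP backend, the names of users and groups are not hashed.
- As a result, these are length limited to 255 characters. Longer names
- will result in an error.
-
 While keystone will dynamically maintain the identity mapping, including
 removing entries when entities are deleted via the keystone, for those entities
 in backends that are managed outside of keystone (e.g. a read-only LDAP),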
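--- a/doc/source/admin/identity-concepts.rst
+++ b/doc/source/admin/identity-concepts.rst
@@ -122,9 +122,9 @@ Identity user management examples:
 Individual services assign meaning to roles, typically through
 limiting or granting access to users with the role to the
 operations that the service supports. Role access is typically
- configured in the service's ``policy.yaml`` file. For example,
+ configured in the service's ``policy.json`` file. For example,
 to limit Compute access to the ``compute-user`` role, edit the
- Compute service's ``policy.yaml`` file to require this role for
+ Compute service's ``policy.json`` file to require this role for
 Compute operations.
 
 The Identity service assigns a project and a role to a user. You might
@@ -139,25 +139,25 @@ A user can have different roles in different projects. For example, Alice
 might also have the ``admin`` role in the ``Cyberdyne`` project. A user
 can also have multiple roles in the same project.
 
-The ``/etc/[SERVICE_CODENAME]/policy.yaml`` file controls the
+The ``/etc/[SERVICE_CODENAME]/policy.json`` file controls the
 tasks that users can perform for a given service. For example, the
-``/etc/nova/policy.yaml`` file specifies the access policy for the
-Compute service, the ``/etc/glance/policy.yaml`` file specifies
+``/etc/nova/policy.json`` file specifies the access policy for the
+Compute service, the ``/etc/glance/policy.json`` file specifies
 the access policy for the Image service, and the
-``/etc/keystone/policy.yaml`` file specifies the access policy for
+``/etc/keystone/policy.json`` file specifies the access policy for
 the Identity service.
 
-The default ``policy.yaml`` files in the Compute, Identity, and
+The default ``policy.json`` files in the Compute, Identity, and
 Image services recognize only the ``admin`` role. Any user with
 any role in a project can access all operations that do not require the
 ``admin`` role.
 
 To restrict users from performing operations in, for example, the
 Compute service, you must create a role in the Identity service and
-then modify the ``/etc/nova/policy.yaml`` file so that this role
+then modify the ``/etc/nova/policy.json`` file so that this role
 is required for Compute operations.
 
-For example, the following line in the ``/etc/cinder/policy.yaml``
+For example, the following line in the ``/etc/cinder/policy.json``
 file does not restrict which users can create volumes:
 
 .. code-block:: none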
577 | diff --git a/doc/source/admin/service-api-protection.rst b/doc/source/admin/service-api-protection.rst |
578 | index 47886ae..80b8af1 100644 |
579 | --- a/doc/source/admin/service-api-protection.rst |
580 | +++ b/doc/source/admin/service-api-protection.rst |
581 | @@ -10,16 +10,14 @@ Like most OpenStack services, keystone protects its API using role-based access |
582 | control (RBAC). |
583 | |
584 | Users can access different APIs depending on the roles they have on a project, |
585 | -domain, or system, which we refer to as scope. |
586 | +domain, or system. |
587 | |
588 | As of the Rocky release, keystone provides three roles called ``admin``, |
589 | ``member``, and ``reader`` by default. Operators can grant these roles to any |
590 | -actor (e.g., group or user) on any scope (e.g., system, domain, or project). |
591 | +actor (e.g., group or user) on any target (e.g., system, domain, or project). |
592 | If you need a refresher on authorization scopes and token types, please refer |
593 | to the `token guide`_. The following sections describe how each default role |
594 | -behaves with keystone's API across different scopes. Additionally, other |
595 | -service developers can use this document as a guide for implementing similar |
596 | -patterns in their services. |
597 | +behaves with keystone's API across different scopes. |
598 | |
599 | Default roles and behaviors across scopes allow operators to delegate more |
600 | functionality to their team, auditors, customers, and users without maintaining |
601 | @@ -31,10 +29,9 @@ custom policies. |
602 | Roles Definitions |
603 | ----------------- |
604 | |
605 | -The default roles provided by keystone, via ``keystone-manage boostrap``, are |
606 | -related through role implications. The ``admin`` role implies the ``member`` |
607 | -role, and the ``member`` role implies the ``reader`` role. These implications |
608 | -mean users with the ``admin`` role automatically have the ``member`` and |
609 | +The default roles imply one another. The ``admin`` role implies the ``member`` |
610 | +role, and the ``member`` role implies the ``reader`` role. This implication |
611 | +means users with the ``admin`` role automatically have the ``member`` and |
612 | ``reader`` roles. Additionally, users with the ``member`` role automatically |
613 | have the ``reader`` role. Implying roles reduces role assignments and forms a |
614 | natural hierarchy between the default roles. It also reduces the complexity of |
615 | @@ -54,26 +51,6 @@ Instead of: |
616 | Reader |
617 | ====== |
618 | |
619 | -.. warning:: |
620 | - |
621 | - While it's possible to use the ``reader`` role to perform audits, we highly |
622 | - recommend assessing the viability of using ``reader`` for auditing from the |
623 | - perspective of the compliance target you're pursuing. |
624 | - |
625 | - The ``reader`` role is the least-privileged role within the role hierarchy |
626 | - described here. As such, OpenStack development teams, by default, do not |
627 | - advocate exposing sensitive information to users with the ``reader`` role, |
628 | - regardless of the scope. We have noted the need for a formal, read-only, |
629 | - role that is useful for inspecting all applicable resources within a |
630 | - particular scope, but it shouldn't be implemented as the lowest level of |
631 | - authorization. This work will come in a subsequent release where we support |
632 | - an elevated read-only role, that implies ``reader``, but also exposes |
633 | - sensitive information, where applicable. |
634 | - |
635 | - This will allow operators to grant third-party auditors a permissive role |
636 | - for viewing sensitive information, specifically for compliance targets that |
637 | - require it. |
638 | - |
639 | The ``reader`` role provides read-only access to resources within the system, a |
640 | domain, or a project. Depending on the assignment scope, two users with the |
641 | ``reader`` role can expect different API behaviors. For example, a user with |
642 | @@ -87,20 +64,6 @@ roles. For example, to accomplish this without analyzing assignment scope, you |
643 | would need ``system-reader``, ``domain-reader``, and ``project-reader`` roles |
644 | in addition to custom policies for each service. |
645 | |
646 | -It's imperative to note that ``reader`` is the least authoritative role in the |
647 | -hierarchy because assignments using ``admin`` or ``member`` ultimately include |
648 | -the ``reader`` role. We document this explicitly so that ``reader`` roles are not |
649 | -overloaded with read-only access to sensitive information. For example, a deployment |
650 | -pursuing a specific compliance target may want to leverage the ``reader`` role |
651 | -to perform the audit. If the audit requires the auditor to evaluate sensitive |
652 | -information, like license keys or administrative metadata, within a given |
653 | -scope, auditors shouldn't expect to perform these operations with the |
654 | -``reader`` role. We justify this design decision because sensitive information |
655 | -should be explicitly protected, and not implicitly exposed. |
656 | - |
657 | -The ``reader`` role should be implemented and used from the perspective of |
658 | -least-privilege, which may or may not fulfill your auditing use case. |
659 | - |
660 | Member |
661 | ====== |
662 | |
663 | @@ -132,30 +95,9 @@ services are addressing this individually at their own pace). |
664 | As of the Train release, keystone applies the following personas |
665 | consistently across its API. |
666 | |
667 | ---------------- |
668 | -System Personas |
669 | ---------------- |
670 | - |
671 | -This section describes authorization personas typically used for operators and |
672 | -deployers. You can find all users with system role assignments using the |
673 | -following query: |
674 | - |
675 | -.. code-block:: console |
676 | - |
677 | - $ openstack role assignment list --names --system all |
678 | - +--------+------------------------+------------------------+---------+--------+--------+-----------+ |
679 | - | Role | User | Group | Project | Domain | System | Inherited | |
680 | - +--------+------------------------+------------------------+---------+--------+--------+-----------+ |
681 | - | admin | | system-admins@Default | | | all | False | |
682 | - | admin | admin@Default | | | | all | False | |
683 | - | admin | operator@Default | | | | all | False | |
684 | - | reader | | system-support@Default | | | all | False | |
685 | - | admin | operator@Default | | | | all | False | |
686 | - | member | system-support@Default | | | | all | False | |
687 | - +--------+------------------------+------------------------+---------+--------+--------+-----------+ |
688 | - |
689 | +--------------------- |
690 | System Administrators |
691 | -===================== |
692 | +--------------------- |
693 | |
694 | *System administrators* are allowed to manage every resource in keystone. |
695 | System administrators are typically operators and cloud administrators. They |
696 | @@ -169,7 +111,7 @@ assignments: |
697 | |
698 | .. code-block:: console |
699 | |
700 | - $ openstack role assignment list --names --system all --role admin |
701 | + $ openstack role assignment list --names --system all |
702 | +-------+------------------+-----------------------+---------+--------+--------+-----------+ |
703 | | Role | User | Group | Project | Domain | System | Inherited | |
704 | +-------+------------------+-----------------------+---------+--------+--------+-----------+ |
705 | @@ -178,57 +120,38 @@ assignments: |
706 | | admin | operator@Default | | | | all | False | |
707 | +-------+------------------+-----------------------+---------+--------+--------+-----------+ |
708 | |
709 | +------------------------------- |
710 | System Members & System Readers |
711 | -=============================== |
712 | +------------------------------- |
713 | |
714 | In keystone, *system members* and *system readers* are very similar and have |
715 | the same authorization. Users with these roles on the system can view all |
716 | -resources within keystone. They can list role assignments, users, projects, and |
717 | -group memberships, among other resources. |
718 | +resources within keystone. They can audit role assignments, users, projects, |
719 | +and group memberships, among other resources. |
720 | |
721 | -The *system reader* persona is useful for members of a support team or auditors |
722 | -if the audit doesn't require access to sensitive information. You can find |
723 | -*system members* and *system readers* in your deployment with the following |
724 | -assignments: |
725 | +The *system reader* persona is useful for auditors or members of a support |
726 | +team. You can find *system members* and *system readers* in your deployment |
727 | +with the following assignments: |
728 | |
729 | .. code-block:: console |
730 | |
731 | $ openstack role assignment list --names --system all --role member --role reader |
732 | - +--------+------------------------+------------------------+---------+--------+--------+-----------+ |
733 | - | Role | User | Group | Project | Domain | System | Inherited | |
734 | - +--------+------------------------+------------------------+---------+--------+--------+-----------+ |
735 | - | reader | | system-support@Default | | | all | False | |
736 | - | admin | operator@Default | | | | all | False | |
737 | - | member | system-support@Default | | | | all | False | |
738 | - +--------+------------------------+------------------------+---------+--------+--------+-----------+ |
739 | + +--------+------------------------+-------------------------+---------+--------+--------+-----------+ |
740 | + | Role | User | Group | Project | Domain | System | Inherited | |
741 | + +--------+------------------------+-------------------------+---------+--------+--------+-----------+ |
742 | + | reader | | system-auditors@Default | | | all | False | |
743 | + | admin | operator@Default | | | | all | False | |
744 | + | member | system-support@Default | | | | all | False | |
745 | + +--------+------------------------+-------------------------+---------+--------+--------+-----------+ |
746 | |
747 | .. warning:: |
748 | |
749 | Filtering system role assignments is currently broken and is being tracked |
750 | as a `bug <https://bugs.launchpad.net/keystone/+bug/1846817>`_. |
751 | |
752 | ---------------- |
753 | -Domain Personas |
754 | ---------------- |
755 | - |
756 | -This section describes authorization personas for people who manage their own |
757 | -domains, which contain projects, users, and groups. You can find all users with |
758 | -role assignments on a specific domain using the following query: |
759 | - |
760 | -.. code-block:: console |
761 | - |
762 | - $ openstack role assignment list --names --domain foobar |
763 | - +--------+-----------------+----------------------+---------+--------+--------+-----------+ |
764 | - | Role | User | Group | Project | Domain | System | Inherited | |
765 | - +--------+-----------------+----------------------+---------+--------+--------+-----------+ |
766 | - | reader | support@Default | | | foobar | | False | |
767 | - | admin | jsmith@Default | | | foobar | | False | |
768 | - | admin | | foobar-admins@foobar | | foobar | | False | |
769 | - | member | jdoe@foobar | | | foobar | | False | |
770 | - +--------+-----------------+----------------------+---------+--------+--------+-----------+ |
771 | - |
772 | +--------------------- |
773 | Domain Administrators |
774 | -===================== |
775 | +--------------------- |
776 | |
777 | *Domain administrators* can manage most aspects of the domain or its contents. |
778 | These users can create new projects and users within their domain. They can |
779 | @@ -251,18 +174,18 @@ assignment: |
780 | | admin | | foobar-admins@foobar | | foobar | | False | |
781 | +-------+----------------+----------------------+---------+--------+--------+-----------+ |
782 | |
783 | +------------------------------- |
784 | Domain Members & Domain Readers |
785 | -=============================== |
786 | +------------------------------- |
787 | |
788 | Domain members and domain readers have the same relationship as system members |
789 | and system readers. They're allowed to view resources and information about |
790 | their domain. They aren't allowed to access system-specific information or |
791 | information about projects, groups, and users outside their domain. |
792 | |
793 | -The domain member and domain reader use-cases are great for support teams, |
794 | -monitoring the details of an account, or auditing resources within a domain |
795 | -assuming the audit doesn't validate sensitive information. You can find domain |
796 | -members and domain readers with the following role assignments: |
797 | +The domain member and domain reader use-cases are great for auditing, support, |
798 | +or monitoring the details of an account. You can find domain members and domain |
799 | +readers with the following role assignments: |
800 | |
801 | .. code-block:: console |
802 | |
803 | @@ -276,35 +199,16 @@ members and domain readers with the following role assignments: |
804 | +--------+-----------------+-------+---------+--------+--------+-----------+ |
805 | | Role | User | Group | Project | Domain | System | Inherited | |
806 | +--------+-----------------+-------+---------+--------+--------+-----------+ |
807 | - | reader | support@Default | | | foobar | | False | |
808 | + | reader | auditor@Default | | | foobar | | False | |
809 | +--------+-----------------+-------+---------+--------+--------+-----------+ |
810 | |
811 | ----------------- |
812 | -Project Personas |
813 | ----------------- |
814 | - |
815 | -This section describes authorization personas for users operating within a |
816 | -project. These personas are commonly used by end users. You can find all users |
817 | -with role assignments on a specific project using the following query: |
818 | - |
819 | -.. code-block:: console |
820 | - |
821 | - $ openstack role assignment list --names --project production |
822 | - +--------+----------------+----------------------------+-------------------+--------+--------+-----------+ |
823 | - | Role | User | Group | Project | Domain | System | Inherited | |
824 | - +--------+----------------+----------------------------+-------------------+--------+--------+-----------+ |
825 | - | admin | jsmith@Default | | production@foobar | | | False | |
826 | - | admin | | production-admins@foobar | production@foobar | | | False | |
827 | - | member | | foobar-operators@Default | production@foobar | | | False | |
828 | - | reader | alice@Default | | production@foobar | | | False | |
829 | - | reader | | production-support@Default | production@foobar | | | False | |
830 | - +--------+----------------+----------------------------+-------------------+--------+--------+-----------+ |
831 | |
832 | +---------------------- |
833 | Project Administrators |
834 | -====================== |
835 | +---------------------- |
836 | |
837 | -*Project administrators* can only view and modify data within the project they |
838 | -have authorization on. They're able to view information about their projects |
839 | +*Project administrators* can only view and modify data within the project in |
840 | +their role assignment. They're able to view information about their projects |
841 | and set tags on their projects. They're not allowed to view system or domain |
842 | resources, as that would violate the tenancy of their role assignment. Since |
843 | the majority of the resources in keystone's API are system and domain-specific, |
844 | @@ -323,8 +227,9 @@ role assignment: |
845 | | admin | | production-admins@foobar | production@foobar | | | False | |
846 | +-------+----------------+--------------------------+-------------------+--------+--------+-----------+ |
847 | |
848 | +--------------------------------- |
849 | Project Members & Project Readers |
850 | -================================= |
851 | +--------------------------------- |
852 | |
853 | *Project members* and *project readers* can discover information about their |
854 | projects. They can access important information like resource limits for their |
855 | @@ -344,12 +249,12 @@ the following role assignments: |
856 | | member | | foobar-operators@Default | production@foobar | | | False | |
857 | +--------+------+--------------------------+-------------------+--------+--------+-----------+ |
858 | $ openstack role assignment list --names --project production --role reader |
859 | - +--------+---------------+----------------------------+-------------------+--------+--------+-----------+ |
860 | - | Role | User | Group | Project | Domain | System | Inherited | |
861 | - +--------+---------------+----------------------------+-------------------+--------+--------+-----------+ |
862 | - | reader | alice@Default | | production@foobar | | | False | |
863 | - | reader | | production-support@Default | production@foobar | | | False | |
864 | - +--------+---------------+----------------------------+-------------------+--------+--------+-----------+ |
865 | + +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+ |
866 | + | Role | User | Group | Project | Domain | System | Inherited | |
867 | + +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+ |
868 | + | reader | auditor@Default | | production@foobar | | | False | |
869 | + | reader | | production-support@Default | production@foobar | | | False | |
870 | + +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+ |
871 | |
872 | ---------------- |
873 | Writing Policies |
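--- a/doc/source/admin/upgrading.rst
+++ b/doc/source/admin/upgrading.rst
@@ -42,7 +42,7 @@ Plan your upgrade:
 to re-read the release notes for the previous release (or two!).
 
 * Prepare your new configuration files, including ``keystone.conf``,
- ``logging.conf``, ``policy.yaml``, ``keystone-paste.ini``, and anything else
+ ``logging.conf``, ``policy.json``, ``keystone-paste.ini``, and anything else
 in ``/etc/keystone/``, by customizing the corresponding files from the next
 release.
 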
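--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -55,11 +55,7 @@ apidoc_output_dir = 'api'
 apidoc_excluded_paths = [
 'tests/*',
 'tests',
- 'test',
- # TODO(gmann): with new release of SQLAlchemy(1.4.27) TypeDecorator used
- # in common/sql/core.py file started failing. Remove this oncethe issue of
- # TypeDecorator is fixed.
- 'common/sql/core.py']
+ 'test']
 apidoc_separate_modules = True
 
 # sphinxcontrib.seqdiag options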
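Review bot: The new `apidoc_excluded_paths` no longer lists `'common/sql/core.py'`, and the removed TODO says that entry existed because apidoc started failing on that file's `TypeDecorator` with SQLAlchemy 1.4.27. Whether the documentation build for this branch breaks again depends on the SQLAlchemy version in the build environment, which is not visible in this diff. If the build can see that release or a later one, keep the entry as `'test', 'common/sql/core.py']`. Otherwise record the constraint next to the list with a comment such as `# apidoc on common/sql/core.py fails with SQLAlchemy 1.4.27 (TypeDecorator)`.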
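--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@@ -2,15 +2,6 @@
 Policy configuration
 ====================
 
-.. warning::
-
- JSON formatted policy file is deprecated since Keystone 19.0.0 (Wallaby).
- This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
- JSON-formatted policy file to YAML in a backward-compatible way.
-
-.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
-
-
 Configuration
 ~~~~~~~~~~~~~
 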
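--- a/doc/source/contributor/how-can-i-help.rst
+++ b/doc/source/contributor/how-can-i-help.rst
@@ -50,7 +50,7 @@ become part of the team:
 You can also subscribe to email notifications for new bugs.
 * Subscribe to the openstack-discuss@lists.openstack.org mailing list (filter on
 subject tag ``[keystone]``) and join the #openstack-keystone IRC channel on
- OFTC. Help answer user support questions if you or your organization has
+ freenode. Help answer user support questions if you or your organization has
 faced and solved a similar problem, or chime in on design discussions that
 will affect you and your organization.
 * Check out the low hanging fruit bugs, submit patches to fix them: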
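--- a/doc/source/getting-started/community.rst
+++ b/doc/source/getting-started/community.rst
@@ -34,10 +34,10 @@ from feature designs to documentation to testing to deployment scripts.
 .. _Launchpad: https://launchpad.net/keystone
 .. _wiki: https://wiki.openstack.org/
 
-#openstack-keystone on OFTC IRC Network
----------------------------------------
+#openstack-keystone on Freenode IRC Network
+-------------------------------------------
 
-You can find Keystone folks in `<irc://oftc.net/#openstack-keystone>`_.
+You can find Keystone folks in `<irc://freenode.net/#openstack-keystone>`_.
 This is usually the best place to ask questions and find your way around. IRC
 stands for Internet Relay Chat and it is a way to chat online in real time.
 You can also ask a question and come back to the log files to read the answer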
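--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@@ -2,7 +2,7 @@
 Mapping of policy target to API
 ===============================
 
-The following table shows the target in the policy.yaml file for each API.
+The following table shows the target in the policy.json file for each API.
 
 ========================================================= ===
 Target API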
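--- a/keystone.egg-info/PKG-INFO
+++ b/keystone.egg-info/PKG-INFO
@@ -1,11 +1,73 @@
 Metadata-Version: 2.1
 Name: keystone
-Version: 20.1.0.dev27
+Version: 18.1.0
 Summary: OpenStack Identity
 Home-page: https://docs.openstack.org/keystone/latest
 Author: OpenStack
 Author-email: openstack-discuss@lists.openstack.org
 License: UNKNOWN
+Description: ==================
+ OpenStack Keystone
+ ==================
+
+ .. image:: https://governance.openstack.org/tc/badges/keystone.svg
+ :target: https://governance.openstack.org/tc/reference/tags/index.html
+
+ .. Change things from this point on
+
+ OpenStack Keystone provides authentication, authorization and service discovery
+ mechanisms via HTTP primarily for use by projects in the OpenStack family. It
+ is most commonly deployed as an HTTP interface to existing identity systems,
+ such as LDAP.
+
+ Developer documentation, the source of which is in ``doc/source/``, is
+ published at:
+
+ https://docs.openstack.org/keystone/latest
+
+ The API reference and documentation are available at:
+
+ https://docs.openstack.org/api-ref/identity
+
+ The canonical client library is available at:
+
+ https://opendev.org/openstack/python-keystoneclient
+
+ Documentation for cloud administrators is available at:
+
+ https://docs.openstack.org/
+
+ The source of documentation for cloud administrators is available at:
+
+ https://opendev.org/openstack/openstack-manuals
+
+ Information about our team meeting is available at:
+
+ https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
+
+ Release notes is available at:
+
+ https://docs.openstack.org/releasenotes/keystone
+
+ Bugs and feature requests are tracked on Launchpad at:
+
+ https://bugs.launchpad.net/keystone
+
+ Future design work is tracked at:
+
+ https://specs.openstack.org/openstack/keystone-specs
+
+ Contributors are encouraged to join IRC (``#openstack-keystone`` on freenode):
+
+ https://wiki.openstack.org/wiki/IRC
+
+ Source for the project:
+
+ https://opendev.org/openstack/keystone
+
+ For information on contributing to Keystone, see ``CONTRIBUTING.rst``.
+
+
 Platform: UNKNOWN
 Classifier: Environment :: OpenStack
 Classifier: Intended Audience :: Information Technology
@@ -24,69 +86,3 @@ Provides-Extra: ldap
 Provides-Extra: memcache
 Provides-Extra: mongodb
 Provides-Extra: test
-License-File: LICENSE
-License-File: AUTHORS
-
-==================
-OpenStack Keystone
-==================
-
-.. image:: https://governance.openstack.org/tc/badges/keystone.svg
- :target: https://governance.openstack.org/tc/reference/tags/index.html
-
-.. Change things from this point on
-
-OpenStack Keystone provides authentication, authorization and service discovery
-mechanisms via HTTP primarily for use by projects in the OpenStack family. It
-is most commonly deployed as an HTTP interface to existing identity systems,
-such as LDAP.
-
-Developer documentation, the source of which is in ``doc/source/``, is
-published at:
-
- https://docs.openstack.org/keystone/latest
-
-The API reference and documentation are available at:
-
- https://docs.openstack.org/api-ref/identity
-
-The canonical client library is available at:
-
- https://opendev.org/openstack/python-keystoneclient
-
-Documentation for cloud administrators is available at:
-
- https://docs.openstack.org/
-
-The source of documentation for cloud administrators is available at:
-
- https://opendev.org/openstack/openstack-manuals
-
-Information about our team meeting is available at:
-
- https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
-
-Release notes is available at:
-
- https://docs.openstack.org/releasenotes/keystone
-
-Bugs and feature requests are tracked on Launchpad at:
-
- https://bugs.launchpad.net/keystone
-
-Future design work is tracked at:
-
- https://specs.openstack.org/openstack/keystone-specs
-
-Contributors are encouraged to join IRC (``#openstack-keystone`` on OFTC):
-
- https://wiki.openstack.org/wiki/IRC
-
-Source for the project:
-
- https://opendev.org/openstack/keystone
-
-For information on contributing to Keystone, see ``CONTRIBUTING.rst``.
-
-
-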
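--- a/keystone.egg-info/SOURCES.txt
+++ b/keystone.egg-info/SOURCES.txt
@@ -315,7 +315,6 @@ devstack/files/federation/shib_apache_alias.txt
 devstack/files/federation/shib_apache_handler.txt
 devstack/files/federation/shibboleth2.xml
 devstack/lib/federation.sh
-devstack/lib/scope.sh
 doc/Makefile
 doc/README.rst
 doc/requirements.txt
@@ -473,7 +472,6 @@ keystone.egg-info/SOURCES.txt
 keystone.egg-info/dependency_links.txt
 keystone.egg-info/entry_points.txt
 keystone.egg-info/not-zip-safe
-keystone.egg-info/pbr.json
 keystone.egg-info/requires.txt
 keystone.egg-info/top_level.txt
 keystone/api/__init__.py
@@ -705,7 +703,6 @@ keystone/common/sql/contract_repo/versions/075_placeholder.py
 keystone/common/sql/contract_repo/versions/076_placeholder.py
 keystone/common/sql/contract_repo/versions/077_placeholder.py
 keystone/common/sql/contract_repo/versions/078_placeholder.py
-keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py
 keystone/common/sql/contract_repo/versions/__init__.py
 keystone/common/sql/data_migration_repo/README
 keystone/common/sql/data_migration_repo/__init__.py
@@ -789,7 +786,6 @@ keystone/common/sql/data_migration_repo/versions/075_placeholder.py
 keystone/common/sql/data_migration_repo/versions/076_placeholder.py
 keystone/common/sql/data_migration_repo/versions/077_placeholder.py
 keystone/common/sql/data_migration_repo/versions/078_placeholder.py
-keystone/common/sql/data_migration_repo/versions/079_migrate_update_local_id_limit.py
 keystone/common/sql/data_migration_repo/versions/__init__.py
 keystone/common/sql/expand_repo/README
 keystone/common/sql/expand_repo/__init__.py
@@ -873,7 +869,6 @@ keystone/common/sql/expand_repo/versions/075_placeholder.py
 keystone/common/sql/expand_repo/versions/076_placeholder.py
 keystone/common/sql/expand_repo/versions/077_placeholder.py
 keystone/common/sql/expand_repo/versions/078_placeholder.py
-keystone/common/sql/expand_repo/versions/079_expand_update_local_id_limit.py
 keystone/common/sql/expand_repo/versions/__init__.py
 keystone/common/sql/migrate_repo/README
 keystone/common/sql/migrate_repo/__init__.py
@@ -1235,6 +1230,8 @@ keystone/tests/unit/config_files/backend_multi_ldap_sql.conf
 keystone/tests/unit/config_files/backend_pool_liveldap.conf
 keystone/tests/unit/config_files/backend_sql.conf
 keystone/tests/unit/config_files/backend_tls_liveldap.conf
+keystone/tests/unit/config_files/deprecated.conf
+keystone/tests/unit/config_files/deprecated_override.conf
 keystone/tests/unit/config_files/test_auth_plugin.conf
 keystone/tests/unit/config_files/domain_configs_default_ldap_one_sql/keystone.domain1.conf
 keystone/tests/unit/config_files/domain_configs_multi_ldap/keystone.Default.conf
@@ -1281,7 +1278,6 @@ keystone/tests/unit/ksfixtures/key_repository.py
 keystone/tests/unit/ksfixtures/ldapdb.py
 keystone/tests/unit/ksfixtures/policy.py
 keystone/tests/unit/ksfixtures/temporaryfile.py
-keystone/tests/unit/ksfixtures/warnings.py
 keystone/tests/unit/limit/__init__.py
 keystone/tests/unit/limit/test_backends.py
 keystone/tests/unit/policy/__init__.py
@@ -1328,7 +1324,6 @@ keystone/trust/backends/__init__.py
 keystone/trust/backends/base.py
 keystone/trust/backends/sql.py
 keystone_tempest_plugin/README.rst
-playbooks/enable-fips.yaml
 rally-jobs/README.rst
 rally-jobs/keystone.yaml
 releasenotes/notes/.placeholder
@@ -1573,11 +1568,8 @@ releasenotes/notes/bug-1885753-51df25f3ff1d9ae8.yaml
 releasenotes/notes/bug-1886017-bc2ad648d57101a2.yaml
 releasenotes/notes/bug-1889936-78d6853b5212b8f1.yaml
 releasenotes/notes/bug-1896125-b17a4d12730fe493.yaml
-releasenotes/notes/bug-1897280-e7065c4368a325ad.yaml
 releasenotes/notes/bug-1901207-13762f85b8a04481.yaml
 releasenotes/notes/bug-1901654-69b9f35d11cd0c75.yaml
-releasenotes/notes/bug-1929066-6e741c9182620a37.yaml
-releasenotes/notes/bug-1941020-f694395a9bcea72f.yaml
 releasenotes/notes/bug1828565-0790c4c60ba34100.yaml
 releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml
 releasenotes/notes/bug_1543048_and_1668503-7ead4e15faaab778.yaml
@@ -1588,7 +1580,6 @@ releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml
 releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml
 releasenotes/notes/convert-keystone-to-flask-80d980e239b662b0.yaml
 releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml
-releasenotes/notes/deprecate-json-formatted-policy-file-95f6307f88358f58.yaml
 releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml
 releasenotes/notes/deprecate-policies-api-b104fbd1d2367b1b.yaml
 releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml
@@ -1678,15 +1669,10 @@ releasenotes/source/stein.rst
 releasenotes/source/train.rst
 releasenotes/source/unreleased.rst
 releasenotes/source/ussuri.rst
-releasenotes/source/victoria.rst
-releasenotes/source/wallaby.rst
-releasenotes/source/xena.rst
 releasenotes/source/_static/.placeholder
 releasenotes/source/_templates/.placeholder
 releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po
-releasenotes/source/locale/fr/LC_MESSAGES/releasenotes.po
 releasenotes/source/locale/ja/LC_MESSAGES/releasenotes.po
-releasenotes/source/locale/ko_KR/LC_MESSAGES/releasenotes.po
 tools/cover.sh
 tools/fast8.sh
 tools/sample_data.sh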
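--- a/keystone.egg-info/pbr.json
+++ /dev/null
@@ -1 +0,0 @@
-{"git_version": "2ddf8f321", "is_release": false}
\ No newline at end of file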
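--- a/keystone.egg-info/requires.txt
+++ b/keystone.egg-info/requires.txt
@@ -11,16 +11,16 @@ keystonemiddleware>=7.0.0
 msgpack>=0.5.0
 oauthlib>=0.6.2
 oslo.cache>=1.26.0
-oslo.config>=6.8.0
+oslo.config>=5.2.0
 oslo.context>=2.22.0
 oslo.db>=6.0.0
 oslo.i18n>=3.15.3
 oslo.log>=3.44.0
 oslo.messaging>=5.29.0
 oslo.middleware>=3.31.0
-oslo.policy>=3.7.0
+oslo.policy>=3.0.2
 oslo.serialization!=2.19.1,>=2.18.0
-oslo.upgradecheck>=1.3.0
+oslo.upgradecheck>=0.1.0
 oslo.utils>=3.33.0
 osprofiler>=1.4.0
 passlib>=1.7.0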
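--- a/keystone/api/s3tokens.py
+++ b/keystone/api/s3tokens.py
@@ -56,10 +56,7 @@ def _calculate_signature_v4(string_to_sign, secret_key):
 if len(parts) != 4 or parts[0] != b'AWS4-HMAC-SHA256':
 raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
 scope = parts[2].split(b'/')
- if len(scope) != 4 or scope[3] != b'aws4_request':
- raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
- allowed_services = [b's3', b'iam', b'sts']
- if scope[2] not in allowed_services:
+ if len(scope) != 4 or scope[2] != b's3' or scope[3] != b'aws4_request':
 raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
 
 def _sign(key, msg):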
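Review bot: The combined scope check now accepts only `s3` as the service element and carries no comment saying why, so a request whose credential scope names `iam` or `sts` (both accepted by the removed `allowed_services` list) is rejected with the generic 'Invalid EC2 signature.' error. If that narrowing is intended on this branch, I would put a comment above the check, for example `# Credential scope must be <date>/<region>/s3/aws4_request; any other service is rejected.`, and cover the rejected services in the s3tokens tests. `_calculate_signature_v4` starts before this hunk and continues after it, so how the date and region elements are handled cannot be judged from here.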
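--- a/keystone/cmd/status.py
+++ b/keystone/cmd/status.py
@@ -12,7 +12,6 @@
 
 from oslo_policy import _checks
 from oslo_policy import policy
-from oslo_upgradecheck import common_checks
 from oslo_upgradecheck import upgradecheck
 
 from keystone.common import driver_hints
@@ -87,8 +86,6 @@ class Checks(upgradecheck.UpgradeCommands):
 check_trust_policies_are_not_empty),
 ("Check default roles are immutable",
 check_default_roles_are_immutable),
- ("Policy File JSON to YAML Migration",
- (common_checks.check_policy_json, {'conf': CONF})),
 )
 
 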
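--- a/keystone/common/policies/application_credential.py
+++ b/keystone/common/policies/application_credential.py
@@ -18,30 +18,23 @@ from keystone.common.policies import base
 collection_path = '/v3/users/{user_id}/application_credentials'
 resource_path = collection_path + '/{application_credential_id}'
 
-DEPRECATED_REASON = (
- "The application credential API is now aware of system scope and default "
- "roles."
-)
-
 deprecated_list_application_credentials_for_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_application_credentials',
- check_str=base.RULE_ADMIN_OR_OWNER,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_OWNER
 )
 deprecated_get_application_credentials_for_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_application_credential',
- check_str=base.RULE_ADMIN_OR_OWNER,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_OWNER
 )
 deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_application_credential',
- check_str=base.RULE_ADMIN_OR_OWNER,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_OWNER
 )
 
+DEPRECATED_REASON = (
+ "The application credential API is now aware of system scope and default "
+ "roles."
+)
 
 application_credential_policies = [
 policy.DocumentedRuleDefault(
@@ -53,7 +46,9 @@ application_credential_policies = [
 'method': 'GET'},
 {'path': resource_path,
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_application_credentials_for_user),
+ deprecated_rule=deprecated_get_application_credentials_for_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_application_credentials',
 check_str=base.RULE_SYSTEM_READER_OR_OWNER,
@@ -63,7 +58,9 @@ application_credential_policies = [
 'method': 'GET'},
 {'path': collection_path,
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_application_credentials_for_user),
+ deprecated_rule=deprecated_list_application_credentials_for_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_application_credential',
 check_str=base.RULE_OWNER,
@@ -78,7 +75,9 @@ application_credential_policies = [
 description='Delete an application credential.',
 operations=[{'path': resource_path,
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_application_credentials_for_user)
+ deprecated_rule=deprecated_delete_application_credentials_for_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN)
 ]
 
 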
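Review bot: The three `policy.DeprecatedRule` objects at the top of this section keep the legacy `check_str=base.RULE_ADMIN_OR_OWNER` with nothing telling a reader what that means for enforcement. As far as I know, oslo.policy evaluates a deprecated rule's check string as an alternative to the new default until the operator overrides the rule or turns on `[oslo_policy] enforce_new_defaults` (where the installed release provides it), so a scope-aware default such as `base.RULE_SYSTEM_READER_OR_OWNER` is not the effective policy on its own. I would add a comment above the first rule, e.g. `# NOTE: the legacy check_str below is still accepted alongside the new default while the deprecation is active.` The same applies to the DeprecatedRule blocks in consumer.py, credential.py, domain.py, domain_config.py, ec2_credential.py and endpoint.py further down.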
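--- a/keystone/common/policies/consumer.py
+++ b/keystone/common/policies/consumer.py
@@ -15,41 +15,30 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The OAUTH1 consumer API is now aware of system scope and default roles."
-)
-
 deprecated_get_consumer = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_consumer',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_consumers = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_consumers',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_consumer = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_consumer',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_consumer = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_consumer',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_consumer = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_consumer',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The OAUTH1 consumer API is now aware of system scope and default roles."
+)
 
 consumer_policies = [
 policy.DocumentedRuleDefault(
@@ -59,7 +48,9 @@ consumer_policies = [
 description='Show OAUTH1 consumer details.',
 operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
 'method': 'GET'}],
- deprecated_rule=deprecated_get_consumer),
+ deprecated_rule=deprecated_get_consumer,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_consumers',
 check_str=base.SYSTEM_READER,
@@ -67,7 +58,9 @@ consumer_policies = [
 description='List OAUTH1 consumers.',
 operations=[{'path': '/v3/OS-OAUTH1/consumers',
 'method': 'GET'}],
- deprecated_rule=deprecated_list_consumers),
+ deprecated_rule=deprecated_list_consumers,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_consumer',
 check_str=base.SYSTEM_ADMIN,
@@ -75,7 +68,9 @@ consumer_policies = [
 description='Create OAUTH1 consumer.',
 operations=[{'path': '/v3/OS-OAUTH1/consumers',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_consumer),
+ deprecated_rule=deprecated_create_consumer,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_consumer',
 check_str=base.SYSTEM_ADMIN,
@@ -83,7 +78,9 @@ consumer_policies = [
 description='Update OAUTH1 consumer.',
 operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_consumer),
+ deprecated_rule=deprecated_update_consumer,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_consumer',
 check_str=base.SYSTEM_ADMIN,
@@ -91,7 +88,9 @@ consumer_policies = [
 description='Delete OAUTH1 consumer.',
 operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_consumer),
+ deprecated_rule=deprecated_delete_consumer,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 ]
 
 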
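--- a/keystone/common/policies/credential.py
+++ b/keystone/common/policies/credential.py
@@ -21,33 +21,23 @@ DEPRECATED_REASON = (
 
 deprecated_get_credential = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_credential',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_credentials = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_credentials',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_credential = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_credential',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_credential = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_credential',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_credential = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_credential',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
 
@@ -60,6 +50,8 @@ credential_policies = [
 operations=[{'path': '/v3/credentials/{credential_id}',
 'method': 'GET'}],
 deprecated_rule=deprecated_get_credential,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_credentials',
@@ -69,6 +61,8 @@ credential_policies = [
 operations=[{'path': '/v3/credentials',
 'method': 'GET'}],
 deprecated_rule=deprecated_list_credentials,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_credential',
@@ -78,6 +72,8 @@ credential_policies = [
 operations=[{'path': '/v3/credentials',
 'method': 'POST'}],
 deprecated_rule=deprecated_create_credential,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_credential',
@@ -87,6 +83,8 @@ credential_policies = [
 operations=[{'path': '/v3/credentials/{credential_id}',
 'method': 'PATCH'}],
 deprecated_rule=deprecated_update_credential,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_credential',
@@ -96,6 +94,8 @@ credential_policies = [
 operations=[{'path': '/v3/credentials/{credential_id}',
 'method': 'DELETE'}],
 deprecated_rule=deprecated_delete_credential,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 )
 ]
 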
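--- a/keystone/common/policies/domain.py
+++ b/keystone/common/policies/domain.py
@@ -21,33 +21,23 @@ DEPRECATED_REASON = (
 
 deprecated_list_domains = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_domains',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_get_domain = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_domain',
- check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN
 )
 deprecated_update_domain = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_domain',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_domain = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_domain',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_domain = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_domain',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER = (
 '(role:reader and system_scope:all) or '
@@ -66,7 +56,9 @@ domain_policies = [
 description='Show domain details.',
 operations=[{'path': '/v3/domains/{domain_id}',
 'method': 'GET'}],
- deprecated_rule=deprecated_get_domain),
+ deprecated_rule=deprecated_get_domain,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_domains',
 check_str=base.SYSTEM_READER,
@@ -74,7 +66,9 @@ domain_policies = [
 description='List domains.',
 operations=[{'path': '/v3/domains',
 'method': 'GET'}],
- deprecated_rule=deprecated_list_domains),
+ deprecated_rule=deprecated_list_domains,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_domain',
 check_str=base.SYSTEM_ADMIN,
@@ -82,7 +76,9 @@ domain_policies = [
 description='Create domain.',
 operations=[{'path': '/v3/domains',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_domain),
+ deprecated_rule=deprecated_create_domain,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_domain',
 check_str=base.SYSTEM_ADMIN,
@@ -90,7 +86,9 @@ domain_policies = [
 description='Update domain.',
 operations=[{'path': '/v3/domains/{domain_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_domain),
+ deprecated_rule=deprecated_update_domain,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_domain',
 check_str=base.SYSTEM_ADMIN,
@@ -98,7 +96,9 @@ domain_policies = [
 description='Delete domain.',
 operations=[{'path': '/v3/domains/{domain_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_domain),
+ deprecated_rule=deprecated_delete_domain,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 ]
 
 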
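--- a/keystone/common/policies/domain_config.py
+++ b/keystone/common/policies/domain_config.py
@@ -15,46 +15,36 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The domain config API is now aware of system scope and default roles."
-)
-
 deprecated_get_domain_config = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_domain_config',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_get_domain_config_default = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_domain_config_default',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_domain_config = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_domain_config',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_update_domain_config = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_domain_config',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_domain_config = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_domain_config',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 
+DEPRECATED_REASON = (
+ "The domain config API is now aware of system scope and default roles."
+)
+
 domain_config_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_domain_config',
@@ -75,7 +65,9 @@ domain_config_policies = [
 'method': 'PUT'
 }
 ],
- deprecated_rule=deprecated_create_domain_config
+ deprecated_rule=deprecated_create_domain_config,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_domain_config',
@@ -111,6 +103,8 @@ domain_config_policies = [
 }
 ],
 deprecated_rule=deprecated_get_domain_config,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_security_compliance_domain_config',
@@ -130,12 +124,12 @@ domain_config_policies = [
 'method': 'HEAD'
 },
 {
- 'path': ('/v3/domains/{domain_id}/config/'
+ 'path': ('v3/domains/{domain_id}/config/'
 'security_compliance/{option}'),
 'method': 'GET'
 },
 {
- 'path': ('/v3/domains/{domain_id}/config/'
+ 'path': ('v3/domains/{domain_id}/config/'
 'security_compliance/{option}'),
 'method': 'HEAD'
 }
@@ -162,6 +156,8 @@ domain_config_policies = [
 }
 ],
 deprecated_rule=deprecated_update_domain_config,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_domain_config',
@@ -184,6 +180,8 @@ domain_config_policies = [
 }
 ],
 deprecated_rule=deprecated_delete_domain_config,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_domain_config_default',
@@ -218,6 +216,8 @@ domain_config_policies = [
 }
 ],
 deprecated_rule=deprecated_get_domain_config_default,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 ]
 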
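Review bot: In the `get_security_compliance_domain_config` entry, the two `security_compliance/{option}` operations (GET and HEAD) now give the path as `'v3/domains/{domain_id}/config/'` with no leading slash, while every other path visible in these policy modules starts with `/v3/`. The `operations` list looks like descriptive metadata rather than something enforcement reads, so the likely effect is a wrong path in generated policy documentation and samples, but that is where operators look up which API a rule protects. Both entries should read `'path': ('/v3/domains/{domain_id}/config/'`. The policy entry itself starts before this hunk.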
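--- a/keystone/common/policies/ec2_credential.py
+++ b/keystone/common/policies/ec2_credential.py
@@ -15,35 +15,26 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The EC2 credential API is now aware of system scope and default roles."
-)
-
 deprecated_ec2_get_credential = policy.DeprecatedRule(
 name=base.IDENTITY % 'ec2_get_credential',
- check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
 )
 deprecated_ec2_list_credentials = policy.DeprecatedRule(
 name=base.IDENTITY % 'ec2_list_credentials',
- check_str=base.RULE_ADMIN_OR_OWNER,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_OWNER
 )
 deprecated_ec2_create_credential = policy.DeprecatedRule(
 name=base.IDENTITY % 'ec2_create_credential',
- check_str=base.RULE_ADMIN_OR_OWNER,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_OWNER
 )
 deprecated_ec2_delete_credential = policy.DeprecatedRule(
 name=base.IDENTITY % 'ec2_delete_credential',
- check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
 )
 
+DEPRECATED_REASON = (
+ "The EC2 credential API is now aware of system scope and default roles."
+)
 
 ec2_credential_policies = [
 policy.DocumentedRuleDefault(
@@ -54,7 +45,9 @@ ec2_credential_policies = [
 operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
 '{credential_id}'),
 'method': 'GET'}],
- deprecated_rule=deprecated_ec2_get_credential
+ deprecated_rule=deprecated_ec2_get_credential,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'ec2_list_credentials',
@@ -64,6 +57,8 @@ ec2_credential_policies = [
 operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
 'method': 'GET'}],
 deprecated_rule=deprecated_ec2_list_credentials,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'ec2_create_credential',
@@ -73,6 +68,8 @@ ec2_credential_policies = [
 operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
 'method': 'POST'}],
 deprecated_rule=deprecated_ec2_create_credential,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'ec2_delete_credential',
@@ -83,6 +80,8 @@ ec2_credential_policies = [
 '{credential_id}'),
 'method': 'DELETE'}],
 deprecated_rule=deprecated_ec2_delete_credential,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN
 )
 ]
 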
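--- a/keystone/common/policies/endpoint.py
+++ b/keystone/common/policies/endpoint.py
@@ -15,34 +15,24 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The endpoint API is now aware of system scope and default roles."
-)
-
 deprecated_get_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_endpoints = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_update_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_delete_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+)
+
+DEPRECATED_REASON = (
+ "The endpoint API is now aware of system scope and default roles."
 )
 
 
@@ -54,7 +44,9 @@ endpoint_policies = [
 description='Show endpoint details.',
 operations=[{'path': '/v3/endpoints/{endpoint_id}',
 'method': 'GET'}],
- deprecated_rule=deprecated_get_endpoint),
+ deprecated_rule=deprecated_get_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_endpoints',
 check_str=base.SYSTEM_READER,
@@ -62,7 +54,9 @@ endpoint_policies = [
 description='List endpoints.',
 operations=[{'path': '/v3/endpoints',
 'method': 'GET'}],
- deprecated_rule=deprecated_list_endpoints),
+ deprecated_rule=deprecated_list_endpoints,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_endpoint',
 check_str=base.SYSTEM_ADMIN,
@@ -70,7 +64,9 @@ endpoint_policies = [
 description='Create endpoint.',
 operations=[{'path': '/v3/endpoints',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_endpoint),
+ deprecated_rule=deprecated_create_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_endpoint',
 check_str=base.SYSTEM_ADMIN,
@@ -78,7 +74,9 @@ endpoint_policies = [
 description='Update endpoint.',
 operations=[{'path': '/v3/endpoints/{endpoint_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_endpoint),
+ deprecated_rule=deprecated_update_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_endpoint',
 check_str=base.SYSTEM_ADMIN,
@@ -86,7 +84,9 @@ endpoint_policies = [
 description='Delete endpoint.',
 operations=[{'path': '/v3/endpoints/{endpoint_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_endpoint)
+ deprecated_rule=deprecated_delete_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN)
 ]
 
 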
1961 | diff --git a/keystone/common/policies/endpoint_group.py b/keystone/common/policies/endpoint_group.py |
1962 | index 741e0b7..691a6fe 100644 |
1963 | --- a/keystone/common/policies/endpoint_group.py |
1964 | +++ b/keystone/common/policies/endpoint_group.py |
1965 | @@ -15,85 +15,64 @@ from oslo_policy import policy |
1966 | |
1967 | from keystone.common.policies import base |
1968 | |
1969 | -DEPRECATED_REASON = ( |
1970 | - "The endpoint groups API is now aware of system scope and default roles." |
1971 | -) |
1972 | - |
1973 | deprecated_list_endpoint_groups = policy.DeprecatedRule( |
1974 | name=base.IDENTITY % 'list_endpoint_groups', |
1975 | check_str=base.RULE_ADMIN_REQUIRED, |
1976 | - deprecated_reason=DEPRECATED_REASON, |
1977 | - deprecated_since=versionutils.deprecated.TRAIN |
1978 | ) |
1979 | |
1980 | deprecated_get_endpoint_group = policy.DeprecatedRule( |
1981 | name=base.IDENTITY % 'get_endpoint_group', |
1982 | check_str=base.RULE_ADMIN_REQUIRED, |
1983 | - deprecated_reason=DEPRECATED_REASON, |
1984 | - deprecated_since=versionutils.deprecated.TRAIN |
1985 | ) |
1986 | |
1987 | deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule( |
1988 | name=base.IDENTITY % 'list_projects_associated_with_endpoint_group', |
1989 | check_str=base.RULE_ADMIN_REQUIRED, |
1990 | - deprecated_reason=DEPRECATED_REASON, |
1991 | - deprecated_since=versionutils.deprecated.TRAIN |
1992 | ) |
1993 | |
1994 | deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule( |
1995 | name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group', |
1996 | check_str=base.RULE_ADMIN_REQUIRED, |
1997 | - deprecated_reason=DEPRECATED_REASON, |
1998 | - deprecated_since=versionutils.deprecated.TRAIN |
1999 | ) |
2000 | |
2001 | deprecated_get_endpoint_group_in_project = policy.DeprecatedRule( |
2002 | name=base.IDENTITY % 'get_endpoint_group_in_project', |
2003 | check_str=base.RULE_ADMIN_REQUIRED, |
2004 | - deprecated_reason=DEPRECATED_REASON, |
2005 | - deprecated_since=versionutils.deprecated.TRAIN |
2006 | ) |
2007 | |
2008 | deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule( |
2009 | name=base.IDENTITY % 'list_endpoint_groups_for_project', |
2010 | check_str=base.RULE_ADMIN_REQUIRED, |
2011 | - deprecated_reason=DEPRECATED_REASON, |
2012 | - deprecated_since=versionutils.deprecated.TRAIN |
2013 | ) |
2014 | |
2015 | deprecated_create_endpoint_group = policy.DeprecatedRule( |
2016 | name=base.IDENTITY % 'create_endpoint_group', |
2017 | check_str=base.RULE_ADMIN_REQUIRED, |
2018 | - deprecated_reason=DEPRECATED_REASON, |
2019 | - deprecated_since=versionutils.deprecated.TRAIN |
2020 | ) |
2021 | |
2022 | deprecated_update_endpoint_group = policy.DeprecatedRule( |
2023 | name=base.IDENTITY % 'update_endpoint_group', |
2024 | check_str=base.RULE_ADMIN_REQUIRED, |
2025 | - deprecated_reason=DEPRECATED_REASON, |
2026 | - deprecated_since=versionutils.deprecated.TRAIN |
2027 | ) |
2028 | |
2029 | deprecated_delete_endpoint_group = policy.DeprecatedRule( |
2030 | name=base.IDENTITY % 'delete_endpoint_group', |
2031 | check_str=base.RULE_ADMIN_REQUIRED, |
2032 | - deprecated_reason=DEPRECATED_REASON, |
2033 | - deprecated_since=versionutils.deprecated.TRAIN |
2034 | ) |
2035 | |
2036 | deprecated_add_endpoint_group_to_project = policy.DeprecatedRule( |
2037 | name=base.IDENTITY % 'add_endpoint_group_to_project', |
2038 | check_str=base.RULE_ADMIN_REQUIRED, |
2039 | - deprecated_reason=DEPRECATED_REASON, |
2040 | - deprecated_since=versionutils.deprecated.TRAIN |
2041 | ) |
2042 | |
2043 | deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule( |
2044 | name=base.IDENTITY % 'remove_endpoint_group_from_project', |
2045 | check_str=base.RULE_ADMIN_REQUIRED, |
2046 | - deprecated_reason=DEPRECATED_REASON, |
2047 | - deprecated_since=versionutils.deprecated.TRAIN |
2048 | +) |
2049 | + |
2050 | + |
2051 | +DEPRECATED_REASON = ( |
2052 | + "The endpoint groups API is now aware of system scope and default roles." |
2053 | ) |
2054 | |
2055 | |
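Review bot: Nothing near `DEPRECATED_REASON` tells an operator that the old `base.RULE_ADMIN_REQUIRED` check on these `DeprecatedRule` objects stays effective. For a rule left at its default, oslo.policy accepts the deprecated check string as an alternative to the new one (`base.SYSTEM_READER` / `base.SYSTEM_ADMIN` in the hunks below), so a token that satisfies only the old rule is still authorized. I would add a comment above the constant such as `# The deprecated check_str is still accepted alongside the new default until the deployment sets [oslo_policy] enforce_new_defaults.`, assuming the packaged oslo.policy has that option. The same applies to the deprecated rules in grant.py, group.py (including `base.RULE_ADMIN_OR_OWNER` on `list_groups_for_user`) and identity_provider.py.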
2056 | @@ -105,7 +84,9 @@ group_endpoint_policies = [ |
2057 | description='Create endpoint group.', |
2058 | operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups', |
2059 | 'method': 'POST'}], |
2060 | - deprecated_rule=deprecated_create_endpoint_group), |
2061 | + deprecated_rule=deprecated_create_endpoint_group, |
2062 | + deprecated_reason=DEPRECATED_REASON, |
2063 | + deprecated_since=versionutils.deprecated.TRAIN), |
2064 | policy.DocumentedRuleDefault( |
2065 | name=base.IDENTITY % 'list_endpoint_groups', |
2066 | check_str=base.SYSTEM_READER, |
2067 | @@ -113,7 +94,9 @@ group_endpoint_policies = [ |
2068 | description='List endpoint groups.', |
2069 | operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups', |
2070 | 'method': 'GET'}], |
2071 | - deprecated_rule=deprecated_list_endpoint_groups), |
2072 | + deprecated_rule=deprecated_list_endpoint_groups, |
2073 | + deprecated_reason=DEPRECATED_REASON, |
2074 | + deprecated_since=versionutils.deprecated.TRAIN), |
2075 | policy.DocumentedRuleDefault( |
2076 | name=base.IDENTITY % 'get_endpoint_group', |
2077 | check_str=base.SYSTEM_READER, |
2078 | @@ -125,7 +108,9 @@ group_endpoint_policies = [ |
2079 | {'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2080 | '{endpoint_group_id}'), |
2081 | 'method': 'HEAD'}], |
2082 | - deprecated_rule=deprecated_get_endpoint_group), |
2083 | + deprecated_rule=deprecated_get_endpoint_group, |
2084 | + deprecated_reason=DEPRECATED_REASON, |
2085 | + deprecated_since=versionutils.deprecated.TRAIN), |
2086 | policy.DocumentedRuleDefault( |
2087 | name=base.IDENTITY % 'update_endpoint_group', |
2088 | check_str=base.SYSTEM_ADMIN, |
2089 | @@ -134,7 +119,9 @@ group_endpoint_policies = [ |
2090 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2091 | '{endpoint_group_id}'), |
2092 | 'method': 'PATCH'}], |
2093 | - deprecated_rule=deprecated_update_endpoint_group), |
2094 | + deprecated_rule=deprecated_update_endpoint_group, |
2095 | + deprecated_reason=DEPRECATED_REASON, |
2096 | + deprecated_since=versionutils.deprecated.TRAIN), |
2097 | policy.DocumentedRuleDefault( |
2098 | name=base.IDENTITY % 'delete_endpoint_group', |
2099 | check_str=base.SYSTEM_ADMIN, |
2100 | @@ -143,7 +130,9 @@ group_endpoint_policies = [ |
2101 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2102 | '{endpoint_group_id}'), |
2103 | 'method': 'DELETE'}], |
2104 | - deprecated_rule=deprecated_delete_endpoint_group), |
2105 | + deprecated_rule=deprecated_delete_endpoint_group, |
2106 | + deprecated_reason=DEPRECATED_REASON, |
2107 | + deprecated_since=versionutils.deprecated.TRAIN), |
2108 | policy.DocumentedRuleDefault( |
2109 | name=base.IDENTITY % 'list_projects_associated_with_endpoint_group', |
2110 | check_str=base.SYSTEM_READER, |
2111 | @@ -153,7 +142,9 @@ group_endpoint_policies = [ |
2112 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2113 | '{endpoint_group_id}/projects'), |
2114 | 'method': 'GET'}], |
2115 | - deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group), |
2116 | + deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group, |
2117 | + deprecated_reason=DEPRECATED_REASON, |
2118 | + deprecated_since=versionutils.deprecated.TRAIN), |
2119 | policy.DocumentedRuleDefault( |
2120 | name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group', |
2121 | check_str=base.SYSTEM_READER, |
2122 | @@ -162,7 +153,9 @@ group_endpoint_policies = [ |
2123 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2124 | '{endpoint_group_id}/endpoints'), |
2125 | 'method': 'GET'}], |
2126 | - deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group), |
2127 | + deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group, |
2128 | + deprecated_reason=DEPRECATED_REASON, |
2129 | + deprecated_since=versionutils.deprecated.TRAIN), |
2130 | policy.DocumentedRuleDefault( |
2131 | name=base.IDENTITY % 'get_endpoint_group_in_project', |
2132 | check_str=base.SYSTEM_READER, |
2133 | @@ -175,7 +168,9 @@ group_endpoint_policies = [ |
2134 | {'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2135 | '{endpoint_group_id}/projects/{project_id}'), |
2136 | 'method': 'HEAD'}], |
2137 | - deprecated_rule=deprecated_get_endpoint_group_in_project), |
2138 | + deprecated_rule=deprecated_get_endpoint_group_in_project, |
2139 | + deprecated_reason=DEPRECATED_REASON, |
2140 | + deprecated_since=versionutils.deprecated.TRAIN), |
2141 | policy.DocumentedRuleDefault( |
2142 | name=base.IDENTITY % 'list_endpoint_groups_for_project', |
2143 | check_str=base.SYSTEM_READER, |
2144 | @@ -184,7 +179,9 @@ group_endpoint_policies = [ |
2145 | operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' |
2146 | 'endpoint_groups'), |
2147 | 'method': 'GET'}], |
2148 | - deprecated_rule=deprecated_list_endpoint_groups_for_project), |
2149 | + deprecated_rule=deprecated_list_endpoint_groups_for_project, |
2150 | + deprecated_reason=DEPRECATED_REASON, |
2151 | + deprecated_since=versionutils.deprecated.TRAIN), |
2152 | policy.DocumentedRuleDefault( |
2153 | name=base.IDENTITY % 'add_endpoint_group_to_project', |
2154 | check_str=base.SYSTEM_ADMIN, |
2155 | @@ -193,7 +190,9 @@ group_endpoint_policies = [ |
2156 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2157 | '{endpoint_group_id}/projects/{project_id}'), |
2158 | 'method': 'PUT'}], |
2159 | - deprecated_rule=deprecated_add_endpoint_group_to_project), |
2160 | + deprecated_rule=deprecated_add_endpoint_group_to_project, |
2161 | + deprecated_reason=DEPRECATED_REASON, |
2162 | + deprecated_since=versionutils.deprecated.TRAIN), |
2163 | policy.DocumentedRuleDefault( |
2164 | name=base.IDENTITY % 'remove_endpoint_group_from_project', |
2165 | check_str=base.SYSTEM_ADMIN, |
2166 | @@ -202,7 +201,9 @@ group_endpoint_policies = [ |
2167 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2168 | '{endpoint_group_id}/projects/{project_id}'), |
2169 | 'method': 'DELETE'}], |
2170 | - deprecated_rule=deprecated_remove_endpoint_group_from_project) |
2171 | + deprecated_rule=deprecated_remove_endpoint_group_from_project, |
2172 | + deprecated_reason=DEPRECATED_REASON, |
2173 | + deprecated_since=versionutils.deprecated.TRAIN) |
2174 | ] |
2175 | |
2176 | |
2177 | diff --git a/keystone/common/policies/grant.py b/keystone/common/policies/grant.py |
2178 | index 0e1b928..09ef1c9 100644 |
2179 | --- a/keystone/common/policies/grant.py |
2180 | +++ b/keystone/common/policies/grant.py |
2181 | @@ -66,79 +66,54 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = ( |
2182 | '(' + DOMAIN_MATCHES_ROLE + ')' |
2183 | ) |
2184 | |
2185 | -DEPRECATED_REASON = ( |
2186 | - "The assignment API is now aware of system scope and default roles." |
2187 | -) |
2188 | - |
2189 | deprecated_check_system_grant_for_user = policy.DeprecatedRule( |
2190 | name=base.IDENTITY % 'check_system_grant_for_user', |
2191 | - check_str=base.RULE_ADMIN_REQUIRED, |
2192 | - deprecated_reason=DEPRECATED_REASON, |
2193 | - deprecated_since=versionutils.deprecated.STEIN |
2194 | + check_str=base.RULE_ADMIN_REQUIRED |
2195 | ) |
2196 | deprecated_list_system_grants_for_user = policy.DeprecatedRule( |
2197 | name=base.IDENTITY % 'list_system_grants_for_user', |
2198 | - check_str=base.RULE_ADMIN_REQUIRED, |
2199 | - deprecated_reason=DEPRECATED_REASON, |
2200 | - deprecated_since=versionutils.deprecated.STEIN |
2201 | + check_str=base.RULE_ADMIN_REQUIRED |
2202 | ) |
2203 | deprecated_create_system_grant_for_user = policy.DeprecatedRule( |
2204 | name=base.IDENTITY % 'create_system_grant_for_user', |
2205 | - check_str=base.RULE_ADMIN_REQUIRED, |
2206 | - deprecated_reason=DEPRECATED_REASON, |
2207 | - deprecated_since=versionutils.deprecated.STEIN |
2208 | + check_str=base.RULE_ADMIN_REQUIRED |
2209 | ) |
2210 | deprecated_revoke_system_grant_for_user = policy.DeprecatedRule( |
2211 | name=base.IDENTITY % 'revoke_system_grant_for_user', |
2212 | - check_str=base.RULE_ADMIN_REQUIRED, |
2213 | - deprecated_reason=DEPRECATED_REASON, |
2214 | - deprecated_since=versionutils.deprecated.STEIN |
2215 | + check_str=base.RULE_ADMIN_REQUIRED |
2216 | ) |
2217 | deprecated_check_system_grant_for_group = policy.DeprecatedRule( |
2218 | name=base.IDENTITY % 'check_system_grant_for_group', |
2219 | - check_str=base.RULE_ADMIN_REQUIRED, |
2220 | - deprecated_reason=DEPRECATED_REASON, |
2221 | - deprecated_since=versionutils.deprecated.STEIN |
2222 | + check_str=base.RULE_ADMIN_REQUIRED |
2223 | ) |
2224 | deprecated_list_system_grants_for_group = policy.DeprecatedRule( |
2225 | name=base.IDENTITY % 'list_system_grants_for_group', |
2226 | - check_str=base.RULE_ADMIN_REQUIRED, |
2227 | - deprecated_reason=DEPRECATED_REASON, |
2228 | - deprecated_since=versionutils.deprecated.STEIN |
2229 | + check_str=base.RULE_ADMIN_REQUIRED |
2230 | ) |
2231 | deprecated_create_system_grant_for_group = policy.DeprecatedRule( |
2232 | name=base.IDENTITY % 'create_system_grant_for_group', |
2233 | - check_str=base.RULE_ADMIN_REQUIRED, |
2234 | - deprecated_reason=DEPRECATED_REASON, |
2235 | - deprecated_since=versionutils.deprecated.STEIN |
2236 | + check_str=base.RULE_ADMIN_REQUIRED |
2237 | ) |
2238 | deprecated_revoke_system_grant_for_group = policy.DeprecatedRule( |
2239 | name=base.IDENTITY % 'revoke_system_grant_for_group', |
2240 | - check_str=base.RULE_ADMIN_REQUIRED, |
2241 | - deprecated_reason=DEPRECATED_REASON, |
2242 | - deprecated_since=versionutils.deprecated.STEIN |
2243 | + check_str=base.RULE_ADMIN_REQUIRED |
2244 | ) |
2245 | deprecated_list_grants = policy.DeprecatedRule( |
2246 | - name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED, |
2247 | - deprecated_reason=DEPRECATED_REASON, |
2248 | - deprecated_since=versionutils.deprecated.STEIN |
2249 | + name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED |
2250 | ) |
2251 | deprecated_check_grant = policy.DeprecatedRule( |
2252 | - name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED, |
2253 | - deprecated_reason=DEPRECATED_REASON, |
2254 | - deprecated_since=versionutils.deprecated.STEIN |
2255 | + name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED |
2256 | ) |
2257 | deprecated_create_grant = policy.DeprecatedRule( |
2258 | - name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED, |
2259 | - deprecated_reason=DEPRECATED_REASON, |
2260 | - deprecated_since=versionutils.deprecated.STEIN |
2261 | + name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED |
2262 | ) |
2263 | deprecated_revoke_grant = policy.DeprecatedRule( |
2264 | - name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED, |
2265 | - deprecated_reason=DEPRECATED_REASON, |
2266 | - deprecated_since=versionutils.deprecated.STEIN |
2267 | + name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED |
2268 | ) |
2269 | |
2270 | +DEPRECATED_REASON = ( |
2271 | + "The assignment API is now aware of system scope and default roles." |
2272 | +) |
2273 | |
2274 | resource_paths = [ |
2275 | '/projects/{project_id}/users/{user_id}/roles/{role_id}', |
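Review bot: `DEPRECATED_REASON` now sits after the last `policy.DeprecatedRule(...)` and directly before `resource_paths`, while group.py keeps the same constant above its deprecated rules (its hunk header shows `DEPRECATED_REASON = (` ahead of `deprecated_get_group`). Keeping the definition above `deprecated_check_system_grant_for_user = policy.DeprecatedRule(`, where the old side had it, would leave the deprecation text next to the rules it explains and keep the modules consistent. endpoint_group.py and identity_provider.py move the constant the same way.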
2276 | @@ -192,7 +167,9 @@ grant_policies = [ |
2277 | 'are inherited to all projects in the subtree, if ' |
2278 | 'applicable.'), |
2279 | operations=list_operations(resource_paths, ['HEAD', 'GET']), |
2280 | - deprecated_rule=deprecated_check_grant), |
2281 | + deprecated_rule=deprecated_check_grant, |
2282 | + deprecated_reason=DEPRECATED_REASON, |
2283 | + deprecated_since=versionutils.deprecated.STEIN), |
2284 | policy.DocumentedRuleDefault( |
2285 | name=base.IDENTITY % 'list_grants', |
2286 | check_str=SYSTEM_READER_OR_DOMAIN_READER_LIST, |
2287 | @@ -204,7 +181,9 @@ grant_policies = [ |
2288 | 'domains, where grants are inherited to all projects ' |
2289 | 'in the specified domain.'), |
2290 | operations=list_grants_operations, |
2291 | - deprecated_rule=deprecated_list_grants), |
2292 | + deprecated_rule=deprecated_list_grants, |
2293 | + deprecated_reason=DEPRECATED_REASON, |
2294 | + deprecated_since=versionutils.deprecated.STEIN), |
2295 | policy.DocumentedRuleDefault( |
2296 | name=base.IDENTITY % 'create_grant', |
2297 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
2298 | @@ -216,7 +195,9 @@ grant_policies = [ |
2299 | 'are inherited to all projects in the subtree, if ' |
2300 | 'applicable.'), |
2301 | operations=list_operations(resource_paths, ['PUT']), |
2302 | - deprecated_rule=deprecated_create_grant), |
2303 | + deprecated_rule=deprecated_create_grant, |
2304 | + deprecated_reason=DEPRECATED_REASON, |
2305 | + deprecated_since=versionutils.deprecated.STEIN), |
2306 | policy.DocumentedRuleDefault( |
2307 | name=base.IDENTITY % 'revoke_grant', |
2308 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
2309 | @@ -230,7 +211,9 @@ grant_policies = [ |
2310 | 'the target would remove the logical effect of ' |
2311 | 'inheriting it to the target\'s projects subtree.'), |
2312 | operations=list_operations(resource_paths, ['DELETE']), |
2313 | - deprecated_rule=deprecated_revoke_grant), |
2314 | + deprecated_rule=deprecated_revoke_grant, |
2315 | + deprecated_reason=DEPRECATED_REASON, |
2316 | + deprecated_since=versionutils.deprecated.STEIN), |
2317 | policy.DocumentedRuleDefault( |
2318 | name=base.IDENTITY % 'list_system_grants_for_user', |
2319 | check_str=base.SYSTEM_READER, |
2320 | @@ -243,6 +226,8 @@ grant_policies = [ |
2321 | } |
2322 | ], |
2323 | deprecated_rule=deprecated_list_system_grants_for_user, |
2324 | + deprecated_reason=DEPRECATED_REASON, |
2325 | + deprecated_since=versionutils.deprecated.STEIN |
2326 | ), |
2327 | policy.DocumentedRuleDefault( |
2328 | name=base.IDENTITY % 'check_system_grant_for_user', |
2329 | @@ -256,6 +241,8 @@ grant_policies = [ |
2330 | } |
2331 | ], |
2332 | deprecated_rule=deprecated_check_system_grant_for_user, |
2333 | + deprecated_reason=DEPRECATED_REASON, |
2334 | + deprecated_since=versionutils.deprecated.STEIN |
2335 | ), |
2336 | policy.DocumentedRuleDefault( |
2337 | name=base.IDENTITY % 'create_system_grant_for_user', |
2338 | @@ -269,6 +256,8 @@ grant_policies = [ |
2339 | } |
2340 | ], |
2341 | deprecated_rule=deprecated_create_system_grant_for_user, |
2342 | + deprecated_reason=DEPRECATED_REASON, |
2343 | + deprecated_since=versionutils.deprecated.STEIN |
2344 | ), |
2345 | policy.DocumentedRuleDefault( |
2346 | name=base.IDENTITY % 'revoke_system_grant_for_user', |
2347 | @@ -282,6 +271,8 @@ grant_policies = [ |
2348 | } |
2349 | ], |
2350 | deprecated_rule=deprecated_revoke_system_grant_for_user, |
2351 | + deprecated_reason=DEPRECATED_REASON, |
2352 | + deprecated_since=versionutils.deprecated.STEIN |
2353 | ), |
2354 | policy.DocumentedRuleDefault( |
2355 | name=base.IDENTITY % 'list_system_grants_for_group', |
2356 | @@ -295,6 +286,8 @@ grant_policies = [ |
2357 | } |
2358 | ], |
2359 | deprecated_rule=deprecated_list_system_grants_for_group, |
2360 | + deprecated_reason=DEPRECATED_REASON, |
2361 | + deprecated_since=versionutils.deprecated.STEIN |
2362 | ), |
2363 | policy.DocumentedRuleDefault( |
2364 | name=base.IDENTITY % 'check_system_grant_for_group', |
2365 | @@ -308,6 +301,8 @@ grant_policies = [ |
2366 | } |
2367 | ], |
2368 | deprecated_rule=deprecated_check_system_grant_for_group, |
2369 | + deprecated_reason=DEPRECATED_REASON, |
2370 | + deprecated_since=versionutils.deprecated.STEIN |
2371 | ), |
2372 | policy.DocumentedRuleDefault( |
2373 | name=base.IDENTITY % 'create_system_grant_for_group', |
2374 | @@ -321,6 +316,8 @@ grant_policies = [ |
2375 | } |
2376 | ], |
2377 | deprecated_rule=deprecated_create_system_grant_for_group, |
2378 | + deprecated_reason=DEPRECATED_REASON, |
2379 | + deprecated_since=versionutils.deprecated.STEIN |
2380 | ), |
2381 | policy.DocumentedRuleDefault( |
2382 | name=base.IDENTITY % 'revoke_system_grant_for_group', |
2383 | @@ -334,6 +331,8 @@ grant_policies = [ |
2384 | } |
2385 | ], |
2386 | deprecated_rule=deprecated_revoke_system_grant_for_group, |
2387 | + deprecated_reason=DEPRECATED_REASON, |
2388 | + deprecated_since=versionutils.deprecated.STEIN |
2389 | ) |
2390 | ] |
2391 | |
2392 | diff --git a/keystone/common/policies/group.py b/keystone/common/policies/group.py |
2393 | index 0106bad..d33da92 100644 |
2394 | --- a/keystone/common/policies/group.py |
2395 | +++ b/keystone/common/policies/group.py |
2396 | @@ -51,63 +51,43 @@ DEPRECATED_REASON = ( |
2397 | |
2398 | deprecated_get_group = policy.DeprecatedRule( |
2399 | name=base.IDENTITY % 'get_group', |
2400 | - check_str=base.RULE_ADMIN_REQUIRED, |
2401 | - deprecated_reason=DEPRECATED_REASON, |
2402 | - deprecated_since=versionutils.deprecated.STEIN |
2403 | + check_str=base.RULE_ADMIN_REQUIRED |
2404 | ) |
2405 | deprecated_list_groups = policy.DeprecatedRule( |
2406 | name=base.IDENTITY % 'list_groups', |
2407 | - check_str=base.RULE_ADMIN_REQUIRED, |
2408 | - deprecated_reason=DEPRECATED_REASON, |
2409 | - deprecated_since=versionutils.deprecated.STEIN |
2410 | + check_str=base.RULE_ADMIN_REQUIRED |
2411 | ) |
2412 | deprecated_list_groups_for_user = policy.DeprecatedRule( |
2413 | name=base.IDENTITY % 'list_groups_for_user', |
2414 | - check_str=base.RULE_ADMIN_OR_OWNER, |
2415 | - deprecated_reason=DEPRECATED_REASON, |
2416 | - deprecated_since=versionutils.deprecated.STEIN |
2417 | + check_str=base.RULE_ADMIN_OR_OWNER |
2418 | ) |
2419 | deprecated_list_users_in_group = policy.DeprecatedRule( |
2420 | name=base.IDENTITY % 'list_users_in_group', |
2421 | - check_str=base.RULE_ADMIN_REQUIRED, |
2422 | - deprecated_reason=DEPRECATED_REASON, |
2423 | - deprecated_since=versionutils.deprecated.STEIN |
2424 | + check_str=base.RULE_ADMIN_REQUIRED |
2425 | ) |
2426 | deprecated_check_user_in_group = policy.DeprecatedRule( |
2427 | name=base.IDENTITY % 'check_user_in_group', |
2428 | - check_str=base.RULE_ADMIN_REQUIRED, |
2429 | - deprecated_reason=DEPRECATED_REASON, |
2430 | - deprecated_since=versionutils.deprecated.STEIN |
2431 | + check_str=base.RULE_ADMIN_REQUIRED |
2432 | ) |
2433 | deprecated_create_group = policy.DeprecatedRule( |
2434 | name=base.IDENTITY % 'create_group', |
2435 | - check_str=base.RULE_ADMIN_REQUIRED, |
2436 | - deprecated_reason=DEPRECATED_REASON, |
2437 | - deprecated_since=versionutils.deprecated.STEIN |
2438 | + check_str=base.RULE_ADMIN_REQUIRED |
2439 | ) |
2440 | deprecated_update_group = policy.DeprecatedRule( |
2441 | name=base.IDENTITY % 'update_group', |
2442 | - check_str=base.RULE_ADMIN_REQUIRED, |
2443 | - deprecated_reason=DEPRECATED_REASON, |
2444 | - deprecated_since=versionutils.deprecated.STEIN |
2445 | + check_str=base.RULE_ADMIN_REQUIRED |
2446 | ) |
2447 | deprecated_delete_group = policy.DeprecatedRule( |
2448 | name=base.IDENTITY % 'delete_group', |
2449 | - check_str=base.RULE_ADMIN_REQUIRED, |
2450 | - deprecated_reason=DEPRECATED_REASON, |
2451 | - deprecated_since=versionutils.deprecated.STEIN |
2452 | + check_str=base.RULE_ADMIN_REQUIRED |
2453 | ) |
2454 | deprecated_remove_user_from_group = policy.DeprecatedRule( |
2455 | name=base.IDENTITY % 'remove_user_from_group', |
2456 | - check_str=base.RULE_ADMIN_REQUIRED, |
2457 | - deprecated_reason=DEPRECATED_REASON, |
2458 | - deprecated_since=versionutils.deprecated.STEIN |
2459 | + check_str=base.RULE_ADMIN_REQUIRED |
2460 | ) |
2461 | deprecated_add_user_to_group = policy.DeprecatedRule( |
2462 | name=base.IDENTITY % 'add_user_to_group', |
2463 | - check_str=base.RULE_ADMIN_REQUIRED, |
2464 | - deprecated_reason=DEPRECATED_REASON, |
2465 | - deprecated_since=versionutils.deprecated.STEIN |
2466 | + check_str=base.RULE_ADMIN_REQUIRED |
2467 | ) |
2468 | |
2469 | group_policies = [ |
2470 | @@ -120,7 +100,9 @@ group_policies = [ |
2471 | 'method': 'GET'}, |
2472 | {'path': '/v3/groups/{group_id}', |
2473 | 'method': 'HEAD'}], |
2474 | - deprecated_rule=deprecated_get_group), |
2475 | + deprecated_rule=deprecated_get_group, |
2476 | + deprecated_reason=DEPRECATED_REASON, |
2477 | + deprecated_since=versionutils.deprecated.STEIN), |
2478 | policy.DocumentedRuleDefault( |
2479 | name=base.IDENTITY % 'list_groups', |
2480 | check_str=SYSTEM_READER_OR_DOMAIN_READER, |
2481 | @@ -130,7 +112,9 @@ group_policies = [ |
2482 | 'method': 'GET'}, |
2483 | {'path': '/v3/groups', |
2484 | 'method': 'HEAD'}], |
2485 | - deprecated_rule=deprecated_list_groups), |
2486 | + deprecated_rule=deprecated_list_groups, |
2487 | + deprecated_reason=DEPRECATED_REASON, |
2488 | + deprecated_since=versionutils.deprecated.STEIN), |
2489 | policy.DocumentedRuleDefault( |
2490 | name=base.IDENTITY % 'list_groups_for_user', |
2491 | check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER, |
2492 | @@ -140,7 +124,9 @@ group_policies = [ |
2493 | 'method': 'GET'}, |
2494 | {'path': '/v3/users/{user_id}/groups', |
2495 | 'method': 'HEAD'}], |
2496 | - deprecated_rule=deprecated_list_groups_for_user), |
2497 | + deprecated_rule=deprecated_list_groups_for_user, |
2498 | + deprecated_reason=DEPRECATED_REASON, |
2499 | + deprecated_since=versionutils.deprecated.STEIN), |
2500 | policy.DocumentedRuleDefault( |
2501 | name=base.IDENTITY % 'create_group', |
2502 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
2503 | @@ -148,7 +134,9 @@ group_policies = [ |
2504 | description='Create group.', |
2505 | operations=[{'path': '/v3/groups', |
2506 | 'method': 'POST'}], |
2507 | - deprecated_rule=deprecated_create_group), |
2508 | + deprecated_rule=deprecated_create_group, |
2509 | + deprecated_reason=DEPRECATED_REASON, |
2510 | + deprecated_since=versionutils.deprecated.STEIN), |
2511 | policy.DocumentedRuleDefault( |
2512 | name=base.IDENTITY % 'update_group', |
2513 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
2514 | @@ -156,7 +144,9 @@ group_policies = [ |
2515 | description='Update group.', |
2516 | operations=[{'path': '/v3/groups/{group_id}', |
2517 | 'method': 'PATCH'}], |
2518 | - deprecated_rule=deprecated_update_group), |
2519 | + deprecated_rule=deprecated_update_group, |
2520 | + deprecated_reason=DEPRECATED_REASON, |
2521 | + deprecated_since=versionutils.deprecated.STEIN), |
2522 | policy.DocumentedRuleDefault( |
2523 | name=base.IDENTITY % 'delete_group', |
2524 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
2525 | @@ -164,7 +154,9 @@ group_policies = [ |
2526 | description='Delete group.', |
2527 | operations=[{'path': '/v3/groups/{group_id}', |
2528 | 'method': 'DELETE'}], |
2529 | - deprecated_rule=deprecated_delete_group), |
2530 | + deprecated_rule=deprecated_delete_group, |
2531 | + deprecated_reason=DEPRECATED_REASON, |
2532 | + deprecated_since=versionutils.deprecated.STEIN), |
2533 | policy.DocumentedRuleDefault( |
2534 | name=base.IDENTITY % 'list_users_in_group', |
2535 | check_str=SYSTEM_READER_OR_DOMAIN_READER, |
2536 | @@ -174,7 +166,9 @@ group_policies = [ |
2537 | 'method': 'GET'}, |
2538 | {'path': '/v3/groups/{group_id}/users', |
2539 | 'method': 'HEAD'}], |
2540 | - deprecated_rule=deprecated_list_users_in_group), |
2541 | + deprecated_rule=deprecated_list_users_in_group, |
2542 | + deprecated_reason=DEPRECATED_REASON, |
2543 | + deprecated_since=versionutils.deprecated.STEIN), |
2544 | policy.DocumentedRuleDefault( |
2545 | name=base.IDENTITY % 'remove_user_from_group', |
2546 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER, |
2547 | @@ -182,7 +176,9 @@ group_policies = [ |
2548 | description='Remove user from group.', |
2549 | operations=[{'path': '/v3/groups/{group_id}/users/{user_id}', |
2550 | 'method': 'DELETE'}], |
2551 | - deprecated_rule=deprecated_remove_user_from_group), |
2552 | + deprecated_rule=deprecated_remove_user_from_group, |
2553 | + deprecated_reason=DEPRECATED_REASON, |
2554 | + deprecated_since=versionutils.deprecated.STEIN), |
2555 | policy.DocumentedRuleDefault( |
2556 | name=base.IDENTITY % 'check_user_in_group', |
2557 | check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER, |
2558 | @@ -192,7 +188,9 @@ group_policies = [ |
2559 | 'method': 'HEAD'}, |
2560 | {'path': '/v3/groups/{group_id}/users/{user_id}', |
2561 | 'method': 'GET'}], |
2562 | - deprecated_rule=deprecated_check_user_in_group), |
2563 | + deprecated_rule=deprecated_check_user_in_group, |
2564 | + deprecated_reason=DEPRECATED_REASON, |
2565 | + deprecated_since=versionutils.deprecated.STEIN), |
2566 | policy.DocumentedRuleDefault( |
2567 | name=base.IDENTITY % 'add_user_to_group', |
2568 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER, |
2569 | @@ -200,7 +198,9 @@ group_policies = [ |
2570 | description='Add user to group.', |
2571 | operations=[{'path': '/v3/groups/{group_id}/users/{user_id}', |
2572 | 'method': 'PUT'}], |
2573 | - deprecated_rule=deprecated_add_user_to_group) |
2574 | + deprecated_rule=deprecated_add_user_to_group, |
2575 | + deprecated_reason=DEPRECATED_REASON, |
2576 | + deprecated_since=versionutils.deprecated.STEIN) |
2577 | ] |
2578 | |
2579 | |
2580 | diff --git a/keystone/common/policies/identity_provider.py b/keystone/common/policies/identity_provider.py |
2581 | index c1b4d5a..8d6ad46 100644 |
2582 | --- a/keystone/common/policies/identity_provider.py |
2583 | +++ b/keystone/common/policies/identity_provider.py |
2584 | @@ -15,41 +15,30 @@ from oslo_policy import policy |
2585 | |
2586 | from keystone.common.policies import base |
2587 | |
2588 | -DEPRECATED_REASON = ( |
2589 | - "The identity provider API is now aware of system scope and default roles." |
2590 | -) |
2591 | - |
2592 | deprecated_get_idp = policy.DeprecatedRule( |
2593 | name=base.IDENTITY % 'get_identity_provider', |
2594 | - check_str=base.RULE_ADMIN_REQUIRED, |
2595 | - deprecated_reason=DEPRECATED_REASON, |
2596 | - deprecated_since=versionutils.deprecated.STEIN |
2597 | + check_str=base.RULE_ADMIN_REQUIRED |
2598 | ) |
2599 | deprecated_list_idp = policy.DeprecatedRule( |
2600 | name=base.IDENTITY % 'list_identity_providers', |
2601 | - check_str=base.RULE_ADMIN_REQUIRED, |
2602 | - deprecated_reason=DEPRECATED_REASON, |
2603 | - deprecated_since=versionutils.deprecated.STEIN |
2604 | + check_str=base.RULE_ADMIN_REQUIRED |
2605 | ) |
2606 | deprecated_update_idp = policy.DeprecatedRule( |
2607 | name=base.IDENTITY % 'update_identity_provider', |
2608 | - check_str=base.RULE_ADMIN_REQUIRED, |
2609 | - deprecated_reason=DEPRECATED_REASON, |
2610 | - deprecated_since=versionutils.deprecated.STEIN |
2611 | + check_str=base.RULE_ADMIN_REQUIRED |
2612 | ) |
2613 | deprecated_create_idp = policy.DeprecatedRule( |
2614 | name=base.IDENTITY % 'create_identity_provider', |
2615 | - check_str=base.RULE_ADMIN_REQUIRED, |
2616 | - deprecated_reason=DEPRECATED_REASON, |
2617 | - deprecated_since=versionutils.deprecated.STEIN |
2618 | + check_str=base.RULE_ADMIN_REQUIRED |
2619 | ) |
2620 | deprecated_delete_idp = policy.DeprecatedRule( |
2621 | name=base.IDENTITY % 'delete_identity_provider', |
2622 | - check_str=base.RULE_ADMIN_REQUIRED, |
2623 | - deprecated_reason=DEPRECATED_REASON, |
2624 | - deprecated_since=versionutils.deprecated.STEIN |
2625 | + check_str=base.RULE_ADMIN_REQUIRED |
2626 | ) |
2627 | |
2628 | +DEPRECATED_REASON = ( |
2629 | + "The identity provider API is now aware of system scope and default roles." |
2630 | +) |
2631 | |
2632 | identity_provider_policies = [ |
2633 | policy.DocumentedRuleDefault( |
2634 | @@ -65,7 +54,9 @@ identity_provider_policies = [ |
2635 | description='Create identity provider.', |
2636 | operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}', |
2637 | 'method': 'PUT'}], |
2638 | - deprecated_rule=deprecated_create_idp), |
2639 | + deprecated_rule=deprecated_create_idp, |
2640 | + deprecated_reason=DEPRECATED_REASON, |
2641 | + deprecated_since=versionutils.deprecated.STEIN), |
2642 | policy.DocumentedRuleDefault( |
2643 | name=base.IDENTITY % 'list_identity_providers', |
2644 | check_str=base.SYSTEM_READER, |
2645 | @@ -82,6 +73,8 @@ identity_provider_policies = [ |
2646 | } |
2647 | ], |
2648 | deprecated_rule=deprecated_list_idp, |
2649 | + deprecated_reason=DEPRECATED_REASON, |
2650 | + deprecated_since=versionutils.deprecated.STEIN |
2651 | ), |
2652 | policy.DocumentedRuleDefault( |
2653 | name=base.IDENTITY % 'get_identity_provider', |
2654 | @@ -99,6 +92,8 @@ identity_provider_policies = [ |
2655 | } |
2656 | ], |
2657 | deprecated_rule=deprecated_get_idp, |
2658 | + deprecated_reason=DEPRECATED_REASON, |
2659 | + deprecated_since=versionutils.deprecated.STEIN |
2660 | ), |
2661 | policy.DocumentedRuleDefault( |
2662 | name=base.IDENTITY % 'update_identity_provider', |
2663 | @@ -107,7 +102,9 @@ identity_provider_policies = [ |
2664 | description='Update identity provider.', |
2665 | operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}', |
2666 | 'method': 'PATCH'}], |
2667 | - deprecated_rule=deprecated_update_idp), |
2668 | + deprecated_rule=deprecated_update_idp, |
2669 | + deprecated_reason=DEPRECATED_REASON, |
2670 | + deprecated_since=versionutils.deprecated.STEIN), |
2671 | policy.DocumentedRuleDefault( |
2672 | name=base.IDENTITY % 'delete_identity_provider', |
2673 | check_str=base.SYSTEM_ADMIN, |
2674 | @@ -115,7 +112,9 @@ identity_provider_policies = [ |
2675 | description='Delete identity provider.', |
2676 | operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}', |
2677 | 'method': 'DELETE'}], |
2678 | - deprecated_rule=deprecated_delete_idp), |
2679 | + deprecated_rule=deprecated_delete_idp, |
2680 | + deprecated_reason=DEPRECATED_REASON, |
2681 | + deprecated_since=versionutils.deprecated.STEIN), |
2682 | ] |
2683 | |
2684 | |
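--- a/keystone/common/policies/implied_role.py
+++ b/keystone/common/policies/implied_role.py
@@ -15,45 +15,33 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The implied role API is now aware of system scope and default roles."
-)
-
 deprecated_get_implied_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_implied_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_implied_roles = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_implied_roles',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_list_role_inference_rules = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_role_inference_rules',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_check_implied_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_implied_role',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_create_implied_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_implied_role',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_delete_implied_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_implied_role',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+)
+
+DEPRECATED_REASON = (
+ "The implied role API is now aware of system scope and default roles."
 )
 
 
@@ -73,7 +61,9 @@ implied_role_policies = [
 operations=[
 {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
 'method': 'GET'}],
- deprecated_rule=deprecated_get_implied_role),
+ deprecated_rule=deprecated_get_implied_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_implied_roles',
 check_str=base.SYSTEM_READER,
@@ -87,7 +77,9 @@ implied_role_policies = [
 operations=[
 {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'GET'},
 {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_implied_roles),
+ deprecated_rule=deprecated_list_implied_roles,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_implied_role',
 check_str=base.SYSTEM_ADMIN,
@@ -99,7 +91,9 @@ implied_role_policies = [
 operations=[
 {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_implied_role),
+ deprecated_rule=deprecated_create_implied_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_implied_role',
 check_str=base.SYSTEM_ADMIN,
@@ -112,7 +106,9 @@ implied_role_policies = [
 operations=[
 {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_implied_role),
+ deprecated_rule=deprecated_delete_implied_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_role_inference_rules',
 check_str=base.SYSTEM_READER,
@@ -124,7 +120,9 @@ implied_role_policies = [
 operations=[
 {'path': '/v3/role_inferences', 'method': 'GET'},
 {'path': '/v3/role_inferences', 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_role_inference_rules),
+ deprecated_rule=deprecated_list_role_inference_rules,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_implied_role',
 check_str=base.SYSTEM_READER,
@@ -136,7 +134,9 @@ implied_role_policies = [
 operations=[
 {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_implied_role),
+ deprecated_rule=deprecated_check_implied_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 ]
 
 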
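Review bot: The six `policy.DeprecatedRule` objects at the top of implied_role.py keep `check_str=base.RULE_ADMIN_REQUIRED`, and oslo.policy accepts a deprecated rule's check alongside the new default (a logical OR) for as long as the operator has not overridden the policy, so the `base.SYSTEM_READER` / `base.SYSTEM_ADMIN` defaults in `implied_role_policies` are not yet the effective restriction. Neither `DEPRECATED_REASON` nor any comment in the section says so; I would add above `DEPRECATED_REASON` a comment such as `# NOTE: the deprecated admin_required check is still honoured until operators override these policies or enforce the new defaults.` Operators who need the system-scoped defaults enforced should set `enforce_new_defaults` under `[oslo_policy]`, if the packaged oslo.policy provides it. The same point applies to the mapping.py, policy.py and policy_association.py sections that follow; in policy_association.py it sits directly under the comment stating that system-scoped tokens should be required.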
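--- a/keystone/common/policies/mapping.py
+++ b/keystone/common/policies/mapping.py
@@ -15,41 +15,30 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The federated mapping API is now aware of system scope and default roles."
-)
-
 deprecated_get_mapping = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_mapping',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_mappings = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_mappings',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_mapping = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_mapping',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_mapping = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_mapping',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_mapping = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_mapping',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The federated mapping API is now aware of system scope and default roles."
+)
 
 mapping_policies = [
 policy.DocumentedRuleDefault(
@@ -66,7 +55,9 @@ mapping_policies = [
 'more sets of rules.'),
 operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_mapping),
+ deprecated_rule=deprecated_create_mapping,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_mapping',
 check_str=base.SYSTEM_READER,
@@ -82,7 +73,9 @@ mapping_policies = [
 'method': 'HEAD'
 }
 ],
- deprecated_rule=deprecated_get_mapping
+ deprecated_rule=deprecated_get_mapping,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_mappings',
@@ -100,6 +93,8 @@ mapping_policies = [
 }
 ],
 deprecated_rule=deprecated_list_mappings,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_mapping',
@@ -108,7 +103,9 @@ mapping_policies = [
 description='Delete a federated mapping.',
 operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_mapping),
+ deprecated_rule=deprecated_delete_mapping,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_mapping',
 check_str=base.SYSTEM_ADMIN,
@@ -116,7 +113,9 @@ mapping_policies = [
 description='Update a federated mapping.',
 operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_mapping)
+ deprecated_rule=deprecated_update_mapping,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN)
 ]
 
 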
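--- a/keystone/common/policies/policy.py
+++ b/keystone/common/policies/policy.py
@@ -15,43 +15,33 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The policy API is now aware of system scope and default roles."
-)
-
 deprecated_get_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_list_policies = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_policies',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_update_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+)
+
+DEPRECATED_REASON = (
+ "The policy API is now aware of system scope and default roles."
 )
 
 
@@ -65,7 +55,9 @@ policy_policies = [
 description='Show policy details.',
 operations=[{'path': '/v3/policies/{policy_id}',
 'method': 'GET'}],
- deprecated_rule=deprecated_get_policy),
+ deprecated_rule=deprecated_get_policy,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_policies',
 check_str=base.SYSTEM_READER,
@@ -73,7 +65,9 @@ policy_policies = [
 description='List policies.',
 operations=[{'path': '/v3/policies',
 'method': 'GET'}],
- deprecated_rule=deprecated_list_policies),
+ deprecated_rule=deprecated_list_policies,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_policy',
 check_str=base.SYSTEM_ADMIN,
@@ -81,7 +75,9 @@ policy_policies = [
 description='Create policy.',
 operations=[{'path': '/v3/policies',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_policy),
+ deprecated_rule=deprecated_create_policy,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_policy',
 check_str=base.SYSTEM_ADMIN,
@@ -89,7 +85,9 @@ policy_policies = [
 description='Update policy.',
 operations=[{'path': '/v3/policies/{policy_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_policy),
+ deprecated_rule=deprecated_update_policy,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_policy',
 check_str=base.SYSTEM_ADMIN,
@@ -97,7 +95,9 @@ policy_policies = [
 description='Delete policy.',
 operations=[{'path': '/v3/policies/{policy_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_policy)
+ deprecated_rule=deprecated_delete_policy,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN)
 ]
 
 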
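--- a/keystone/common/policies/policy_association.py
+++ b/keystone/common/policies/policy_association.py
@@ -19,88 +19,65 @@ from keystone.common.policies import base
 # System-scoped tokens should be required to manage policy associations to
 # existing system-level resources.
 
-DEPRECATED_REASON = (
- "The policy association API is now aware of system scope and default "
- "roles."
-)
-
 deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_policy_association_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_check_policy_assoc_for_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_policy_association_for_service',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_policy_association_for_region_and_service',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_get_policy_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_policy_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_list_endpoints_for_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_endpoints_for_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_policy_association_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_policy_association_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_policy_assoc_for_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_policy_association_for_service',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_policy_association_for_service',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_policy_association_for_region_and_service',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_policy_association_for_region_and_service',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
+DEPRECATED_REASON = (
+ "The policy association API is now aware of system scope and default "
+ "roles."
+)
 
 policy_association_policies = [
 policy.DocumentedRuleDefault(
@@ -111,7 +88,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'endpoints/{endpoint_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_policy_assoc_for_endpoint),
+ deprecated_rule=deprecated_create_policy_assoc_for_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_policy_association_for_endpoint',
 check_str=base.SYSTEM_READER,
@@ -123,7 +102,9 @@ policy_association_policies = [
 {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'endpoints/{endpoint_id}'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_policy_assoc_for_endpoint),
+ deprecated_rule=deprecated_check_policy_assoc_for_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_policy_association_for_endpoint',
 check_str=base.SYSTEM_ADMIN,
@@ -132,7 +113,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'endpoints/{endpoint_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_policy_assoc_for_endpoint),
+ deprecated_rule=deprecated_delete_policy_assoc_for_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_policy_association_for_service',
 check_str=base.SYSTEM_ADMIN,
@@ -141,7 +124,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_policy_assoc_for_service),
+ deprecated_rule=deprecated_create_policy_assoc_for_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_policy_association_for_service',
 check_str=base.SYSTEM_READER,
@@ -153,7 +138,9 @@ policy_association_policies = [
 {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_policy_assoc_for_service),
+ deprecated_rule=deprecated_check_policy_assoc_for_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_policy_association_for_service',
 check_str=base.SYSTEM_ADMIN,
@@ -162,7 +149,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_policy_assoc_for_service),
+ deprecated_rule=deprecated_delete_policy_assoc_for_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % (
 'create_policy_association_for_region_and_service'),
@@ -173,7 +162,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}/regions/{region_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_policy_assoc_for_region_and_service),
+ deprecated_rule=deprecated_create_policy_assoc_for_region_and_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_policy_association_for_region_and_service',
 check_str=base.SYSTEM_READER,
@@ -185,7 +176,9 @@ policy_association_policies = [
 {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}/regions/{region_id}'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_policy_assoc_for_region_and_service),
+ deprecated_rule=deprecated_check_policy_assoc_for_region_and_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % (
 'delete_policy_association_for_region_and_service'),
@@ -195,7 +188,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}/regions/{region_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service),
+ deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_policy_for_endpoint',
 check_str=base.SYSTEM_READER,
@@ -207,7 +202,9 @@ policy_association_policies = [
 {'path': ('/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/'
 'policy'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_policy_for_endpoint),
+ deprecated_rule=deprecated_get_policy_for_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_endpoints_for_policy',
 check_str=base.SYSTEM_READER,
@@ -216,7 +213,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'endpoints'),
 'method': 'GET'}],
- deprecated_rule=deprecated_list_endpoints_for_policy)
+ deprecated_rule=deprecated_list_endpoints_for_policy,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN)
 ]
 
 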
3238 | diff --git a/keystone/common/policies/project.py b/keystone/common/policies/project.py |
3239 | index db7cdee..c7b7c0a 100644 |
3240 | --- a/keystone/common/policies/project.py |
3241 | +++ b/keystone/common/policies/project.py |
3242 | @@ -52,84 +52,60 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = ( |
3243 | '(role:admin and domain_id:%(target.project.domain_id)s)' |
3244 | ) |
3245 | |
3246 | -DEPRECATED_REASON = ( |
3247 | - "The project API is now aware of system scope and default roles." |
3248 | -) |
3249 | - |
3250 | deprecated_list_projects = policy.DeprecatedRule( |
3251 | name=base.IDENTITY % 'list_projects', |
3252 | - check_str=base.RULE_ADMIN_REQUIRED, |
3253 | - deprecated_reason=DEPRECATED_REASON, |
3254 | - deprecated_since=versionutils.deprecated.STEIN |
3255 | + check_str=base.RULE_ADMIN_REQUIRED |
3256 | ) |
3257 | deprecated_get_project = policy.DeprecatedRule( |
3258 | name=base.IDENTITY % 'get_project', |
3259 | - check_str=base.RULE_ADMIN_OR_TARGET_PROJECT, |
3260 | - deprecated_reason=DEPRECATED_REASON, |
3261 | - deprecated_since=versionutils.deprecated.STEIN |
3262 | + check_str=base.RULE_ADMIN_OR_TARGET_PROJECT |
3263 | ) |
3264 | deprecated_list_user_projects = policy.DeprecatedRule( |
3265 | name=base.IDENTITY % 'list_user_projects', |
3266 | - check_str=base.RULE_ADMIN_OR_OWNER, |
3267 | - deprecated_reason=DEPRECATED_REASON, |
3268 | - deprecated_since=versionutils.deprecated.STEIN |
3269 | + check_str=base.RULE_ADMIN_OR_OWNER |
3270 | ) |
3271 | deprecated_create_project = policy.DeprecatedRule( |
3272 | name=base.IDENTITY % 'create_project', |
3273 | - check_str=base.RULE_ADMIN_REQUIRED, |
3274 | - deprecated_reason=DEPRECATED_REASON, |
3275 | - deprecated_since=versionutils.deprecated.STEIN |
3276 | + check_str=base.RULE_ADMIN_REQUIRED |
3277 | ) |
3278 | deprecated_update_project = policy.DeprecatedRule( |
3279 | name=base.IDENTITY % 'update_project', |
3280 | - check_str=base.RULE_ADMIN_REQUIRED, |
3281 | - deprecated_reason=DEPRECATED_REASON, |
3282 | - deprecated_since=versionutils.deprecated.STEIN |
3283 | + check_str=base.RULE_ADMIN_REQUIRED |
3284 | ) |
3285 | deprecated_delete_project = policy.DeprecatedRule( |
3286 | name=base.IDENTITY % 'delete_project', |
3287 | - check_str=base.RULE_ADMIN_REQUIRED, |
3288 | - deprecated_reason=DEPRECATED_REASON, |
3289 | - deprecated_since=versionutils.deprecated.STEIN |
3290 | + check_str=base.RULE_ADMIN_REQUIRED |
3291 | ) |
3292 | deprecated_list_project_tags = policy.DeprecatedRule( |
3293 | name=base.IDENTITY % 'list_project_tags', |
3294 | - check_str=base.RULE_ADMIN_OR_TARGET_PROJECT, |
3295 | - deprecated_reason=DEPRECATED_REASON, |
3296 | - deprecated_since=versionutils.deprecated.TRAIN |
3297 | + check_str=base.RULE_ADMIN_OR_TARGET_PROJECT |
3298 | ) |
3299 | deprecated_get_project_tag = policy.DeprecatedRule( |
3300 | name=base.IDENTITY % 'get_project_tag', |
3301 | - check_str=base.RULE_ADMIN_OR_TARGET_PROJECT, |
3302 | - deprecated_reason=DEPRECATED_REASON, |
3303 | - deprecated_since=versionutils.deprecated.TRAIN |
3304 | + check_str=base.RULE_ADMIN_OR_TARGET_PROJECT |
3305 | ) |
3306 | deprecated_update_project_tag = policy.DeprecatedRule( |
3307 | name=base.IDENTITY % 'update_project_tags', |
3308 | - check_str=base.RULE_ADMIN_REQUIRED, |
3309 | - deprecated_reason=DEPRECATED_REASON, |
3310 | - deprecated_since=versionutils.deprecated.TRAIN |
3311 | + check_str=base.RULE_ADMIN_REQUIRED |
3312 | ) |
3313 | deprecated_create_project_tag = policy.DeprecatedRule( |
3314 | name=base.IDENTITY % 'create_project_tag', |
3315 | - check_str=base.RULE_ADMIN_REQUIRED, |
3316 | - deprecated_reason=DEPRECATED_REASON, |
3317 | - deprecated_since=versionutils.deprecated.TRAIN |
3318 | + check_str=base.RULE_ADMIN_REQUIRED |
3319 | ) |
3320 | deprecated_delete_project_tag = policy.DeprecatedRule( |
3321 | name=base.IDENTITY % 'delete_project_tag', |
3322 | - check_str=base.RULE_ADMIN_REQUIRED, |
3323 | - deprecated_reason=DEPRECATED_REASON, |
3324 | - deprecated_since=versionutils.deprecated.TRAIN |
3325 | + check_str=base.RULE_ADMIN_REQUIRED |
3326 | ) |
3327 | deprecated_delete_project_tags = policy.DeprecatedRule( |
3328 | name=base.IDENTITY % 'delete_project_tags', |
3329 | - check_str=base.RULE_ADMIN_REQUIRED, |
3330 | - deprecated_reason=DEPRECATED_REASON, |
3331 | - deprecated_since=versionutils.deprecated.TRAIN |
3332 | + check_str=base.RULE_ADMIN_REQUIRED |
3333 | ) |
3334 | |
3335 | |
3336 | +DEPRECATED_REASON = ( |
3337 | + "The project API is now aware of system scope and default roles." |
3338 | +) |
3339 | + |
3340 | TAGS_DEPRECATED_REASON = """ |
3341 | As of the Train release, the project tags API understands how to handle |
3342 | system-scoped tokens in addition to project and domain tokens, making the API |
3343 | @@ -146,7 +122,9 @@ project_policies = [ |
3344 | description='Show project details.', |
3345 | operations=[{'path': '/v3/projects/{project_id}', |
3346 | 'method': 'GET'}], |
3347 | - deprecated_rule=deprecated_get_project), |
3348 | + deprecated_rule=deprecated_get_project, |
3349 | + deprecated_reason=DEPRECATED_REASON, |
3350 | + deprecated_since=versionutils.deprecated.STEIN), |
3351 | policy.DocumentedRuleDefault( |
3352 | name=base.IDENTITY % 'list_projects', |
3353 | check_str=SYSTEM_READER_OR_DOMAIN_READER, |
3354 | @@ -158,7 +136,9 @@ project_policies = [ |
3355 | description='List projects.', |
3356 | operations=[{'path': '/v3/projects', |
3357 | 'method': 'GET'}], |
3358 | - deprecated_rule=deprecated_list_projects), |
3359 | + deprecated_rule=deprecated_list_projects, |
3360 | + deprecated_reason=DEPRECATED_REASON, |
3361 | + deprecated_since=versionutils.deprecated.STEIN), |
3362 | policy.DocumentedRuleDefault( |
3363 | name=base.IDENTITY % 'list_user_projects', |
3364 | check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER, |
3365 | @@ -166,7 +146,9 @@ project_policies = [ |
3366 | description='List projects for user.', |
3367 | operations=[{'path': '/v3/users/{user_id}/projects', |
3368 | 'method': 'GET'}], |
3369 | - deprecated_rule=deprecated_list_user_projects), |
3370 | + deprecated_rule=deprecated_list_user_projects, |
3371 | + deprecated_reason=DEPRECATED_REASON, |
3372 | + deprecated_since=versionutils.deprecated.STEIN), |
3373 | policy.DocumentedRuleDefault( |
3374 | name=base.IDENTITY % 'create_project', |
3375 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
3376 | @@ -174,7 +156,9 @@ project_policies = [ |
3377 | description='Create project.', |
3378 | operations=[{'path': '/v3/projects', |
3379 | 'method': 'POST'}], |
3380 | - deprecated_rule=deprecated_create_project), |
3381 | + deprecated_rule=deprecated_create_project, |
3382 | + deprecated_reason=DEPRECATED_REASON, |
3383 | + deprecated_since=versionutils.deprecated.STEIN), |
3384 | policy.DocumentedRuleDefault( |
3385 | name=base.IDENTITY % 'update_project', |
3386 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
3387 | @@ -182,7 +166,9 @@ project_policies = [ |
3388 | description='Update project.', |
3389 | operations=[{'path': '/v3/projects/{project_id}', |
3390 | 'method': 'PATCH'}], |
3391 | - deprecated_rule=deprecated_update_project), |
3392 | + deprecated_rule=deprecated_update_project, |
3393 | + deprecated_reason=DEPRECATED_REASON, |
3394 | + deprecated_since=versionutils.deprecated.STEIN), |
3395 | policy.DocumentedRuleDefault( |
3396 | name=base.IDENTITY % 'delete_project', |
3397 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
3398 | @@ -190,7 +176,9 @@ project_policies = [ |
3399 | description='Delete project.', |
3400 | operations=[{'path': '/v3/projects/{project_id}', |
3401 | 'method': 'DELETE'}], |
3402 | - deprecated_rule=deprecated_delete_project), |
3403 | + deprecated_rule=deprecated_delete_project, |
3404 | + deprecated_reason=DEPRECATED_REASON, |
3405 | + deprecated_since=versionutils.deprecated.STEIN), |
3406 | policy.DocumentedRuleDefault( |
3407 | name=base.IDENTITY % 'list_project_tags', |
3408 | check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER, |
3409 | @@ -200,7 +188,9 @@ project_policies = [ |
3410 | 'method': 'GET'}, |
3411 | {'path': '/v3/projects/{project_id}/tags', |
3412 | 'method': 'HEAD'}], |
3413 | - deprecated_rule=deprecated_list_project_tags), |
3414 | + deprecated_rule=deprecated_list_project_tags, |
3415 | + deprecated_reason=TAGS_DEPRECATED_REASON, |
3416 | + deprecated_since=versionutils.deprecated.TRAIN), |
3417 | policy.DocumentedRuleDefault( |
3418 | name=base.IDENTITY % 'get_project_tag', |
3419 | check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER, |
3420 | @@ -210,7 +200,9 @@ project_policies = [ |
3421 | 'method': 'GET'}, |
3422 | {'path': '/v3/projects/{project_id}/tags/{value}', |
3423 | 'method': 'HEAD'}], |
3424 | - deprecated_rule=deprecated_get_project_tag), |
3425 | + deprecated_rule=deprecated_get_project_tag, |
3426 | + deprecated_reason=TAGS_DEPRECATED_REASON, |
3427 | + deprecated_since=versionutils.deprecated.TRAIN), |
3428 | policy.DocumentedRuleDefault( |
3429 | name=base.IDENTITY % 'update_project_tags', |
3430 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, |
3431 | @@ -218,7 +210,9 @@ project_policies = [ |
3432 | description='Replace all tags on a project with the new set of tags.', |
3433 | operations=[{'path': '/v3/projects/{project_id}/tags', |
3434 | 'method': 'PUT'}], |
3435 | - deprecated_rule=deprecated_update_project_tag), |
3436 | + deprecated_rule=deprecated_update_project_tag, |
3437 | + deprecated_reason=TAGS_DEPRECATED_REASON, |
3438 | + deprecated_since=versionutils.deprecated.TRAIN), |
3439 | policy.DocumentedRuleDefault( |
3440 | name=base.IDENTITY % 'create_project_tag', |
3441 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, |
3442 | @@ -226,7 +220,9 @@ project_policies = [ |
3443 | description='Add a single tag to a project.', |
3444 | operations=[{'path': '/v3/projects/{project_id}/tags/{value}', |
3445 | 'method': 'PUT'}], |
3446 | - deprecated_rule=deprecated_create_project_tag), |
3447 | + deprecated_rule=deprecated_create_project_tag, |
3448 | + deprecated_reason=TAGS_DEPRECATED_REASON, |
3449 | + deprecated_since=versionutils.deprecated.TRAIN), |
3450 | policy.DocumentedRuleDefault( |
3451 | name=base.IDENTITY % 'delete_project_tags', |
3452 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, |
3453 | @@ -234,7 +230,9 @@ project_policies = [ |
3454 | description='Remove all tags from a project.', |
3455 | operations=[{'path': '/v3/projects/{project_id}/tags', |
3456 | 'method': 'DELETE'}], |
3457 | - deprecated_rule=deprecated_delete_project_tags), |
3458 | + deprecated_rule=deprecated_delete_project_tags, |
3459 | + deprecated_reason=TAGS_DEPRECATED_REASON, |
3460 | + deprecated_since=versionutils.deprecated.TRAIN), |
3461 | policy.DocumentedRuleDefault( |
3462 | name=base.IDENTITY % 'delete_project_tag', |
3463 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, |
3464 | @@ -242,7 +240,9 @@ project_policies = [ |
3465 | description='Delete a specified tag from project.', |
3466 | operations=[{'path': '/v3/projects/{project_id}/tags/{value}', |
3467 | 'method': 'DELETE'}], |
3468 | - deprecated_rule=deprecated_delete_project_tag) |
3469 | + deprecated_rule=deprecated_delete_project_tag, |
3470 | + deprecated_reason=TAGS_DEPRECATED_REASON, |
3471 | + deprecated_since=versionutils.deprecated.TRAIN) |
3472 | ] |
3473 | |
3474 | |
3475 | diff --git a/keystone/common/policies/project_endpoint.py b/keystone/common/policies/project_endpoint.py |
3476 | index 86a020e..c04cddd 100644 |
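--- a/keystone/common/policies/project_endpoint.py
+++ b/keystone/common/policies/project_endpoint.py
@@ -15,49 +15,39 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = """
-As of the Train release, the project endpoint API now understands default
-roles and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the project endpoint API.
-"""
-
 deprecated_list_projects_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_projects_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_add_endpoint_to_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'add_endpoint_to_project',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_check_endpoint_in_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_endpoint_in_project',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_list_endpoints_for_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_endpoints_for_project',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_remove_endpoint_from_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'remove_endpoint_from_project',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
+DEPRECATED_REASON = """
+As of the Train release, the project endpoint API now understands default
+roles and system-scoped tokens, making the API more granular by default without
+compromising security. The new policy defaults account for these changes
+automatically. Be sure to take these new defaults into consideration if you are
+relying on overrides in your deployment for the project endpoint API.
+"""
+
 
 project_endpoint_policies = [
 
@@ -73,7 +63,9 @@ project_endpoint_policies = [
 operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/'
 'projects'),
 'method': 'GET'}],
- deprecated_rule=deprecated_list_projects_for_endpoint),
+ deprecated_rule=deprecated_list_projects_for_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'add_endpoint_to_project',
 check_str=base.SYSTEM_ADMIN,
@@ -82,7 +74,9 @@ project_endpoint_policies = [
 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints/{endpoint_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_add_endpoint_to_project),
+ deprecated_rule=deprecated_add_endpoint_to_project,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_endpoint_in_project',
 check_str=base.SYSTEM_READER,
@@ -94,7 +88,9 @@ project_endpoint_policies = [
 {'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints/{endpoint_id}'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_endpoint_in_project),
+ deprecated_rule=deprecated_check_endpoint_in_project,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_endpoints_for_project',
 check_str=base.SYSTEM_READER,
@@ -103,7 +99,9 @@ project_endpoint_policies = [
 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints'),
 'method': 'GET'}],
- deprecated_rule=deprecated_list_endpoints_for_project),
+ deprecated_rule=deprecated_list_endpoints_for_project,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'remove_endpoint_from_project',
 check_str=base.SYSTEM_ADMIN,
@@ -113,7 +111,9 @@ project_endpoint_policies = [
 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints/{endpoint_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_remove_endpoint_from_project),
+ deprecated_rule=deprecated_remove_endpoint_from_project,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 ]
 
 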
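Review bot: Each entry in `project_endpoint_policies` reads as if `base.SYSTEM_ADMIN` or `base.SYSTEM_READER` were the whole default, but every entry still carries a `deprecated_rule` whose `check_str` is `base.RULE_ADMIN_REQUIRED`. oslo.policy ORs a deprecated rule's check with the new one while the default is in use, so the effective default here is presumably still the legacy admin check rather than the system-scoped one. A comment above the list would stop a reader from auditing only the new `check_str`, for example `# NOTE: while deprecated_rule is set, the legacy admin_required check is still accepted alongside check_str.` The same applies to the lists in protocol.py, region.py, role.py and role_assignment.py in this diff.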
3592 | diff --git a/keystone/common/policies/protocol.py b/keystone/common/policies/protocol.py |
3593 | index 887fc70..de2a729 100644 |
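--- a/keystone/common/policies/protocol.py
+++ b/keystone/common/policies/protocol.py
@@ -15,42 +15,31 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The federated protocol API is now aware of system scope and default "
- "roles."
-)
-
 deprecated_get_protocol = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_protocol',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_protocols = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_protocols',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_protocol = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_protocol',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_protocol = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_protocol',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_protocol = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_protocol',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The federated protocol API is now aware of system scope and default "
+ "roles."
+)
 
 protocol_policies = [
 policy.DocumentedRuleDefault(
@@ -64,7 +53,9 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols/{protocol_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_protocol),
+ deprecated_rule=deprecated_create_protocol,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_protocol',
 check_str=base.SYSTEM_ADMIN,
@@ -73,7 +64,9 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols/{protocol_id}'),
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_protocol),
+ deprecated_rule=deprecated_update_protocol,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_protocol',
 check_str=base.SYSTEM_READER,
@@ -82,7 +75,9 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols/{protocol_id}'),
 'method': 'GET'}],
- deprecated_rule=deprecated_get_protocol),
+ deprecated_rule=deprecated_get_protocol,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_protocols',
 check_str=base.SYSTEM_READER,
@@ -91,7 +86,9 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols'),
 'method': 'GET'}],
- deprecated_rule=deprecated_list_protocols),
+ deprecated_rule=deprecated_list_protocols,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_protocol',
 check_str=base.SYSTEM_ADMIN,
@@ -100,7 +97,9 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols/{protocol_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_protocol)
+ deprecated_rule=deprecated_delete_protocol,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN)
 ]
 
 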
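Review bot: The last entry of `protocol_policies` closes with `deprecated_since=versionutils.deprecated.STEIN)` and no trailing comma, while the lists in project_endpoint.py and region.py end their last entry with `),`. Writing `deprecated_since=versionutils.deprecated.STEIN),` keeps the files consistent and makes the next appended rule a one-line diff. The last entry of `role_policies` in role.py ends the same way.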
3703 | diff --git a/keystone/common/policies/region.py b/keystone/common/policies/region.py |
3704 | index f13299d..bf60f8f 100644 |
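--- a/keystone/common/policies/region.py
+++ b/keystone/common/policies/region.py
@@ -15,29 +15,22 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The region API is now aware of system scope and default roles."
-)
-
 deprecated_create_region = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_region',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_region = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_region',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_region = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_region',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The region API is now aware of system scope and default roles."
+)
 
 region_policies = [
 policy.DocumentedRuleDefault(
@@ -73,7 +66,9 @@ region_policies = [
 'method': 'POST'},
 {'path': '/v3/regions/{region_id}',
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_region),
+ deprecated_rule=deprecated_create_region,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_region',
 check_str=base.SYSTEM_ADMIN,
@@ -81,7 +76,9 @@ region_policies = [
 description='Update region.',
 operations=[{'path': '/v3/regions/{region_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_region),
+ deprecated_rule=deprecated_update_region,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_region',
 check_str=base.SYSTEM_ADMIN,
@@ -89,7 +86,9 @@ region_policies = [
 description='Delete region.',
 operations=[{'path': '/v3/regions/{region_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_region),
+ deprecated_rule=deprecated_delete_region,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 ]
 
 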
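Review bot: `DEPRECATED_REASON` in region.py is the single sentence "The region API is now aware of system scope and default roles.", which tells an operator that the defaults changed but not what to check. The project_endpoint.py reason in this same diff goes further and tells the operator to review overrides. Because this string is now passed as `deprecated_reason` on every rule in `region_policies`, I would add the same guidance, for example a second sentence `"Review any region policy overrides against the new defaults."`. protocol.py, role.py and role_assignment.py use the same short form.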
3776 | diff --git a/keystone/common/policies/role.py b/keystone/common/policies/role.py |
3777 | index b372efb..7d6a38e 100644 |
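--- a/keystone/common/policies/role.py
+++ b/keystone/common/policies/role.py
@@ -15,71 +15,50 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The role API is now aware of system scope and default roles."
-)
-
 deprecated_get_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_roles',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_get_domain_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_domain_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_domain_roles = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_domain_roles',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_domain_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_domain_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_domain_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_domain_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_domain_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_domain_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The role API is now aware of system scope and default roles."
+)
 
 role_policies = [
 policy.DocumentedRuleDefault(
@@ -96,7 +75,9 @@ role_policies = [
 'method': 'GET'},
 {'path': '/v3/roles/{role_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_role),
+ deprecated_rule=deprecated_get_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_roles',
 check_str=base.SYSTEM_READER,
@@ -106,7 +87,9 @@ role_policies = [
 'method': 'GET'},
 {'path': '/v3/roles',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_role),
+ deprecated_rule=deprecated_list_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_role',
 check_str=base.SYSTEM_ADMIN,
@@ -114,7 +97,9 @@ role_policies = [
 description='Create role.',
 operations=[{'path': '/v3/roles',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_role),
+ deprecated_rule=deprecated_create_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_role',
 check_str=base.SYSTEM_ADMIN,
@@ -122,7 +107,9 @@ role_policies = [
 description='Update role.',
 operations=[{'path': '/v3/roles/{role_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_role),
+ deprecated_rule=deprecated_update_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_role',
 check_str=base.SYSTEM_ADMIN,
@@ -130,7 +117,9 @@ role_policies = [
 description='Delete role.',
 operations=[{'path': '/v3/roles/{role_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_role),
+ deprecated_rule=deprecated_delete_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_domain_role',
 check_str=base.SYSTEM_READER,
@@ -145,7 +134,9 @@ role_policies = [
 'method': 'GET'},
 {'path': '/v3/roles/{role_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_domain_role),
+ deprecated_rule=deprecated_get_domain_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_domain_roles',
 check_str=base.SYSTEM_READER,
@@ -155,7 +146,9 @@ role_policies = [
 'method': 'GET'},
 {'path': '/v3/roles?domain_id={domain_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_domain_roles),
+ deprecated_rule=deprecated_list_domain_roles,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_domain_role',
 check_str=base.SYSTEM_ADMIN,
@@ -163,7 +156,9 @@ role_policies = [
 scope_types=['system'],
 operations=[{'path': '/v3/roles',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_domain_role),
+ deprecated_rule=deprecated_create_domain_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_domain_role',
 check_str=base.SYSTEM_ADMIN,
@@ -171,7 +166,9 @@ role_policies = [
 scope_types=['system'],
 operations=[{'path': '/v3/roles/{role_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_domain_role),
+ deprecated_rule=deprecated_update_domain_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_domain_role',
 check_str=base.SYSTEM_ADMIN,
@@ -179,7 +176,9 @@ role_policies = [
 scope_types=['system'],
 operations=[{'path': '/v3/roles/{role_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_domain_role)
+ deprecated_rule=deprecated_delete_domain_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN)
 ]
 
 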
3975 | diff --git a/keystone/common/policies/role_assignment.py b/keystone/common/policies/role_assignment.py |
3976 | index 5dea3dc..c70f292 100644 |
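--- a/keystone/common/policies/role_assignment.py
+++ b/keystone/common/policies/role_assignment.py
@@ -25,23 +25,18 @@ SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN = (
 '(role:admin and project_id:%(target.project.id)s)'
 )
 
-DEPRECATED_REASON = (
- "The assignment API is now aware of system scope and default roles."
-)
-
 deprecated_list_role_assignments = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_role_assignments',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_role_assignments_for_tree = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_role_assignments_for_tree',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The assignment API is now aware of system scope and default roles."
+)
 
 role_assignment_policies = [
 policy.DocumentedRuleDefault(
@@ -53,7 +48,9 @@ role_assignment_policies = [
 'method': 'GET'},
 {'path': '/v3/role_assignments',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_role_assignments),
+ deprecated_rule=deprecated_list_role_assignments,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_role_assignments_for_tree',
 check_str=SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN,
@@ -64,7 +61,9 @@ role_assignment_policies = [
 'method': 'GET'},
 {'path': '/v3/role_assignments?include_subtree',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_role_assignments_for_tree),
+ deprecated_rule=deprecated_list_role_assignments_for_tree,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 
 ]
 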
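diff --git a/keystone/common/policies/service.py b/keystone/common/policies/service.py
index 0287076..66d3aaa 100644
--- a/keystone/common/policies/service.py
+++ b/keystone/common/policies/service.py
@@ -15,41 +15,30 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The service API is now aware of system scope and default roles."
-)
-
 deprecated_get_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_service',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_services',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_service',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_service',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_service',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The service API is now aware of system scope and default roles."
+)
 
 service_policies = [
 policy.DocumentedRuleDefault(
@@ -59,7 +48,9 @@ service_policies = [
 description='Show service details.',
 operations=[{'path': '/v3/services/{service_id}',
 'method': 'GET'}],
- deprecated_rule=deprecated_get_service),
+ deprecated_rule=deprecated_get_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_services',
 check_str=base.SYSTEM_READER,
@@ -67,7 +58,9 @@ service_policies = [
 description='List services.',
 operations=[{'path': '/v3/services',
 'method': 'GET'}],
- deprecated_rule=deprecated_list_service),
+ deprecated_rule=deprecated_list_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_service',
 check_str=base.SYSTEM_ADMIN,
@@ -75,7 +68,9 @@ service_policies = [
 description='Create service.',
 operations=[{'path': '/v3/services',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_service),
+ deprecated_rule=deprecated_create_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_service',
 check_str=base.SYSTEM_ADMIN,
@@ -83,7 +78,9 @@ service_policies = [
 description='Update service.',
 operations=[{'path': '/v3/services/{service_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_service),
+ deprecated_rule=deprecated_update_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_service',
 check_str=base.SYSTEM_ADMIN,
@@ -91,7 +88,9 @@ service_policies = [
 description='Delete service.',
 operations=[{'path': '/v3/services/{service_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_service)
+ deprecated_rule=deprecated_delete_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN)
 ]
 
 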
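Review bot: Nothing next to `service_policies` records that, while a `deprecated_rule` is attached, oslo.policy evaluates each default as the new check OR the deprecated one, so `list_services` is still granted by `base.RULE_ADMIN_REQUIRED` and not only by `base.SYSTEM_READER` until the operator sets `[oslo_policy] enforce_new_defaults = True`. I would add a comment above the list, for example `# NOTE: effective default is "new OR deprecated" check_str until [oslo_policy] enforce_new_defaults is enabled.` The same applies to the policy lists in service_provider.py, token.py, trust.py and user.py in this diff. As a style point, `DEPRECATED_REASON` now sits between the `DeprecatedRule` objects and the list; the token.py and user.py hunk headers show it defined above them, and doing the same here would keep the policy modules consistent.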
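diff --git a/keystone/common/policies/service_provider.py b/keystone/common/policies/service_provider.py
index 657368a..4d0e3cb 100644
--- a/keystone/common/policies/service_provider.py
+++ b/keystone/common/policies/service_provider.py
@@ -15,41 +15,30 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The service provider API is now aware of system scope and default roles."
-)
-
 deprecated_get_sp = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_service_provider',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_sp = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_service_providers',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_sp = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_service_provider',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_sp = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_service_provider',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_sp = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_service_provider',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The service provider API is now aware of system scope and default roles."
+)
 
 service_provider_policies = [
 policy.DocumentedRuleDefault(
@@ -66,7 +55,9 @@ service_provider_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
 '{service_provider_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_sp),
+ deprecated_rule=deprecated_create_sp,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_service_providers',
 check_str=base.SYSTEM_READER,
@@ -82,7 +73,9 @@ service_provider_policies = [
 'method': 'HEAD'
 }
 ],
- deprecated_rule=deprecated_list_sp
+ deprecated_rule=deprecated_list_sp,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_service_provider',
@@ -101,7 +94,9 @@ service_provider_policies = [
 'method': 'HEAD'
 }
 ],
- deprecated_rule=deprecated_get_sp
+ deprecated_rule=deprecated_get_sp,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_service_provider',
@@ -111,7 +106,9 @@ service_provider_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
 '{service_provider_id}'),
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_sp),
+ deprecated_rule=deprecated_update_sp,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_service_provider',
 check_str=base.SYSTEM_ADMIN,
@@ -120,7 +117,9 @@ service_provider_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
 '{service_provider_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_sp)
+ deprecated_rule=deprecated_delete_sp,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN)
 ]
 
 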
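diff --git a/keystone/common/policies/token.py b/keystone/common/policies/token.py
index cb321b0..9fa3c52 100644
--- a/keystone/common/policies/token.py
+++ b/keystone/common/policies/token.py
@@ -21,21 +21,15 @@ DEPRECATED_REASON = (
 
 deprecated_check_token = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_token',
- check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT
 )
 deprecated_validate_token = policy.DeprecatedRule(
 name=base.IDENTITY % 'validate_token',
- check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT
 )
 deprecated_revoke_token = policy.DeprecatedRule(
 name=base.IDENTITY % 'revoke_token',
- check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT
 )
 
 SYSTEM_ADMIN_OR_TOKEN_SUBJECT = (
@@ -58,7 +52,9 @@ token_policies = [
 description='Check a token.',
 operations=[{'path': '/v3/auth/tokens',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_token),
+ deprecated_rule=deprecated_check_token,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'validate_token',
 check_str=SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT,
@@ -66,7 +62,9 @@ token_policies = [
 description='Validate a token.',
 operations=[{'path': '/v3/auth/tokens',
 'method': 'GET'}],
- deprecated_rule=deprecated_validate_token),
+ deprecated_rule=deprecated_validate_token,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'revoke_token',
 check_str=SYSTEM_ADMIN_OR_TOKEN_SUBJECT,
@@ -74,7 +72,9 @@ token_policies = [
 description='Revoke a token.',
 operations=[{'path': '/v3/auth/tokens',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_revoke_token)
+ deprecated_rule=deprecated_revoke_token,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN)
 ]
 
 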
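diff --git a/keystone/common/policies/trust.py b/keystone/common/policies/trust.py
index 7678106..82acb0a 100644
--- a/keystone/common/policies/trust.py
+++ b/keystone/common/policies/trust.py
@@ -24,39 +24,29 @@ SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR
 SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE
 SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR
 
-DEPRECATED_REASON = (
- "The trust API is now aware of system scope and default roles."
-)
-
 deprecated_list_trusts = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_trusts',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_roles_for_trust = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_roles_for_trust',
- check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
 )
 deprecated_get_role_for_trust = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_role_for_trust',
- check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
 )
 deprecated_delete_trust = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_trust',
- check_str=RULE_TRUSTOR,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=RULE_TRUSTOR
 )
 deprecated_get_trust = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_trust',
- check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
+)
+
+DEPRECATED_REASON = (
+ "The trust API is now aware of system scope and default roles."
 )
 
 trust_policies = [
@@ -79,7 +69,9 @@ trust_policies = [
 'method': 'GET'},
 {'path': '/v3/OS-TRUST/trusts',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_trusts),
+ deprecated_rule=deprecated_list_trusts,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_trusts_for_trustor',
 check_str=SYSTEM_READER_OR_TRUSTOR,
@@ -111,7 +103,9 @@ trust_policies = [
 'method': 'GET'},
 {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_roles_for_trust),
+ deprecated_rule=deprecated_list_roles_for_trust,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_role_for_trust',
 check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
@@ -121,7 +115,9 @@ trust_policies = [
 'method': 'GET'},
 {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_role_for_trust),
+ deprecated_rule=deprecated_get_role_for_trust,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_trust',
 check_str=SYSTEM_ADMIN_OR_TRUSTOR,
@@ -129,7 +125,9 @@ trust_policies = [
 description='Revoke trust.',
 operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_trust),
+ deprecated_rule=deprecated_delete_trust,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_trust',
 check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
@@ -139,7 +137,9 @@ trust_policies = [
 'method': 'GET'},
 {'path': '/v3/OS-TRUST/trusts/{trust_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_trust)
+ deprecated_rule=deprecated_get_trust,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN)
 ]
 
 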
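diff --git a/keystone/common/policies/user.py b/keystone/common/policies/user.py
index 0534f70..75a0062 100644
--- a/keystone/common/policies/user.py
+++ b/keystone/common/policies/user.py
@@ -36,33 +36,23 @@ DEPRECATED_REASON = (
 
 deprecated_get_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_user',
- check_str=base.RULE_ADMIN_OR_OWNER,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_OR_OWNER
 )
 deprecated_list_users = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_users',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_user',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_user',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_user',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
 user_policies = [
@@ -75,7 +65,9 @@ user_policies = [
 'method': 'GET'},
 {'path': '/v3/users/{user_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_user),
+ deprecated_rule=deprecated_get_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_users',
 check_str=SYSTEM_READER_OR_DOMAIN_READER,
@@ -85,7 +77,9 @@ user_policies = [
 'method': 'GET'},
 {'path': '/v3/users',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_users),
+ deprecated_rule=deprecated_list_users,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_projects_for_user',
 check_str='',
@@ -117,7 +111,9 @@ user_policies = [
 description='Create a user.',
 operations=[{'path': '/v3/users',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_user),
+ deprecated_rule=deprecated_create_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_user',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -125,7 +121,9 @@ user_policies = [
 description='Update a user, including administrative password resets.',
 operations=[{'path': '/v3/users/{user_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_user),
+ deprecated_rule=deprecated_update_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_user',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -133,7 +131,9 @@ user_policies = [
 description='Delete a user.',
 operations=[{'path': '/v3/users/{user_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_user)
+ deprecated_rule=deprecated_delete_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN)
 ]
 
 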
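diff --git a/keystone/common/rbac_enforcer/enforcer.py b/keystone/common/rbac_enforcer/enforcer.py
index 7add048..ca6a8e7 100644
--- a/keystone/common/rbac_enforcer/enforcer.py
+++ b/keystone/common/rbac_enforcer/enforcer.py
@@ -14,7 +14,6 @@ import functools
 
 import flask
 from oslo_log import log
-from oslo_policy import opts
 from oslo_policy import policy as common_policy
 from oslo_utils import strutils
 
@@ -40,13 +39,6 @@ _POSSIBLE_TARGET_ACTIONS = frozenset([
 _ENFORCEMENT_CHECK_ATTR = 'keystone:RBAC:enforcement_called'
 
 
-# TODO(gmann): Remove setting the default value of config policy_file
-# once oslo_policy change the default value to 'policy.yaml'.
-# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
-DEFAULT_POLICY_FILE = 'policy.yaml'
-opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
-
-
 class RBACEnforcer(object):
 """Enforce RBAC on API calls."""
 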
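diff --git a/keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py b/keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py
deleted file mode 100644
index 2b09cbc..0000000
--- a/keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py
+++ /dev/null
@@ -1,18 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# This is a placeholder for Ussuri backports. Do not use this number for new
-# Victoria work. New Victoria work starts after all the placeholders.
-
-
-def upgrade(migrate_engine):
- pass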
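diff --git a/keystone/common/sql/core.py b/keystone/common/sql/core.py
index 7670c47..ed84e58 100644
--- a/keystone/common/sql/core.py
+++ b/keystone/common/sql/core.py
@@ -119,11 +119,6 @@ ModelBase.__init__ = initialize_decorator(ModelBase.__init__)
 class JsonBlob(sql_types.TypeDecorator):
 
 impl = sql.Text
- # NOTE(ralonsoh): set to True as any other TypeDecorator in SQLAlchemy
- # https://docs.sqlalchemy.org/en/14/core/custom_types.html# \
- # sqlalchemy.types.TypeDecorator.cache_ok
- cache_ok = True
- """This type is safe to cache."""
 
 def process_bind_param(self, value, dialect):
 return jsonutils.dumps(value)
@@ -149,11 +144,6 @@ class DateTimeInt(sql_types.TypeDecorator):
 
 impl = sql.BigInteger
 epoch = datetime.datetime.fromtimestamp(0, tz=pytz.UTC)
- # NOTE(ralonsoh): set to True as any other TypeDecorator in SQLAlchemy
- # https://docs.sqlalchemy.org/en/14/core/custom_types.html# \
- # sqlalchemy.types.TypeDecorator.cache_ok
- cache_ok = True
- """This type is safe to cache."""
 
 def process_bind_param(self, value, dialect):
 if value is None: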
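diff --git a/keystone/common/sql/data_migration_repo/versions/079_migrate_update_local_id_limit.py b/keystone/common/sql/data_migration_repo/versions/079_migrate_update_local_id_limit.py
deleted file mode 100644
index 2b09cbc..0000000
--- a/keystone/common/sql/data_migration_repo/versions/079_migrate_update_local_id_limit.py
+++ /dev/null
@@ -1,18 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# This is a placeholder for Ussuri backports. Do not use this number for new
-# Victoria work. New Victoria work starts after all the placeholders.
-
-
-def upgrade(migrate_engine):
- pass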
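diff --git a/keystone/common/sql/expand_repo/versions/079_expand_update_local_id_limit.py b/keystone/common/sql/expand_repo/versions/079_expand_update_local_id_limit.py
deleted file mode 100644
index 20db838..0000000
--- a/keystone/common/sql/expand_repo/versions/079_expand_update_local_id_limit.py
+++ /dev/null
@@ -1,24 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import sqlalchemy as sql
-
-
-def upgrade(migrate_engine):
-
- meta = sql.MetaData()
- meta.bind = migrate_engine
-
- id_mapping_table = sql.Table(
- 'id_mapping', meta, autoload=True
- )
- id_mapping_table.c.local_id.alter(type=sql.String(255))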
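diff --git a/keystone/common/utils.py b/keystone/common/utils.py
index 7c3e7ae..1314085 100644
--- a/keystone/common/utils.py
+++ b/keystone/common/utils.py
@@ -16,7 +16,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-import collections.abc
+import collections
 import grp
 import hashlib
 import itertools
@@ -81,7 +81,7 @@ def flatten_dict(d, parent_key=''):
 items = []
 for k, v in d.items():
 new_key = parent_key + '.' + k if parent_key else k
- if isinstance(v, collections.abc.MutableMapping):
+ if isinstance(v, collections.MutableMapping):
 items.extend(list(flatten_dict(v, new_key).items()))
 else:
 items.append((new_key, v))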
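Review bot: `collections.MutableMapping` in `flatten_dict` is a compatibility alias that Python 3.10 removed, so the new `isinstance(v, collections.MutableMapping)` raises AttributeError on the first non-empty dict passed in on those interpreters. Keep the pair this change removes, `import collections.abc` and `if isinstance(v, collections.abc.MutableMapping):`, which works on every supported Python 3 release. If this tree must stay pinned to an older interpreter, that constraint deserves a comment beside the import. `flatten_dict` starts and ends outside the hunk.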
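diff --git a/keystone/conf/__init__.py b/keystone/conf/__init__.py
index 5de0ec1..77c26a1 100644
--- a/keystone/conf/__init__.py
+++ b/keystone/conf/__init__.py
@@ -18,7 +18,6 @@ from oslo_log import log
 from oslo_log import versionutils
 import oslo_messaging
 from oslo_middleware import cors
-from oslo_policy import opts as policy_opts
 from osprofiler import opts as profiler
 
 from keystone.conf import application_credential
@@ -186,12 +185,6 @@ def set_external_opts_defaults():
 # configure OSprofiler options
 profiler.set_defaults(CONF, enabled=False, trace_sqlalchemy=False)
 
- # TODO(gmann): Remove setting the default value of config policy_file
- # once oslo_policy change the default value to 'policy.yaml'.
- # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
- DEFAULT_POLICY_FILE = 'policy.yaml'
- policy_opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
-
 # Oslo.cache is always enabled by default for request-local caching
 # TODO(morganfainberg): Fix this to not use internal interface when
 # oslo.cache has proper interface to set defaults added. This is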
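--- a/keystone/conf/memcache.py
+++ b/keystone/conf/memcache.py
@@ -19,12 +19,6 @@ from keystone.conf import utils
 dead_retry = cfg.IntOpt(
 'dead_retry',
 default=5 * 60,
- deprecated_for_removal=True,
- deprecated_reason='This option has no effect. '
- 'Configure ``keystone.conf [cache] '
- 'memcache_dead_retry`` option to set the '
- 'dead_retry of memcached instead. ',
- deprecated_since='Y',
 help=utils.fmt("""
 Number of seconds memcached server is considered dead before it is tried again.
 This is used by the key value store system.
@@ -34,7 +28,7 @@ socket_timeout = cfg.IntOpt(
 'socket_timeout',
 default=3,
 deprecated_for_removal=True,
- deprecated_reason='This option has no effect. '
+ deprecated_reason='This option is duplicated with oslo.cache. '
 'Configure ``keystone.conf [cache] '
 'memcache_socket_timeout`` option to set the '
 'socket_timeout of memcached instead. ',
@@ -47,12 +41,6 @@ store system.
 pool_maxsize = cfg.IntOpt(
 'pool_maxsize',
 default=10,
- deprecated_for_removal=True,
- deprecated_reason='This option has no effect. '
- 'Configure ``keystone.conf [cache] '
- 'memcache_pool_maxsize`` option to set the '
- 'pool_maxsize of memcached instead. ',
- deprecated_since='Y',
 help=utils.fmt("""
 Max total number of open connections to every memcached server. This is used by
 the key value store system.
@@ -61,12 +49,6 @@ the key value store system.
 pool_unused_timeout = cfg.IntOpt(
 'pool_unused_timeout',
 default=60,
- deprecated_for_removal=True,
- deprecated_reason='This option has no effect. '
- 'Configure ``keystone.conf [cache] '
- 'memcache_pool_unused_timeout`` option to set the '
- 'pool_unused_timeout of memcached instead. ',
- deprecated_since='Y',
 help=utils.fmt("""
 Number of seconds a connection to memcached is held unused in the pool before
 it is closed. This is used by the key value store system.
@@ -75,12 +57,6 @@ it is closed. This is used by the key value store system.
 pool_connection_get_timeout = cfg.IntOpt(
 'pool_connection_get_timeout',
 default=10,
- deprecated_for_removal=True,
- deprecated_reason='This option has no effect. '
- 'Configure ``keystone.conf [cache] '
- 'memcache_pool_connection_get_timeout`` option to set '
- 'the connection_get_timeout of memcached instead. ',
- deprecated_since='Y',
 help=utils.fmt("""
 Number of seconds that an operation will wait to get a memcache client
 connection. This is used by the key value store system.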
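Review bot: `dead_retry`, `pool_maxsize`, `pool_unused_timeout` and `pool_connection_get_timeout` lose their deprecation markers in this section while their help text still says they are "used by the key value store system", and the removed `deprecated_reason` stated that each option has no effect. If the options are still not consumed (the reading code is not visible here), operators will tune them expecting to change memcached connection behaviour and nothing will happen. I would keep `deprecated_for_removal=True` together with a `deprecated_reason` naming the matching `[cache] memcache_*` option, as `socket_timeout` still does, or state in each help string which code path reads the value.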
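--- a/keystone/federation/idp.py
+++ b/keystone/federation/idp.py
@@ -366,11 +366,7 @@ class SAMLGenerator(object):
 
 """
 canonicalization_method = xmldsig.CanonicalizationMethod()
- # TODO(stephenfin): Drop when we remove support for pysaml < 7.1.0
- if hasattr(xmldsig, 'TRANSFORM_C14N'): # >= 7.1.0
- canonicalization_method.algorithm = xmldsig.TRANSFORM_C14N
- else: # < 7.1.0
- canonicalization_method.algorithm = xmldsig.ALG_EXC_C14N
+ canonicalization_method.algorithm = xmldsig.ALG_EXC_C14N
 signature_method = xmldsig.SignatureMethod(
 algorithm=xmldsig.SIG_RSA_SHA1)
 
@@ -378,11 +374,7 @@ class SAMLGenerator(object):
 envelope_transform = xmldsig.Transform(
 algorithm=xmldsig.TRANSFORM_ENVELOPED)
 
- # TODO(stephenfin): Drop when we remove support for pysaml < 7.1.0
- if hasattr(xmldsig, 'TRANSFORM_C14N'): # >= 7.1.0
- c14_transform = xmldsig.Transform(algorithm=xmldsig.TRANSFORM_C14N)
- else: # < 7.1.0
- c14_transform = xmldsig.Transform(algorithm=xmldsig.ALG_EXC_C14N)
+ c14_transform = xmldsig.Transform(algorithm=xmldsig.ALG_EXC_C14N)
 transforms.transform = [envelope_transform, c14_transform]
 
 digest_method = xmldsig.DigestMethod(algorithm=xmldsig.DIGEST_SHA1)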
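Review bot: Both call sites now read `xmldsig.ALG_EXC_C14N` unconditionally, and the removed comments say pysaml2 7.1.0 and later expose the constant as `TRANSFORM_C14N`, so on such a release assertion signing would presumably fail with `AttributeError` unless the requirements cap pysaml2 below 7.1.0 (not visible here). A form that works on both sides is `c14n_alg = getattr(xmldsig, 'TRANSFORM_C14N', None) or xmldsig.ALG_EXC_C14N`, used for both `canonicalization_method.algorithm` and `c14_transform`. Separately, the context lines sign with `xmldsig.SIG_RSA_SHA1` and digest with `xmldsig.DIGEST_SHA1`; SHA-1 is no longer collision-resistant and some service providers reject SHA-1 SAML signatures, so `SIG_RSA_SHA256` and `DIGEST_SHA256` would be the safer defaults. The enclosing method starts and ends outside the hunks.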
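--- a/keystone/identity/mapping_backends/sql.py
+++ b/keystone/identity/mapping_backends/sql.py
@@ -21,7 +21,7 @@ class IDMapping(sql.ModelBase, sql.ModelDictMixin):
 __tablename__ = 'id_mapping'
 public_id = sql.Column(sql.String(64), primary_key=True)
 domain_id = sql.Column(sql.String(64), nullable=False)
- local_id = sql.Column(sql.String(255), nullable=False)
+ local_id = sql.Column(sql.String(64), nullable=False)
 # NOTE(henry-nash): Postgres requires a name to be defined for an Enum
 entity_type = sql.Column(
 sql.Enum(identity_mapping.EntityType.USER,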
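Review bot: `local_id` is narrowed from `sql.String(255)` to `sql.String(64)`, and nothing visible in this hunk checks the length of the value before it is stored. Local IDs that come from an external identity backend such as LDAP can exceed 64 characters; depending on the database's SQL mode such a value is either rejected or silently truncated, and truncation could let two distinct local IDs share one mapping row. I would keep `local_id = sql.Column(sql.String(255), nullable=False)` unless the schema migration and the drivers (neither visible here) guarantee the shorter bound. The `IDMapping` class continues outside the hunk.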
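--- a/keystone/identity/shadow_backends/sql.py
+++ b/keystone/identity/shadow_backends/sql.py
@@ -98,8 +98,7 @@ class ShadowUsers(base.ShadowUsersDriverBase):
 x for x in hints.filters if x['name'] not in ('idp_id',
 'protocol_id',
 'unique_id')]
- if statements:
- query = query.filter(sqlalchemy.and_(*statements))
+ query = query.filter(sqlalchemy.and_(*statements))
 return query
 
 def get_federated_users(self, hints):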
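Review bot: With the `if statements:` guard gone, `sqlalchemy.and_(*statements)` is called with no arguments whenever `statements` is empty. SQLAlchemy 1.4 deprecates an argument-less `and_()` and announces that it will be disallowed in a future release, so the shape of this federated-user query would depend on the installed SQLAlchemy version. Keeping the guard avoids that: `if statements:` followed by `query = query.filter(sqlalchemy.and_(*statements))`. The enclosing method starts outside the hunk, so how `statements` is built is not visible here.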
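--- a/keystone/locale/en_GB/LC_MESSAGES/keystone.po
+++ b/keystone/locale/en_GB/LC_MESSAGES/keystone.po
@@ -12,11 +12,11 @@ msgid ""
 msgstr ""
 "Project-Id-Version: keystone VERSION\n"
 "Report-Msgid-Bugs-To: https://bugs.launchpad.net/openstack-i18n/\n"
-"POT-Creation-Date: 2021-01-08 19:57+0000\n"
+"POT-Creation-Date: 2020-06-18 11:23+0000\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2020-10-28 02:12+0000\n"
+"PO-Revision-Date: 2020-06-15 05:35+0000\n"
 "Last-Translator: Andi Chandler <andi@gowling.com>\n"
 "Language: en_GB\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
@@ -1384,14 +1384,6 @@ msgstr ""
 
 #, python-format
 msgid ""
-"Unable to create additional credentials, maximum of %(limit)d already "
-"exceeded for user."
-msgstr ""
-"Unable to create additional credentials, maximum of %(limit)d already "
-"exceeded for user."
-
-#, python-format
-msgid ""
 "Unable to delete immutable %(type)s resource: `%(resource_id)s. Set resource "
 "option \"immutable\" to false first."
 msgstr ""
@@ -1500,10 +1492,6 @@ msgstr ""
 "%(group_id)s, Project: %(project_id)s, Domain: %(domain_id)s."
 
 #, python-format
-msgid "Unexpected evaluation type \"%(eval_type)s\""
-msgstr "Unexpected evaluation type \"%(eval_type)s\""
-
-#, python-format
 msgid "Unexpected status requested for JSON Home response, %s"
 msgstr "Unexpected status requested for JSON Home response, %s"
 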
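--- a/keystone/models/revoke_model.py
+++ b/keystone/models/revoke_model.py
@@ -170,7 +170,7 @@ def matches(event, token_values):
 # rest of the logic.
 
 # The token has two attributes that can match the domain_id.
- if event.domain_id is not None and event.domain_id not in (
+ if event.domain_id is not None and event.domain_id not in(
 token_values['identity_domain_id'],
 token_values['assignment_domain_id'],):
 return False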
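--- a/keystone/tests/unit/assignment/test_backends.py
+++ b/keystone/tests/unit/assignment/test_backends.py
@@ -3694,9 +3694,9 @@ class ImpliedRoleTests(AssignmentTestHelperMixin):
 expected_implied_role_ref = {
 'prior_role_id': prior_role_ref['id'],
 'implied_role_id': implied_role_ref['id']}
- self.assertLessEqual(
- expected_implied_role_ref.items(),
- implied_role.items())
+ self.assertDictContainsSubset(
+ expected_implied_role_ref,
+ implied_role)
 
 PROVIDERS.role_api.delete_implied_role(
 prior_role_ref['id'],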
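Review bot: `assertDictContainsSubset` has been deprecated since Python 3.2 and is removed in Python 3.12, so this assertion raises `AttributeError` on a current interpreter unless the test base class supplies its own implementation (not visible here). The same call is introduced in every hunk of keystone/tests/unit/catalog/test_backends.py. A form that works across versions is `self.assertLessEqual(expected_implied_role_ref.items(), implied_role.items())`, which relies on dict item views comparing like sets. The test method starts and ends outside the hunk.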
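--- a/keystone/tests/unit/catalog/test_backends.py
+++ b/keystone/tests/unit/catalog/test_backends.py
@@ -111,23 +111,20 @@ class CatalogTests(object):
 PROVIDERS.catalog_api.get_region(region_id)
 # update the region bypassing catalog_api
 PROVIDERS.catalog_api.driver.update_region(region_id, updated_region)
- self.assertLessEqual(
- new_region.items(),
- PROVIDERS.catalog_api.get_region(region_id).items()
+ self.assertDictContainsSubset(
+ new_region, PROVIDERS.catalog_api.get_region(region_id)
 )
 PROVIDERS.catalog_api.get_region.invalidate(
 PROVIDERS.catalog_api, region_id
 )
- self.assertLessEqual(
- updated_region.items(),
- PROVIDERS.catalog_api.get_region(region_id).items()
+ self.assertDictContainsSubset(
+ updated_region, PROVIDERS.catalog_api.get_region(region_id)
 )
 # delete the region
 PROVIDERS.catalog_api.driver.delete_region(region_id)
 # still get the old region
- self.assertLessEqual(
- updated_region.items(),
- PROVIDERS.catalog_api.get_region(region_id).items()
+ self.assertDictContainsSubset(
+ updated_region, PROVIDERS.catalog_api.get_region(region_id)
 )
 PROVIDERS.catalog_api.get_region.invalidate(
 PROVIDERS.catalog_api, region_id
@@ -345,23 +342,20 @@ class CatalogTests(object):
 PROVIDERS.catalog_api.driver.update_service(
 service_id, updated_service
 )
- self.assertLessEqual(
- new_service.items(),
- PROVIDERS.catalog_api.get_service(service_id).items()
+ self.assertDictContainsSubset(
+ new_service, PROVIDERS.catalog_api.get_service(service_id)
 )
 PROVIDERS.catalog_api.get_service.invalidate(
 PROVIDERS.catalog_api, service_id
 )
- self.assertLessEqual(
- updated_service.items(),
- PROVIDERS.catalog_api.get_service(service_id).items()
+ self.assertDictContainsSubset(
+ updated_service, PROVIDERS.catalog_api.get_service(service_id)
 )
 
 # delete bypassing catalog api
 PROVIDERS.catalog_api.driver.delete_service(service_id)
- self.assertLessEqual(
- updated_service.items(),
- PROVIDERS.catalog_api.get_service(service_id).items()
+ self.assertDictContainsSubset(
+ updated_service, PROVIDERS.catalog_api.get_service(service_id)
 )
 PROVIDERS.catalog_api.get_service.invalidate(
 PROVIDERS.catalog_api, service_id
@@ -422,12 +416,12 @@ class CatalogTests(object):
 PROVIDERS.catalog_api.get_endpoint(endpoint['id'])
 # delete the service bypassing catalog api
 PROVIDERS.catalog_api.driver.delete_service(service['id'])
- self.assertLessEqual(
- endpoint.items(),
- PROVIDERS.catalog_api.get_endpoint(endpoint['id']).items())
- self.assertLessEqual(
- service.items(),
- PROVIDERS.catalog_api.get_service(service['id']).items())
+ self.assertDictContainsSubset(endpoint,
+ PROVIDERS.catalog_api.
+ get_endpoint(endpoint['id']))
+ self.assertDictContainsSubset(service,
+ PROVIDERS.catalog_api.
+ get_service(service['id']))
 PROVIDERS.catalog_api.get_endpoint.invalidate(
 PROVIDERS.catalog_api, endpoint['id']
 )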
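--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
@@ -1045,7 +1045,7 @@ class TestEventCallbacks(test_v3.RestfulTestCase):
 Foo()
 project_ref = unit.new_project_ref(domain_id=self.domain_id)
 PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
- self.assertCountEqual(['cb1', 'cb0'], callback_called)
+ self.assertItemsEqual(['cb1', 'cb0'], callback_called)
 
 def test_invalid_event_callbacks(self):
 @notifications.listener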
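Review bot: `assertItemsEqual` is the Python 2 name of this assertion; Python 3's `unittest.TestCase` provides only `assertCountEqual`, so the call in this hunk fails with `AttributeError` unless a base class or compatibility shim defines it (not visible here). Use `self.assertCountEqual(['cb1', 'cb0'], callback_called)`. The test method starts outside the hunk.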
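--- a/keystone/tests/unit/config_files/backend_ldap_sql.conf
+++ b/keystone/tests/unit/config_files/backend_ldap_sql.conf
@@ -5,7 +5,7 @@
 #connection = mysql+pymysql://keystone:keystone@localhost/keystone?charset=utf8
 #To Test PostgreSQL:
 #connection = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8
-connection_recycle_time = 200
+idle_timeout = 200
 
 [ldap]
 url = fake://memory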
5000 | diff --git a/keystone/tests/unit/config_files/backend_multi_ldap_sql.conf b/keystone/tests/unit/config_files/backend_multi_ldap_sql.conf |
The diff has been truncated for viewing.