1
diff --git a/.zuul.yaml b/.zuul.yaml
2
index fc3eebb..daadbc7 100644
3
--- a/.zuul.yaml
4
+++ b/.zuul.yaml
5
@@ -33,14 +33,6 @@
6
33
        USE_PYTHON3: True
33
        USE_PYTHON3: True
7
34
34
8
35
- job:
35
- job:
9
36
    name: keystone-dsvm-py3-functional-fips
10
37
    parent: keystone-dsvm-py3-functional
11
38
    nodeset: devstack-single-node-centos-8-stream
12
39
    description: |
13
40
      Functional testing for a FIPS enabled Centos 8 system
14
41
    pre-run: playbooks/enable-fips.yaml
15
42
16
43
- job:
17
44
    name: keystone-dsvm-functional-federation-opensuse15
36
    name: keystone-dsvm-functional-federation-opensuse15
18
45
    parent: keystone-dsvm-functional
37
    parent: keystone-dsvm-functional
19
46
    nodeset: devstack-single-node-opensuse-15
38
    nodeset: devstack-single-node-opensuse-15
20
@@ -110,6 +102,15 @@
21
110
      osa_test_repo: openstack/openstack-ansible-os_keystone
102
      osa_test_repo: openstack/openstack-ansible-os_keystone
22
111
103
23
112
- job:
104
- job:
24
105
     name: keystone-tox-protection
25
106
     parent: openstack-tox-py37
26
107
     timeout: 3600
27
108
     vars:
28
109
       tox_envlist: protection
29
110
       bindep_profile: test py37
30
111
       python_version: 3.7
31
112
32
113
- job:
33
113
    name: keystone-dsvm-ldap-domain-specific-driver
114
    name: keystone-dsvm-ldap-domain-specific-driver
34
114
    parent: devstack-tempest
115
    parent: devstack-tempest
35
115
    vars:
116
    vars:
36
@@ -209,7 +210,6 @@
37
209
      - check-requirements
210
      - check-requirements
38
210
      - integrated-gate-py3
211
      - integrated-gate-py3
39
211
      - release-notes-jobs-python3
212
      - release-notes-jobs-python3
40
212
      - openstack-python3-wallaby-jobs-arm64
41
213
    check:
213
    check:
42
214
      jobs:
214
      jobs:
43
215
        - keystone-dsvm-py3-functional:
215
        - keystone-dsvm-py3-functional:
44
@@ -220,9 +220,6 @@
45
220
              - ^etc/.*$
220
              - ^etc/.*$
46
221
              - ^keystone/tests/unit/.*$
221
              - ^keystone/tests/unit/.*$
47
222
              - ^releasenotes/.*$
222
              - ^releasenotes/.*$
48
223
        - keystone-dsvm-py3-functional-fips:
49
224
            voting: false
50
225
            irrelevant-files: *irrelevant-files
51
226
        - keystone-dsvm-py3-functional-federation-ubuntu-focal:
223
        - keystone-dsvm-py3-functional-federation-ubuntu-focal:
52
227
            voting: false
224
            voting: false
53
228
            irrelevant-files: *irrelevant-files
225
            irrelevant-files: *irrelevant-files
54
@@ -248,7 +245,7 @@
55
248
            irrelevant-files: *tempest-irrelevant-files
245
            irrelevant-files: *tempest-irrelevant-files
56
249
        - tempest-ipv6-only:
246
        - tempest-ipv6-only:
57
250
            irrelevant-files: *tempest-irrelevant-files
247
            irrelevant-files: *tempest-irrelevant-files
59
251
        - keystone-protection-functional
248
        - keystone-tox-protection
60
252
    gate:
249
    gate:
61
253
      jobs:
250
      jobs:
62
254
        - keystone-dsvm-py3-functional:
251
        - keystone-dsvm-py3-functional:
63
@@ -261,7 +258,7 @@
64
261
            irrelevant-files: *tempest-irrelevant-files
258
            irrelevant-files: *tempest-irrelevant-files
65
262
        - tempest-ipv6-only:
259
        - tempest-ipv6-only:
66
263
            irrelevant-files: *tempest-irrelevant-files
260
            irrelevant-files: *tempest-irrelevant-files
68
264
        - keystone-protection-functional
261
        - keystone-tox-protection
69
265
    experimental:
262
    experimental:
70
266
      jobs:
263
      jobs:
71
267
        - keystone-tox-patch_cover
264
        - keystone-tox-patch_cover
72
@@ -271,6 +268,8 @@
73
271
            irrelevant-files: *irrelevant-files
268
            irrelevant-files: *irrelevant-files
74
272
        - tempest-pg-full:
269
        - tempest-pg-full:
75
273
            irrelevant-files: *tempest-irrelevant-files
270
            irrelevant-files: *tempest-irrelevant-files
76
271
        - tempest-full-py3-opensuse15:
77
272
            irrelevant-files: *tempest-irrelevant-files
78
274
        - keystone-dsvm-functional-federation-centos7:
273
        - keystone-dsvm-functional-federation-centos7:
79
275
            irrelevant-files: *irrelevant-files
274
            irrelevant-files: *irrelevant-files
80
276
        - keystone-dsvm-functional-federation-ubuntu-xenial:
275
        - keystone-dsvm-functional-federation-ubuntu-xenial:
81
diff --git a/AUTHORS b/AUTHORS
82
index e0e5154..558a789 100644
83
--- a/AUTHORS
84
+++ b/AUTHORS
85
@@ -1,7 +1,6 @@
86
1
Adam Gandelman <adam.gandelman@canonical.com>
1
Adam Gandelman <adam.gandelman@canonical.com>
87
2
Adam Young <ayoung@f17httpd.ayoung530>
2
Adam Young <ayoung@f17httpd.ayoung530>
88
3
Adam Young <ayoung@redhat.com>
3
Adam Young <ayoung@redhat.com>
89
4
Ade Lee <alee@redhat.com>
90
5
Adipudi Praveena <padipudi@padipudi.(none)>
4
Adipudi Praveena <padipudi@padipudi.(none)>
91
6
Adrian Turjak <adriant@catalyst.net.nz>
5
Adrian Turjak <adriant@catalyst.net.nz>
92
7
Ajaya Agrawal <ajku.agr@gmail.com>
6
Ajaya Agrawal <ajku.agr@gmail.com>
93
@@ -177,7 +176,6 @@ Ghe Rivero <ghe@debian.org>
94
177
Gordon Chung <chungg@ca.ibm.com>
176
Gordon Chung <chungg@ca.ibm.com>
95
178
Graham Hayes <graham.hayes@hpe.com>
177
Graham Hayes <graham.hayes@hpe.com>
96
179
Grzegorz Grasza <grzegorz.grasza@intel.com>
178
Grzegorz Grasza <grzegorz.grasza@intel.com>
97
180
Grzegorz Grasza <xek@redhat.com>
98
181
Guang Yee <guang.yee@hpe.com>
179
Guang Yee <guang.yee@hpe.com>
99
182
Guang Yee <guang.yee@suse.com>
180
Guang Yee <guang.yee@suse.com>
100
183
Guo Shan <guoshan@awcloud.com>
181
Guo Shan <guoshan@awcloud.com>
101
@@ -199,7 +197,6 @@ Hervé Beraud <hberaud@redhat.com>
102
199
Hidekazu Nakamura <hid-nakamura@vf.jp.nec.com>
197
Hidekazu Nakamura <hid-nakamura@vf.jp.nec.com>
103
200
Hieu LE <hieulq@vn.fujitsu.com>
198
Hieu LE <hieulq@vn.fujitsu.com>
104
201
Hirofumi Ichihara <ichihara.hirofumi@lab.ntt.co.jp>
199
Hirofumi Ichihara <ichihara.hirofumi@lab.ntt.co.jp>
105
202
Hironori Shiina <shiina.hironori@jp.fujitsu.com>
106
203
Hongbin Lu <hongbin034@gmail.com>
200
Hongbin Lu <hongbin034@gmail.com>
107
204
Hugh Saunders <hugh@wherenow.org>
201
Hugh Saunders <hugh@wherenow.org>
108
205
Hugo Nicodemos <hugonicodemos@gmail.com>
202
Hugo Nicodemos <hugonicodemos@gmail.com>
109
@@ -348,7 +345,6 @@ Matthew Thode <mthode@mthode.org>
110
348
Matthew Treinish <mtreinish@kortar.org>
345
Matthew Treinish <mtreinish@kortar.org>
111
349
Matthew Treinish <treinish@linux.vnet.ibm.com>
346
Matthew Treinish <treinish@linux.vnet.ibm.com>
112
350
Matthieu Huin <mhu@enovance.com>
347
Matthieu Huin <mhu@enovance.com>
113
351
Maurice Escher <maurice.escher@sap.com>
114
352
Michael Basnight <mbasnight@gmail.com>
348
Michael Basnight <mbasnight@gmail.com>
115
353
Michael J Fork <mjfork@us.ibm.com>
349
Michael J Fork <mjfork@us.ibm.com>
116
354
Michael Krotscheck <krotscheck@gmail.com>
350
Michael Krotscheck <krotscheck@gmail.com>
117
@@ -422,7 +418,6 @@ Robert Collins <rbtcollins@hp.com>
118
422
Robert Collins <robertc@robertcollins.net>
418
Robert Collins <robertc@robertcollins.net>
119
423
Robert H. Hyerle <hyerle@hp.com>
419
Robert H. Hyerle <hyerle@hp.com>
120
424
Robin Norwood <robin.norwood@gmail.com>
420
Robin Norwood <robin.norwood@gmail.com>
121
425
Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
122
426
Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com>
421
Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com>
123
427
Rodrigo Duarte <rduartes@redhat.com>
422
Rodrigo Duarte <rduartes@redhat.com>
124
428
Rodrigo Duarte Sousa <rduartes@redhat.com>
423
Rodrigo Duarte Sousa <rduartes@redhat.com>
125
@@ -484,12 +479,10 @@ Sreyansh Jain <taishiroy2904@gmail.com>
126
484
Stanisław Pitucha <stanislaw.pitucha@hp.com>
479
Stanisław Pitucha <stanislaw.pitucha@hp.com>
127
485
Stef T <stelford@internap.com>
480
Stef T <stelford@internap.com>
128
486
Stephen Finucane <sfinucan@redhat.com>
481
Stephen Finucane <sfinucan@redhat.com>
129
487
Stephen Finucane <stephenfin@redhat.com>
130
488
Steve Baker <sbaker@redhat.com>
482
Steve Baker <sbaker@redhat.com>
131
489
Steve Martinelli <s.martinelli@gmail.com>
483
Steve Martinelli <s.martinelli@gmail.com>
132
490
Steve Martinelli <stevemar@ca.ibm.com>
484
Steve Martinelli <stevemar@ca.ibm.com>
133
491
Steven Hardy <shardy@redhat.com>
485
Steven Hardy <shardy@redhat.com>
134
492
Stuart Grace <stuart.grace@bbc.co.uk>
135
493
Stuart McLaren <stuart.mclaren@hp.com>
486
Stuart McLaren <stuart.mclaren@hp.com>
136
494
Suramya Shah <shah.suramya@gmail.com>
487
Suramya Shah <shah.suramya@gmail.com>
137
495
Sushil Kumar <sushil.kumar2@globallogic.com>
488
Sushil Kumar <sushil.kumar2@globallogic.com>
138
@@ -499,7 +492,6 @@ Sylvain Afchain <sylvain.afchain@enovance.com>
139
499
THOMAS J. COCOZZELLO <tjcocozz@us.ibm.com>
492
THOMAS J. COCOZZELLO <tjcocozz@us.ibm.com>
140
500
Tahmina Ahmed <tahmina.csebuet@gmail.com>
493
Tahmina Ahmed <tahmina.csebuet@gmail.com>
141
501
Taishi Roy <taishiroy2904@gmail.com>
494
Taishi Roy <taishiroy2904@gmail.com>
142
502
Takashi Kajinami <tkajinam@redhat.com>
143
503
Takashi NATSUME <natsume.takashi@lab.ntt.co.jp>
495
Takashi NATSUME <natsume.takashi@lab.ntt.co.jp>
144
504
Telles Nobrega <tellesmvn@lsd.ufcg.edu.br>
496
Telles Nobrega <tellesmvn@lsd.ufcg.edu.br>
145
505
Theodore Ilie <theodorex.ilie@intel.com>
497
Theodore Ilie <theodorex.ilie@intel.com>
146
@@ -564,7 +556,6 @@ Yong Sheng Gong <gongysh@cn.ibm.com>
147
564
Yong Sheng Gong <gongysh@unitedstack.com>
556
Yong Sheng Gong <gongysh@unitedstack.com>
148
565
You Ji <jiyou09@gmail.com>
557
You Ji <jiyou09@gmail.com>
149
566
You Yamagata <bi.yamagata@gmail.com>
558
You Yamagata <bi.yamagata@gmail.com>
150
567
YuehuiLei <leiyuehui-s@inspur.com>
151
568
Yuiko Takada <takada-yuiko@mxn.nes.nec.co.jp>
559
Yuiko Takada <takada-yuiko@mxn.nes.nec.co.jp>
152
569
Yun Mao <yunmao@gmail.com>
560
Yun Mao <yunmao@gmail.com>
153
570
Yuriy Taraday <yorik.sar@gmail.com>
561
Yuriy Taraday <yorik.sar@gmail.com>
154
@@ -672,7 +663,6 @@ prashkre <prashkre@in.ibm.com>
155
672
qinglin.cheng <qinglin.cheng@easystack.cn>
663
qinglin.cheng <qinglin.cheng@easystack.cn>
156
673
r-sekine <r-sekine@intellilink.co.jp>
664
r-sekine <r-sekine@intellilink.co.jp>
157
674
rajat29 <rajat.sharma@nectechnologies.in>
665
rajat29 <rajat.sharma@nectechnologies.in>
158
675
ricolin <rico.lin.guanyu@gmail.com>
159
676
rocky <haigang.xu@easystack.cn>
666
rocky <haigang.xu@easystack.cn>
160
677
root <root@newapps.(none)>
667
root <root@newapps.(none)>
161
678
rpedde <ron@pedde.com>
668
rpedde <ron@pedde.com>
162
@@ -699,7 +689,6 @@ wanghui <wang_hui@inspur.com>
163
699
wanglong <wl3617@qq.com>
689
wanglong <wl3617@qq.com>
164
700
wangqiangbj <wangqiangbj@inspur.com>
690
wangqiangbj <wangqiangbj@inspur.com>
165
701
wangxiyuan <wangxiyuan@huawei.com>
691
wangxiyuan <wangxiyuan@huawei.com>
166
702
wangzihao <wangzihao@yovole.com>
167
703
werner mendizabal <nonameentername@gmail.com>
692
werner mendizabal <nonameentername@gmail.com>
168
704
whoami-rajat <rajatdhasmana@gmail.com>
693
whoami-rajat <rajatdhasmana@gmail.com>
169
705
wingwj <wingwj@gmail.com>
694
wingwj <wingwj@gmail.com>
170
@@ -710,7 +699,6 @@ xingzhou <xingzhou@cn.ibm.com>
171
710
xuhaigang <haigang.xu@easystack.cn>
699
xuhaigang <haigang.xu@easystack.cn>
172
711
xurong00037997 <xu.rong@zte.com.cn>
700
xurong00037997 <xu.rong@zte.com.cn>
173
712
yanghuichan <yanghc@fiberhome.com>
701
yanghuichan <yanghc@fiberhome.com>
174
713
yangshaoxue <yang.shaoxue@99cloud.net>
175
714
yangweiwei <yangweiwei@cmss.chinamobile.com>
702
yangweiwei <yangweiwei@cmss.chinamobile.com>
176
715
yangyapeng <yang.yapeng@99cloud.net>
703
yangyapeng <yang.yapeng@99cloud.net>
177
716
yaroslavmt <yaroslavmt@gmail.com>
704
yaroslavmt <yaroslavmt@gmail.com>
178
diff --git a/ChangeLog b/ChangeLog
179
index d5d2a11..2f980e8 100644
180
--- a/ChangeLog
181
+++ b/ChangeLog
182
@@ -1,64 +1,21 @@
183
1
CHANGES
1
CHANGES
184
2
=======
2
=======
185
3
3
202
4
* Add 'WarningsFixture'
4
18.1.0
187
5
* Add support for pysaml2 >= 7.1.0
188
6
* tox: Random fixups
189
7
* Deprecate ineffective [memcache] options
190
8
* Fix response code of 'Revoke Token' in api-ref
191
9
* Accept STS and IAM services from Ceph Obj Gateway
192
10
* Fix oslo policy warning assert in unit tests
193
11
* Temporary exclude the common.sql.core.py from sphinx-apidoc target
194
12
* Remove broken tempest-full-py3-opensuse15 job
195
13
* Fix typos in application credential policies
196
14
* Fix typo in identity provider policies
197
15
* Update master for stable/xena
198
16
* Improve performance on trust deletion
199
17
* Replace deprecated assertDictContainsSubset
200
18
201
19
20.0.0
203
20
------
5
------
204
21
6
205
7
* Fix typos in application credential policies
206
22
* Fix typos in ec2 credential policies
8
* Fix typos in ec2 credential policies
218
23
* Fix oslo policy DeprecatedRule warnings
9
* Fix typo in identity provider policies
208
24
* Update local\_id limit to 255 characters
209
25
* Add FIPS check job
210
26
* Replace deprecated import of ABCs from collections
211
27
* Moving IRC network reference to OFTC
212
28
* Update master for stable/wallaby
213
29
* Remove use of deprecated oslo.db options
214
30
* docs: Fix failing build
215
31
* Make DB queries compatible with SQLAlchemy 1.4.x
216
32
* fix get\_security\_compliance\_domain\_config policy rule typo
217
33
* setup.cfg: Replace dashes with underscores
219
34
* Hide AccountLocked exception from end users
10
* Hide AccountLocked exception from end users
220
35
* Retry update\_user when sqlalchemy raises StaleDataErrors
11
* Retry update\_user when sqlalchemy raises StaleDataErrors
221
36
* Imported Translations from Zanata
222
37
223
38
19.0.0.0rc1
224
39
-----------
225
40
226
41
* Add job for keystone functional protection tests
227
42
* trivial: Update minor wording nit in RBAC persona documentation
228
43
* Clarify top-level personas in RBAC documentation
229
44
* Clarify \`\`reader\`\` role implementation in persona admin guide
230
45
* [goal] Deprecate the JSON formatted policy file
231
46
* Ignore oslo.db deprecating sqlalchemy-migrate warning
232
47
* Add openstack-python3-wallaby-jobs-arm64 job
233
48
* Support bytes type in generate\_public\_ID()
12
* Support bytes type in generate\_public\_ID()
234
49
* Imported Translations from Zanata
235
50
* Drop lower-constraints job
236
51
* fix E741 ambiguous variable name
237
52
* fix E225 missing whitespace around operator
238
53
* Use app cred user ID in policy enforcement
13
* Use app cred user ID in policy enforcement
241
54
* Generalize release note for bug 1878938
14
* Update TOX\_CONSTRAINTS\_FILE for stable/victoria
242
55
* Use enforce\_new\_defaults when setting up keystone protection tests
15
* Drop lower-constraints job
243
16
* Delete system role assignments from system\_assignment table
244
56
* Implement more robust connection handling for asynchronous LDAP calls
17
* Implement more robust connection handling for asynchronous LDAP calls
250
57
* Imported Translations from Zanata
18
* Update .gitreview for stable/victoria
246
58
* Update master for stable/victoria
247
59
* Add vine to lower-constraints
248
60
* Simplify default config test
249
61
* Replace assertItemsEqual with assertCountEqual
251
62
19
252
63
18.0.0
20
18.0.0
253
64
------
21
------
254
@@ -75,9 +32,7 @@ CHANGES
255
75
* Spelling Fix
32
* Spelling Fix
256
76
* NIT: Spelling Fix
33
* NIT: Spelling Fix
257
77
* Properly handle octet (byte) strings when converting LDAP responses
34
* Properly handle octet (byte) strings when converting LDAP responses
258
78
* Add support for functional RBAC tests
259
79
* Fix invalid assertTrue which should be assertEqual
35
* Fix invalid assertTrue which should be assertEqual
260
80
* Delete system role assignments from system\_assignment table
261
81
* Fix api-ref for list endpoints
36
* Fix api-ref for list endpoints
262
82
* Fix lower-constraint for PyMySQL
37
* Fix lower-constraint for PyMySQL
263
83
* Fix doc for package mod\_wsgi on Centos8/RHEL8
38
* Fix doc for package mod\_wsgi on Centos8/RHEL8
264
diff --git a/PKG-INFO b/PKG-INFO
265
index 3b63a18..c4bc751 100644
266
--- a/PKG-INFO
267
+++ b/PKG-INFO
268
@@ -1,11 +1,73 @@
269
1
Metadata-Version: 2.1
1
Metadata-Version: 2.1
270
2
Name: keystone
2
Name: keystone
272
3
Version: 20.1.0.dev27
3
Version: 18.1.0
273
4
Summary: OpenStack Identity
4
Summary: OpenStack Identity
274
5
Home-page: https://docs.openstack.org/keystone/latest
5
Home-page: https://docs.openstack.org/keystone/latest
275
6
Author: OpenStack
6
Author: OpenStack
276
7
Author-email: openstack-discuss@lists.openstack.org
7
Author-email: openstack-discuss@lists.openstack.org
277
8
License: UNKNOWN
8
License: UNKNOWN
278
9
Description: ==================
279
10
        OpenStack Keystone
280
11
        ==================
281
12
        
282
13
        .. image:: https://governance.openstack.org/tc/badges/keystone.svg
283
14
            :target: https://governance.openstack.org/tc/reference/tags/index.html
284
15
        
285
16
        .. Change things from this point on
286
17
        
287
18
        OpenStack Keystone provides authentication, authorization and service discovery
288
19
        mechanisms via HTTP primarily for use by projects in the OpenStack family. It
289
20
        is most commonly deployed as an HTTP interface to existing identity systems,
290
21
        such as LDAP.
291
22
        
292
23
        Developer documentation, the source of which is in ``doc/source/``, is
293
24
        published at:
294
25
        
295
26
            https://docs.openstack.org/keystone/latest
296
27
        
297
28
        The API reference and documentation are available at:
298
29
        
299
30
            https://docs.openstack.org/api-ref/identity
300
31
        
301
32
        The canonical client library is available at:
302
33
        
303
34
            https://opendev.org/openstack/python-keystoneclient
304
35
        
305
36
        Documentation for cloud administrators is available at:
306
37
        
307
38
            https://docs.openstack.org/
308
39
        
309
40
        The source of documentation for cloud administrators is available at:
310
41
        
311
42
            https://opendev.org/openstack/openstack-manuals
312
43
        
313
44
        Information about our team meeting is available at:
314
45
        
315
46
            https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
316
47
        
317
48
        Release notes is available at:
318
49
        
319
50
            https://docs.openstack.org/releasenotes/keystone
320
51
        
321
52
        Bugs and feature requests are tracked on Launchpad at:
322
53
        
323
54
            https://bugs.launchpad.net/keystone
324
55
        
325
56
        Future design work is tracked at:
326
57
        
327
58
            https://specs.openstack.org/openstack/keystone-specs
328
59
        
329
60
        Contributors are encouraged to join IRC (``#openstack-keystone`` on freenode):
330
61
        
331
62
            https://wiki.openstack.org/wiki/IRC
332
63
        
333
64
        Source for the project:
334
65
        
335
66
            https://opendev.org/openstack/keystone
336
67
        
337
68
        For information on contributing to Keystone, see ``CONTRIBUTING.rst``.
338
69
        
339
70
        
340
9
Platform: UNKNOWN
71
Platform: UNKNOWN
341
10
Classifier: Environment :: OpenStack
72
Classifier: Environment :: OpenStack
342
11
Classifier: Intended Audience :: Information Technology
73
Classifier: Intended Audience :: Information Technology
343
@@ -24,69 +86,3 @@ Provides-Extra: ldap
344
24
Provides-Extra: memcache
86
Provides-Extra: memcache
345
25
Provides-Extra: mongodb
87
Provides-Extra: mongodb
346
26
Provides-Extra: test
88
Provides-Extra: test
347
27
License-File: LICENSE
348
28
License-File: AUTHORS
349
29
350
30
==================
351
31
OpenStack Keystone
352
32
==================
353
33
354
34
.. image:: https://governance.openstack.org/tc/badges/keystone.svg
355
35
    :target: https://governance.openstack.org/tc/reference/tags/index.html
356
36
357
37
.. Change things from this point on
358
38
359
39
OpenStack Keystone provides authentication, authorization and service discovery
360
40
mechanisms via HTTP primarily for use by projects in the OpenStack family. It
361
41
is most commonly deployed as an HTTP interface to existing identity systems,
362
42
such as LDAP.
363
43
364
44
Developer documentation, the source of which is in ``doc/source/``, is
365
45
published at:
366
46
367
47
    https://docs.openstack.org/keystone/latest
368
48
369
49
The API reference and documentation are available at:
370
50
371
51
    https://docs.openstack.org/api-ref/identity
372
52
373
53
The canonical client library is available at:
374
54
375
55
    https://opendev.org/openstack/python-keystoneclient
376
56
377
57
Documentation for cloud administrators is available at:
378
58
379
59
    https://docs.openstack.org/
380
60
381
61
The source of documentation for cloud administrators is available at:
382
62
383
63
    https://opendev.org/openstack/openstack-manuals
384
64
385
65
Information about our team meeting is available at:
386
66
387
67
    https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
388
68
389
69
Release notes is available at:
390
70
391
71
    https://docs.openstack.org/releasenotes/keystone
392
72
393
73
Bugs and feature requests are tracked on Launchpad at:
394
74
395
75
    https://bugs.launchpad.net/keystone
396
76
397
77
Future design work is tracked at:
398
78
399
79
    https://specs.openstack.org/openstack/keystone-specs
400
80
401
81
Contributors are encouraged to join IRC (``#openstack-keystone`` on OFTC):
402
82
403
83
    https://wiki.openstack.org/wiki/IRC
404
84
405
85
Source for the project:
406
86
407
87
    https://opendev.org/openstack/keystone
408
88
409
89
For information on contributing to Keystone, see ``CONTRIBUTING.rst``.
410
90
411
91
412
92
413
diff --git a/README.rst b/README.rst
414
index 520a71e..2a19ff5 100644
415
--- a/README.rst
416
+++ b/README.rst
417
@@ -49,7 +49,7 @@ Future design work is tracked at:
418
49
49
419
50
    https://specs.openstack.org/openstack/keystone-specs
50
    https://specs.openstack.org/openstack/keystone-specs
420
51
51
422
52
Contributors are encouraged to join IRC (``#openstack-keystone`` on OFTC):
52
Contributors are encouraged to join IRC (``#openstack-keystone`` on freenode):
423
53
53
424
54
    https://wiki.openstack.org/wiki/IRC
54
    https://wiki.openstack.org/wiki/IRC
425
55
55
426
diff --git a/api-ref/source/v3/authenticate-v3.inc b/api-ref/source/v3/authenticate-v3.inc
427
index d69972a..11f19cb 100644
428
--- a/api-ref/source/v3/authenticate-v3.inc
429
+++ b/api-ref/source/v3/authenticate-v3.inc
430
@@ -965,7 +965,7 @@ Status Codes
431
965
965
432
966
.. rest_status_code:: success status.yaml
966
.. rest_status_code:: success status.yaml
433
967
967
435
968
   - 204
968
   - 201
436
969
969
437
970
.. rest_status_code:: error status.yaml
970
.. rest_status_code:: error status.yaml
438
971
971
439
diff --git a/devstack/lib/scope.sh b/devstack/lib/scope.sh
440
972
deleted file mode 100644
972
deleted file mode 100644
441
index 255ed69..0000000
442
--- a/devstack/lib/scope.sh
443
+++ /dev/null
444
@@ -1,26 +0,0 @@
445
1
# Copyright 2019 SUSE LLC
446
2
#
447
3
# Licensed under the Apache License, Version 2.0 (the "License"); you may
448
4
# not use this file except in compliance with the License. You may obtain
449
5
# a copy of the License at
450
6
#
451
7
#      http://www.apache.org/licenses/LICENSE-2.0
452
8
#
453
9
# Unless required by applicable law or agreed to in writing, software
454
10
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
455
11
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
456
12
# License for the specific language governing permissions and limitations
457
13
# under the License.
458
14
459
15
function configure_enforce_scope {
460
16
    iniset $KEYSTONE_CONF oslo_policy enforce_scope true
461
17
    iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
462
18
    iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
463
19
    sudo systemctl restart devstack@keystone
464
20
}
465
21
466
22
function configure_protection_tests {
467
23
    iniset $TEMPEST_CONFIG identity-feature-enabled enforce_scope true
468
24
    iniset $TEMPEST_CONFIG auth admin_system true
469
25
    iniset $TEMPEST_CONFIG auth admin_project_name ''
470
26
}
471
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
472
index 8f7a385..924b820 100644
473
--- a/devstack/plugin.sh
474
+++ b/devstack/plugin.sh
475
@@ -15,7 +15,6 @@
476
15
15
477
16
KEYSTONE_PLUGIN=$DEST/keystone/devstack
16
KEYSTONE_PLUGIN=$DEST/keystone/devstack
478
17
source $KEYSTONE_PLUGIN/lib/federation.sh
17
source $KEYSTONE_PLUGIN/lib/federation.sh
479
18
source $KEYSTONE_PLUGIN/lib/scope.sh
480
19
18
481
20
# For more information on Devstack plugins, including a more detailed
19
# For more information on Devstack plugins, including a more detailed
482
21
# explanation on when the different steps are executed please see:
20
# explanation on when the different steps are executed please see:
483
@@ -48,12 +47,6 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
484
48
    if is_service_enabled keystone-saml2-federation; then
47
    if is_service_enabled keystone-saml2-federation; then
485
49
        configure_tests_settings
48
        configure_tests_settings
486
50
    fi
49
    fi
487
51
    if [[ "$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)" == "True" ]] ; then
488
52
        # devstack and tempest assume enforce_scope is false, so need to wait
489
53
        # until the final phase to turn it on
490
54
        configure_enforce_scope
491
55
        configure_protection_tests
492
56
    fi
493
57
fi
50
fi
494
58
51
495
59
if [[ "$1" == "unstack" ]]; then
52
if [[ "$1" == "unstack" ]]; then
496
diff --git a/doc/source/admin/cli-manage-projects-users-and-roles.rst b/doc/source/admin/cli-manage-projects-users-and-roles.rst
497
index 8d2f837..f27979d 100644
498
--- a/doc/source/admin/cli-manage-projects-users-and-roles.rst
499
+++ b/doc/source/admin/cli-manage-projects-users-and-roles.rst
500
@@ -10,8 +10,8 @@ define which actions users can perform. You assign roles to
501
10
user-project pairs.
10
user-project pairs.
502
11
11
503
12
You can define actions for OpenStack service roles in the
12
You can define actions for OpenStack service roles in the
506
13
``/etc/PROJECT/policy.yaml`` files. For example, define actions for
13
``/etc/PROJECT/policy.json`` files. For example, define actions for
507
14
Compute service roles in the ``/etc/nova/policy.yaml`` file.
14
Compute service roles in the ``/etc/nova/policy.json`` file.
508
15
15
509
16
You can manage projects, users, and roles independently from each other.
16
You can manage projects, users, and roles independently from each other.
510
17
17
511
diff --git a/doc/source/admin/domain-specific-config.inc b/doc/source/admin/domain-specific-config.inc
512
index 2d8f993..3797e30 100644
513
--- a/doc/source/admin/domain-specific-config.inc
514
+++ b/doc/source/admin/domain-specific-config.inc
515
@@ -146,12 +146,6 @@ then the same public ID will be created. This is useful if you are running
516
146
multiple keystones and want to ensure the same ID would be generated whichever
146
multiple keystones and want to ensure the same ID would be generated whichever
517
147
server you hit.
147
server you hit.
518
148
148
519
149
.. NOTE::
520
150
521
151
    In case of the LDAP backend, the names of users and groups are not hashed.
522
152
    As a result, these are length limited to 255 characters. Longer names
523
153
    will result in an error.
524
154
525
155
While keystone will dynamically maintain the identity mapping, including
149
While keystone will dynamically maintain the identity mapping, including
526
156
removing entries when entities are deleted via the keystone, for those entities
150
removing entries when entities are deleted via the keystone, for those entities
527
157
in backends that are managed outside of keystone (e.g. a read-only LDAP),
151
in backends that are managed outside of keystone (e.g. a read-only LDAP),
528
diff --git a/doc/source/admin/identity-concepts.rst b/doc/source/admin/identity-concepts.rst
529
index 0f8cfc5..3d615c0 100644
530
--- a/doc/source/admin/identity-concepts.rst
531
+++ b/doc/source/admin/identity-concepts.rst
532
@@ -122,9 +122,9 @@ Identity user management examples:
533
122
     Individual services assign meaning to roles, typically through
122
     Individual services assign meaning to roles, typically through
534
123
     limiting or granting access to users with the role to the
123
     limiting or granting access to users with the role to the
535
124
     operations that the service supports. Role access is typically
124
     operations that the service supports. Role access is typically
537
125
     configured in the service's ``policy.yaml`` file. For example,
125
     configured in the service's ``policy.json`` file. For example,
538
126
     to limit Compute access to the ``compute-user`` role, edit the
126
     to limit Compute access to the ``compute-user`` role, edit the
540
127
     Compute service's ``policy.yaml`` file to require this role for
127
     Compute service's ``policy.json`` file to require this role for
541
128
     Compute operations.
128
     Compute operations.
542
129
129
543
130
The Identity service assigns a project and a role to a user. You might
130
The Identity service assigns a project and a role to a user. You might
544
@@ -139,25 +139,25 @@ A user can have different roles in different projects. For example, Alice
545
139
might also have the ``admin`` role in the ``Cyberdyne`` project. A user
139
might also have the ``admin`` role in the ``Cyberdyne`` project. A user
546
140
can also have multiple roles in the same project.
140
can also have multiple roles in the same project.
547
141
141
549
142
The ``/etc/[SERVICE_CODENAME]/policy.yaml`` file controls the
142
The ``/etc/[SERVICE_CODENAME]/policy.json`` file controls the
550
143
tasks that users can perform for a given service. For example, the
143
tasks that users can perform for a given service. For example, the
553
144
``/etc/nova/policy.yaml`` file specifies the access policy for the
144
``/etc/nova/policy.json`` file specifies the access policy for the
554
145
Compute service, the ``/etc/glance/policy.yaml`` file specifies
145
Compute service, the ``/etc/glance/policy.json`` file specifies
555
146
the access policy for the Image service, and the
146
the access policy for the Image service, and the
557
147
``/etc/keystone/policy.yaml`` file specifies the access policy for
147
``/etc/keystone/policy.json`` file specifies the access policy for
558
148
the Identity service.
148
the Identity service.
559
149
149
561
150
The default ``policy.yaml`` files in the Compute, Identity, and
150
The default ``policy.json`` files in the Compute, Identity, and
562
151
Image services recognize only the ``admin`` role. Any user with
151
Image services recognize only the ``admin`` role. Any user with
563
152
any role in a project can access all operations that do not require the
152
any role in a project can access all operations that do not require the
564
153
``admin`` role.
153
``admin`` role.
565
154
154
566
155
To restrict users from performing operations in, for example, the
155
To restrict users from performing operations in, for example, the
567
156
Compute service, you must create a role in the Identity service and
156
Compute service, you must create a role in the Identity service and
569
157
then modify the ``/etc/nova/policy.yaml`` file so that this role
157
then modify the ``/etc/nova/policy.json`` file so that this role
570
158
is required for Compute operations.
158
is required for Compute operations.
571
159
159
573
160
For example, the following line in the ``/etc/cinder/policy.yaml``
160
For example, the following line in the ``/etc/cinder/policy.json``
574
161
file does not restrict which users can create volumes:
161
file does not restrict which users can create volumes:
575
162
162
576
163
.. code-block:: none
163
.. code-block:: none
577
diff --git a/doc/source/admin/service-api-protection.rst b/doc/source/admin/service-api-protection.rst
578
index 47886ae..80b8af1 100644
579
--- a/doc/source/admin/service-api-protection.rst
580
+++ b/doc/source/admin/service-api-protection.rst
581
@@ -10,16 +10,14 @@ Like most OpenStack services, keystone protects its API using role-based access
582
10
control (RBAC).
10
control (RBAC).
583
11
11
584
12
Users can access different APIs depending on the roles they have on a project,
12
Users can access different APIs depending on the roles they have on a project,
586
13
domain, or system, which we refer to as scope.
13
domain, or system.
587
14
14
588
15
As of the Rocky release, keystone provides three roles called ``admin``,
15
As of the Rocky release, keystone provides three roles called ``admin``,
589
16
``member``, and ``reader`` by default. Operators can grant these roles to any
16
``member``, and ``reader`` by default. Operators can grant these roles to any
591
17
actor (e.g., group or user) on any scope (e.g., system, domain, or project).
17
actor (e.g., group or user) on any target (e.g., system, domain, or project).
592
18
If you need a refresher on authorization scopes and token types, please refer
18
If you need a refresher on authorization scopes and token types, please refer
593
19
to the `token guide`_. The following sections describe how each default role
19
to the `token guide`_. The following sections describe how each default role
597
20
behaves with keystone's API across different scopes. Additionally, other
20
behaves with keystone's API across different scopes.
595
21
service developers can use this document as a guide for implementing similar
596
22
patterns in their services.
598
23
21
599
24
Default roles and behaviors across scopes allow operators to delegate more
22
Default roles and behaviors across scopes allow operators to delegate more
600
25
functionality to their team, auditors, customers, and users without maintaining
23
functionality to their team, auditors, customers, and users without maintaining
601
@@ -31,10 +29,9 @@ custom policies.
602
31
Roles Definitions
29
Roles Definitions
603
32
-----------------
30
-----------------
604
33
31
609
34
The default roles provided by keystone, via ``keystone-manage boostrap``, are
32
The default roles imply one another. The ``admin`` role implies the ``member``
610
35
related through role implications. The ``admin`` role implies the ``member``
33
role, and the ``member`` role implies the ``reader`` role. This implication
611
36
role, and the ``member`` role implies the ``reader`` role. These implications
34
means users with the ``admin`` role automatically have the ``member`` and
608
37
mean users with the ``admin`` role automatically have the ``member`` and
612
38
``reader`` roles. Additionally, users with the ``member`` role automatically
35
``reader`` roles. Additionally, users with the ``member`` role automatically
613
39
have the ``reader`` role. Implying roles reduces role assignments and forms a
36
have the ``reader`` role. Implying roles reduces role assignments and forms a
614
40
natural hierarchy between the default roles. It also reduces the complexity of
37
natural hierarchy between the default roles. It also reduces the complexity of
615
@@ -54,26 +51,6 @@ Instead of:
616
54
Reader
51
Reader
617
55
======
52
======
618
56
53
619
57
.. warning::
620
58
621
59
   While it's possible to use the ``reader`` role to perform audits, we highly
622
60
   recommend assessing the viability of using ``reader`` for auditing from the
623
61
   perspective of the compliance target you're pursuing.
624
62
625
63
   The ``reader`` role is the least-privileged role within the role hierarchy
626
64
   described here. As such, OpenStack development teams, by default, do not
627
65
   advocate exposing sensitive information to users with the ``reader`` role,
628
66
   regardless of the scope. We have noted the need for a formal, read-only,
629
67
   role that is useful for inspecting all applicable resources within a
630
68
   particular scope, but it shouldn't be implemented as the lowest level of
631
69
   authorization. This work will come in a subsequent release where we support
632
70
   an elevated read-only role, that implies ``reader``, but also exposes
633
71
   sensitive information, where applicable.
634
72
635
73
   This will allow operators to grant third-party auditors a permissive role
636
74
   for viewing sensitive information, specifically for compliance targets that
637
75
   require it.
638
76
639
77
The ``reader`` role provides read-only access to resources within the system, a
54
The ``reader`` role provides read-only access to resources within the system, a
640
78
domain, or a project. Depending on the assignment scope, two users with the
55
domain, or a project. Depending on the assignment scope, two users with the
641
79
``reader`` role can expect different API behaviors. For example, a user with
56
``reader`` role can expect different API behaviors. For example, a user with
642
@@ -87,20 +64,6 @@ roles. For example, to accomplish this without analyzing assignment scope, you
643
87
would need ``system-reader``, ``domain-reader``, and ``project-reader`` roles
64
would need ``system-reader``, ``domain-reader``, and ``project-reader`` roles
644
88
in addition to custom policies for each service.
65
in addition to custom policies for each service.
645
89
66
646
90
It's imperative to note that ``reader`` is the least authoritative role in the
647
91
hierarchy because assignments using ``admin`` or ``member`` ultimately include
648
92
the ``reader`` role. We document this explicitly so that ``reader`` roles are not
649
93
overloaded with read-only access to sensitive information. For example, a deployment
650
94
pursuing a specific compliance target may want to leverage the ``reader`` role
651
95
to perform the audit. If the audit requires the auditor to evaluate sensitive
652
96
information, like license keys or administrative metadata, within a given
653
97
scope, auditors shouldn't expect to perform these operations with the
654
98
``reader`` role. We justify this design decision because sensitive information
655
99
should be explicitly protected, and not implicitly exposed.
656
100
657
101
The ``reader`` role should be implemented and used from the perspective of
658
102
least-privilege, which may or may not fulfill your auditing use case.
659
103
660
104
Member
67
Member
661
105
======
68
======
662
106
69
663
@@ -132,30 +95,9 @@ services are addressing this individually at their own pace).
664
132
   As of the Train release, keystone applies the following personas
95
   As of the Train release, keystone applies the following personas
665
133
   consistently across its API.
96
   consistently across its API.
666
134
97
689
135
---------------
98
---------------------
668
136
System Personas
669
137
---------------
670
138
671
139
This section describes authorization personas typically used for operators and
672
140
deployers. You can find all users with system role assignments using the
673
141
following query:
674
142
675
143
.. code-block:: console
676
144
677
145
    $ openstack role assignment list --names --system all
678
146
    +--------+------------------------+------------------------+---------+--------+--------+-----------+
679
147
    | Role   | User                   | Group                  | Project | Domain | System | Inherited |
680
148
    +--------+------------------------+------------------------+---------+--------+--------+-----------+
681
149
    | admin  |                        | system-admins@Default  |         |        | all    | False     |
682
150
    | admin  | admin@Default          |                        |         |        | all    | False     |
683
151
    | admin  | operator@Default       |                        |         |        | all    | False     |
684
152
    | reader |                        | system-support@Default |         |        | all    | False     |
685
153
    | admin  | operator@Default       |                        |         |        | all    | False     |
686
154
    | member | system-support@Default |                        |         |        | all    | False     |
687
155
    +--------+------------------------+------------------------+---------+--------+--------+-----------+
688
156
690
157
System Administrators
99
System Administrators
692
158
=====================
100
---------------------
693
159
101
694
160
*System administrators* are allowed to manage every resource in keystone.
102
*System administrators* are allowed to manage every resource in keystone.
695
161
System administrators are typically operators and cloud administrators. They
103
System administrators are typically operators and cloud administrators. They
696
@@ -169,7 +111,7 @@ assignments:
697
169
111
698
170
.. code-block:: console
112
.. code-block:: console
699
171
113
701
172
    $ openstack role assignment list --names --system all --role admin
114
    $ openstack role assignment list --names --system all
702
173
    +-------+------------------+-----------------------+---------+--------+--------+-----------+
115
    +-------+------------------+-----------------------+---------+--------+--------+-----------+
703
174
    | Role  | User             | Group                 | Project | Domain | System | Inherited |
116
    | Role  | User             | Group                 | Project | Domain | System | Inherited |
704
175
    +-------+------------------+-----------------------+---------+--------+--------+-----------+
117
    +-------+------------------+-----------------------+---------+--------+--------+-----------+
705
@@ -178,57 +120,38 @@ assignments:
706
178
    | admin | operator@Default |                       |         |        | all    | False     |
120
    | admin | operator@Default |                       |         |        | all    | False     |
707
179
    +-------+------------------+-----------------------+---------+--------+--------+-----------+
121
    +-------+------------------+-----------------------+---------+--------+--------+-----------+
708
180
122
709
123
-------------------------------
710
181
System Members & System Readers
124
System Members & System Readers
712
182
===============================
125
-------------------------------
713
183
126
714
184
In keystone, *system members* and *system readers* are very similar and have
127
In keystone, *system members* and *system readers* are very similar and have
715
185
the same authorization. Users with these roles on the system can view all
128
the same authorization. Users with these roles on the system can view all
718
186
resources within keystone. They can list role assignments, users, projects, and
129
resources within keystone. They can audit role assignments, users, projects,
719
187
group memberships, among other resources.
130
and group memberships, among other resources.
720
188
131
725
189
The *system reader* persona is useful for members of a support team or auditors
132
The *system reader* persona is useful for auditors or members of a support
726
190
if the audit doesn't require access to sensitive information. You can find
133
team. You can find *system members* and *system readers* in your deployment
727
191
*system members* and *system readers* in your deployment with the following
134
with the following assignments:
724
192
assignments:
728
193
135
729
194
.. code-block:: console
136
.. code-block:: console
730
195
137
731
196
    $ openstack role assignment list --names --system all --role member --role reader
138
    $ openstack role assignment list --names --system all --role member --role reader
739
197
    +--------+------------------------+------------------------+---------+--------+--------+-----------+
139
    +--------+------------------------+-------------------------+---------+--------+--------+-----------+
740
198
    | Role   | User                   | Group                  | Project | Domain | System | Inherited |
140
    | Role   | User                   | Group                   | Project | Domain | System | Inherited |
741
199
    +--------+------------------------+------------------------+---------+--------+--------+-----------+
141
    +--------+------------------------+-------------------------+---------+--------+--------+-----------+
742
200
    | reader |                        | system-support@Default |         |        | all    | False     |
142
    | reader |                        | system-auditors@Default |         |        | all    | False     |
743
201
    | admin  | operator@Default       |                        |         |        | all    | False     |
143
    | admin  | operator@Default       |                         |         |        | all    | False     |
744
202
    | member | system-support@Default |                        |         |        | all    | False     |
144
    | member | system-support@Default |                         |         |        | all    | False     |
745
203
    +--------+------------------------+------------------------+---------+--------+--------+-----------+
145
    +--------+------------------------+-------------------------+---------+--------+--------+-----------+
746
204
146
747
205
.. warning::
147
.. warning::
748
206
148
749
207
   Filtering system role assignments is currently broken and is being tracked
149
   Filtering system role assignments is currently broken and is being tracked
750
208
   as a `bug <https://bugs.launchpad.net/keystone/+bug/1846817>`_.
150
   as a `bug <https://bugs.launchpad.net/keystone/+bug/1846817>`_.
751
209
151
772
210
---------------
152
---------------------
753
211
Domain Personas
754
212
---------------
755
213
756
214
This section describes authorization personas for people who manage their own
757
215
domains, which contain projects, users, and groups. You can find all users with
758
216
role assignments on a specific domain using the following query:
759
217
760
218
.. code-block:: console
761
219
762
220
    $ openstack role assignment list --names --domain foobar
763
221
    +--------+-----------------+----------------------+---------+--------+--------+-----------+
764
222
    | Role   | User            | Group                | Project | Domain | System | Inherited |
765
223
    +--------+-----------------+----------------------+---------+--------+--------+-----------+
766
224
    | reader | support@Default |                      |         | foobar |        | False     |
767
225
    | admin  | jsmith@Default  |                      |         | foobar |        | False     |
768
226
    | admin  |                 | foobar-admins@foobar |         | foobar |        | False     |
769
227
    | member | jdoe@foobar     |                      |         | foobar |        | False     |
770
228
    +--------+-----------------+----------------------+---------+--------+--------+-----------+
771
229
773
230
Domain Administrators
153
Domain Administrators
775
231
=====================
154
---------------------
776
232
155
777
233
*Domain administrators* can manage most aspects of the domain or its contents.
156
*Domain administrators* can manage most aspects of the domain or its contents.
778
234
These users can create new projects and users within their domain. They can
157
These users can create new projects and users within their domain. They can
779
@@ -251,18 +174,18 @@ assignment:
780
251
    | admin |                | foobar-admins@foobar |         | foobar |        | False     |
174
    | admin |                | foobar-admins@foobar |         | foobar |        | False     |
781
252
    +-------+----------------+----------------------+---------+--------+--------+-----------+
175
    +-------+----------------+----------------------+---------+--------+--------+-----------+
782
253
176
783
177
-------------------------------
784
254
Domain Members & Domain Readers
178
Domain Members & Domain Readers
786
255
===============================
179
-------------------------------
787
256
180
788
257
Domain members and domain readers have the same relationship as system members
181
Domain members and domain readers have the same relationship as system members
789
258
and system readers. They're allowed to view resources and information about
182
and system readers. They're allowed to view resources and information about
790
259
their domain. They aren't allowed to access system-specific information or
183
their domain. They aren't allowed to access system-specific information or
791
260
information about projects, groups, and users outside their domain.
184
information about projects, groups, and users outside their domain.
792
261
185
797
262
The domain member and domain reader use-cases are great for support teams,
186
The domain member and domain reader use-cases are great for auditing, support,
798
263
monitoring the details of an account, or auditing resources within a domain
187
or monitoring the details of an account. You can find domain members and domain
799
264
assuming the audit doesn't validate sensitive information. You can find domain
188
readers with the following role assignments:
796
265
members and domain readers with the following role assignments:
800
266
189
801
267
.. code-block:: console
190
.. code-block:: console
802
268
191
803
@@ -276,35 +199,16 @@ members and domain readers with the following role assignments:
804
276
    +--------+-----------------+-------+---------+--------+--------+-----------+
199
    +--------+-----------------+-------+---------+--------+--------+-----------+
805
277
    | Role   | User            | Group | Project | Domain | System | Inherited |
200
    | Role   | User            | Group | Project | Domain | System | Inherited |
806
278
    +--------+-----------------+-------+---------+--------+--------+-----------+
201
    +--------+-----------------+-------+---------+--------+--------+-----------+
808
279
    | reader | support@Default |       |         | foobar |        | False     |
202
    | reader | auditor@Default |       |         | foobar |        | False     |
809
280
    +--------+-----------------+-------+---------+--------+--------+-----------+
203
    +--------+-----------------+-------+---------+--------+--------+-----------+
810
281
204
811
282
----------------
812
283
Project Personas
813
284
----------------
814
285
815
286
This section describes authorization personas for users operating within a
816
287
project. These personas are commonly used by end users. You can find all users
817
288
with role assignments on a specific project using the following query:
818
289
819
290
.. code-block:: console
820
291
821
292
    $ openstack role assignment list --names --project production
822
293
    +--------+----------------+----------------------------+-------------------+--------+--------+-----------+
823
294
    | Role   | User           | Group                      | Project           | Domain | System | Inherited |
824
295
    +--------+----------------+----------------------------+-------------------+--------+--------+-----------+
825
296
    | admin  | jsmith@Default |                            | production@foobar |        |        | False     |
826
297
    | admin  |                | production-admins@foobar   | production@foobar |        |        | False     |
827
298
    | member |                | foobar-operators@Default   | production@foobar |        |        | False     |
828
299
    | reader | alice@Default  |                            | production@foobar |        |        | False     |
829
300
    | reader |                | production-support@Default | production@foobar |        |        | False     |
830
301
    +--------+----------------+----------------------------+-------------------+--------+--------+-----------+
831
302
205
832
206
----------------------
833
303
Project Administrators
207
Project Administrators
835
304
======================
208
----------------------
836
305
209
839
306
*Project administrators* can only view and modify data within the project they
210
*Project administrators* can only view and modify data within the project in
840
307
have authorization on. They're able to view information about their projects
211
their role assignment. They're able to view information about their projects
841
308
and set tags on their projects. They're not allowed to view system or domain
212
and set tags on their projects. They're not allowed to view system or domain
842
309
resources, as that would violate the tenancy of their role assignment. Since
213
resources, as that would violate the tenancy of their role assignment. Since
843
310
the majority of the resources in keystone's API are system and domain-specific,
214
the majority of the resources in keystone's API are system and domain-specific,
844
@@ -323,8 +227,9 @@ role assignment:
845
323
    | admin |                | production-admins@foobar | production@foobar |        |        | False     |
227
    | admin |                | production-admins@foobar | production@foobar |        |        | False     |
846
324
    +-------+----------------+--------------------------+-------------------+--------+--------+-----------+
228
    +-------+----------------+--------------------------+-------------------+--------+--------+-----------+
847
325
229
848
230
---------------------------------
849
326
Project Members & Project Readers
231
Project Members & Project Readers
851
327
=================================
232
---------------------------------
852
328
233
853
329
*Project members* and *project readers* can discover information about their
234
*Project members* and *project readers* can discover information about their
854
330
projects. They can access important information like resource limits for their
235
projects. They can access important information like resource limits for their
855
@@ -344,12 +249,12 @@ the following role assignments:
856
344
    | member |      | foobar-operators@Default | production@foobar |        |        | False     |
249
    | member |      | foobar-operators@Default | production@foobar |        |        | False     |
857
345
    +--------+------+--------------------------+-------------------+--------+--------+-----------+
250
    +--------+------+--------------------------+-------------------+--------+--------+-----------+
858
346
    $ openstack role assignment list --names --project production --role reader
251
    $ openstack role assignment list --names --project production --role reader
865
347
    +--------+---------------+----------------------------+-------------------+--------+--------+-----------+
252
    +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+
866
348
    | Role   | User          | Group                      | Project           | Domain | System | Inherited |
253
    | Role   | User            | Group                      | Project           | Domain | System | Inherited |
867
349
    +--------+---------------+----------------------------+-------------------+--------+--------+-----------+
254
    +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+
868
350
    | reader | alice@Default |                            | production@foobar |        |        | False     |
255
    | reader | auditor@Default |                            | production@foobar |        |        | False     |
869
351
    | reader |               | production-support@Default | production@foobar |        |        | False     |
256
    | reader |                 | production-support@Default | production@foobar |        |        | False     |
870
352
    +--------+---------------+----------------------------+-------------------+--------+--------+-----------+
257
    +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+
871
353
258
872
354
----------------
259
----------------
873
355
Writing Policies
260
Writing Policies
874
diff --git a/doc/source/admin/upgrading.rst b/doc/source/admin/upgrading.rst
875
index 709d98d..687dba4 100644
876
--- a/doc/source/admin/upgrading.rst
877
+++ b/doc/source/admin/upgrading.rst
878
@@ -42,7 +42,7 @@ Plan your upgrade:
879
42
  to re-read the release notes for the previous release (or two!).
42
  to re-read the release notes for the previous release (or two!).
880
43
43
881
44
* Prepare your new configuration files, including ``keystone.conf``,
44
* Prepare your new configuration files, including ``keystone.conf``,
883
45
  ``logging.conf``, ``policy.yaml``, ``keystone-paste.ini``, and anything else
45
  ``logging.conf``, ``policy.json``, ``keystone-paste.ini``, and anything else
884
46
  in ``/etc/keystone/``, by customizing the corresponding files from the next
46
  in ``/etc/keystone/``, by customizing the corresponding files from the next
885
47
  release.
47
  release.
886
48
48
887
diff --git a/doc/source/conf.py b/doc/source/conf.py
888
index 45cd82f..819c1d9 100644
889
--- a/doc/source/conf.py
890
+++ b/doc/source/conf.py
891
@@ -55,11 +55,7 @@ apidoc_output_dir = 'api'
892
55
apidoc_excluded_paths = [
55
apidoc_excluded_paths = [
893
56
    'tests/*',
56
    'tests/*',
894
57
    'tests',
57
    'tests',
900
58
    'test',
58
    'test']
896
59
    # TODO(gmann): with new release of SQLAlchemy(1.4.27) TypeDecorator used
897
60
    # in common/sql/core.py file started failing. Remove this oncethe issue of
898
61
    # TypeDecorator is fixed.
899
62
    'common/sql/core.py']
901
63
apidoc_separate_modules = True
59
apidoc_separate_modules = True
902
64
60
903
65
# sphinxcontrib.seqdiag options
61
# sphinxcontrib.seqdiag options
904
diff --git a/doc/source/configuration/policy.rst b/doc/source/configuration/policy.rst
905
index 3f80c5e..daafdea 100644
906
--- a/doc/source/configuration/policy.rst
907
+++ b/doc/source/configuration/policy.rst
908
@@ -2,15 +2,6 @@
909
2
Policy configuration
2
Policy configuration
910
3
====================
3
====================
911
4
4
912
5
.. warning::
913
6
914
7
   JSON formatted policy file is deprecated since Keystone 19.0.0 (Wallaby).
915
8
   This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
916
9
   JSON-formatted policy file to YAML in a backward-compatible way.
917
10
918
11
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
919
12
920
13
921
14
Configuration
5
Configuration
922
15
~~~~~~~~~~~~~
6
~~~~~~~~~~~~~
923
16
7
924
diff --git a/doc/source/contributor/how-can-i-help.rst b/doc/source/contributor/how-can-i-help.rst
925
index 47c2f4a..4e37af0 100644
926
--- a/doc/source/contributor/how-can-i-help.rst
927
+++ b/doc/source/contributor/how-can-i-help.rst
928
@@ -50,7 +50,7 @@ become part of the team:
929
50
  You can also subscribe to email notifications for new bugs.
50
  You can also subscribe to email notifications for new bugs.
930
51
* Subscribe to the openstack-discuss@lists.openstack.org mailing list (filter on
51
* Subscribe to the openstack-discuss@lists.openstack.org mailing list (filter on
931
52
  subject tag ``[keystone]``) and join the #openstack-keystone IRC channel on
52
  subject tag ``[keystone]``) and join the #openstack-keystone IRC channel on
933
53
  OFTC. Help answer user support questions if you or your organization has
53
  freenode. Help answer user support questions if you or your organization has
934
54
  faced and solved a similar problem, or chime in on design discussions that
54
  faced and solved a similar problem, or chime in on design discussions that
935
55
  will affect you and your organization.
55
  will affect you and your organization.
936
56
* Check out the low hanging fruit bugs, submit patches to fix them:
56
* Check out the low hanging fruit bugs, submit patches to fix them:
937
diff --git a/doc/source/getting-started/community.rst b/doc/source/getting-started/community.rst
938
index 4598cd8..47145ad 100644
939
--- a/doc/source/getting-started/community.rst
940
+++ b/doc/source/getting-started/community.rst
941
@@ -34,10 +34,10 @@ from feature designs to documentation to testing to deployment scripts.
942
34
.. _Launchpad: https://launchpad.net/keystone
34
.. _Launchpad: https://launchpad.net/keystone
943
35
.. _wiki: https://wiki.openstack.org/
35
.. _wiki: https://wiki.openstack.org/
944
36
36
947
37
#openstack-keystone on OFTC IRC Network
37
#openstack-keystone on Freenode IRC Network
948
38
---------------------------------------
38
-------------------------------------------
949
39
39
951
40
You can find Keystone folks in `<irc://oftc.net/#openstack-keystone>`_.
40
You can find Keystone folks in `<irc://freenode.net/#openstack-keystone>`_.
952
41
This is usually the best place to ask questions and find your way around. IRC
41
This is usually the best place to ask questions and find your way around. IRC
953
42
stands for Internet Relay Chat and it is a way to chat online in real time.
42
stands for Internet Relay Chat and it is a way to chat online in real time.
954
43
You can also ask a question and come back to the log files to read the answer
43
You can also ask a question and come back to the log files to read the answer
955
diff --git a/doc/source/getting-started/policy_mapping.rst b/doc/source/getting-started/policy_mapping.rst
956
index a7cb27c..2975b45 100644
957
--- a/doc/source/getting-started/policy_mapping.rst
958
+++ b/doc/source/getting-started/policy_mapping.rst
959
@@ -2,7 +2,7 @@
960
2
Mapping of policy target to API
2
Mapping of policy target to API
961
3
===============================
3
===============================
962
4
4
964
5
The following table shows the target in the policy.yaml file for each API.
5
The following table shows the target in the policy.json file for each API.
965
6
6
966
7
=========================================================  ===
7
=========================================================  ===
967
8
Target                                                     API
8
Target                                                     API
968
diff --git a/keystone.egg-info/PKG-INFO b/keystone.egg-info/PKG-INFO
969
index 3b63a18..c4bc751 100644
970
--- a/keystone.egg-info/PKG-INFO
971
+++ b/keystone.egg-info/PKG-INFO
972
@@ -1,11 +1,73 @@
973
1
Metadata-Version: 2.1
1
Metadata-Version: 2.1
974
2
Name: keystone
2
Name: keystone
976
3
Version: 20.1.0.dev27
3
Version: 18.1.0
977
4
Summary: OpenStack Identity
4
Summary: OpenStack Identity
978
5
Home-page: https://docs.openstack.org/keystone/latest
5
Home-page: https://docs.openstack.org/keystone/latest
979
6
Author: OpenStack
6
Author: OpenStack
980
7
Author-email: openstack-discuss@lists.openstack.org
7
Author-email: openstack-discuss@lists.openstack.org
981
8
License: UNKNOWN
8
License: UNKNOWN
982
9
Description: ==================
983
10
        OpenStack Keystone
984
11
        ==================
985
12
        
986
13
        .. image:: https://governance.openstack.org/tc/badges/keystone.svg
987
14
            :target: https://governance.openstack.org/tc/reference/tags/index.html
988
15
        
989
16
        .. Change things from this point on
990
17
        
991
18
        OpenStack Keystone provides authentication, authorization and service discovery
992
19
        mechanisms via HTTP primarily for use by projects in the OpenStack family. It
993
20
        is most commonly deployed as an HTTP interface to existing identity systems,
994
21
        such as LDAP.
995
22
        
996
23
        Developer documentation, the source of which is in ``doc/source/``, is
997
24
        published at:
998
25
        
999
26
            https://docs.openstack.org/keystone/latest
1000
27
        
1001
28
        The API reference and documentation are available at:
1002
29
        
1003
30
            https://docs.openstack.org/api-ref/identity
1004
31
        
1005
32
        The canonical client library is available at:
1006
33
        
1007
34
            https://opendev.org/openstack/python-keystoneclient
1008
35
        
1009
36
        Documentation for cloud administrators is available at:
1010
37
        
1011
38
            https://docs.openstack.org/
1012
39
        
1013
40
        The source of documentation for cloud administrators is available at:
1014
41
        
1015
42
            https://opendev.org/openstack/openstack-manuals
1016
43
        
1017
44
        Information about our team meeting is available at:
1018
45
        
1019
46
            https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
1020
47
        
1021
48
        Release notes is available at:
1022
49
        
1023
50
            https://docs.openstack.org/releasenotes/keystone
1024
51
        
1025
52
        Bugs and feature requests are tracked on Launchpad at:
1026
53
        
1027
54
            https://bugs.launchpad.net/keystone
1028
55
        
1029
56
        Future design work is tracked at:
1030
57
        
1031
58
            https://specs.openstack.org/openstack/keystone-specs
1032
59
        
1033
60
        Contributors are encouraged to join IRC (``#openstack-keystone`` on freenode):
1034
61
        
1035
62
            https://wiki.openstack.org/wiki/IRC
1036
63
        
1037
64
        Source for the project:
1038
65
        
1039
66
            https://opendev.org/openstack/keystone
1040
67
        
1041
68
        For information on contributing to Keystone, see ``CONTRIBUTING.rst``.
1042
69
        
1043
70
        
1044
9
Platform: UNKNOWN
71
Platform: UNKNOWN
1045
10
Classifier: Environment :: OpenStack
72
Classifier: Environment :: OpenStack
1046
11
Classifier: Intended Audience :: Information Technology
73
Classifier: Intended Audience :: Information Technology
1047
@@ -24,69 +86,3 @@ Provides-Extra: ldap
1048
24
Provides-Extra: memcache
86
Provides-Extra: memcache
1049
25
Provides-Extra: mongodb
87
Provides-Extra: mongodb
1050
26
Provides-Extra: test
88
Provides-Extra: test
1051
27
License-File: LICENSE
1052
28
License-File: AUTHORS
1053
29
1054
30
==================
1055
31
OpenStack Keystone
1056
32
==================
1057
33
1058
34
.. image:: https://governance.openstack.org/tc/badges/keystone.svg
1059
35
    :target: https://governance.openstack.org/tc/reference/tags/index.html
1060
36
1061
37
.. Change things from this point on
1062
38
1063
39
OpenStack Keystone provides authentication, authorization and service discovery
1064
40
mechanisms via HTTP primarily for use by projects in the OpenStack family. It
1065
41
is most commonly deployed as an HTTP interface to existing identity systems,
1066
42
such as LDAP.
1067
43
1068
44
Developer documentation, the source of which is in ``doc/source/``, is
1069
45
published at:
1070
46
1071
47
    https://docs.openstack.org/keystone/latest
1072
48
1073
49
The API reference and documentation are available at:
1074
50
1075
51
    https://docs.openstack.org/api-ref/identity
1076
52
1077
53
The canonical client library is available at:
1078
54
1079
55
    https://opendev.org/openstack/python-keystoneclient
1080
56
1081
57
Documentation for cloud administrators is available at:
1082
58
1083
59
    https://docs.openstack.org/
1084
60
1085
61
The source of documentation for cloud administrators is available at:
1086
62
1087
63
    https://opendev.org/openstack/openstack-manuals
1088
64
1089
65
Information about our team meeting is available at:
1090
66
1091
67
    https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
1092
68
1093
69
Release notes is available at:
1094
70
1095
71
    https://docs.openstack.org/releasenotes/keystone
1096
72
1097
73
Bugs and feature requests are tracked on Launchpad at:
1098
74
1099
75
    https://bugs.launchpad.net/keystone
1100
76
1101
77
Future design work is tracked at:
1102
78
1103
79
    https://specs.openstack.org/openstack/keystone-specs
1104
80
1105
81
Contributors are encouraged to join IRC (``#openstack-keystone`` on OFTC):
1106
82
1107
83
    https://wiki.openstack.org/wiki/IRC
1108
84
1109
85
Source for the project:
1110
86
1111
87
    https://opendev.org/openstack/keystone
1112
88
1113
89
For information on contributing to Keystone, see ``CONTRIBUTING.rst``.
1114
90
1115
91
1116
92
1117
diff --git a/keystone.egg-info/SOURCES.txt b/keystone.egg-info/SOURCES.txt
1118
index fc8c6b6..b1af601 100644
1119
--- a/keystone.egg-info/SOURCES.txt
1120
+++ b/keystone.egg-info/SOURCES.txt
1121
@@ -315,7 +315,6 @@ devstack/files/federation/shib_apache_alias.txt
1122
315
devstack/files/federation/shib_apache_handler.txt
315
devstack/files/federation/shib_apache_handler.txt
1123
316
devstack/files/federation/shibboleth2.xml
316
devstack/files/federation/shibboleth2.xml
1124
317
devstack/lib/federation.sh
317
devstack/lib/federation.sh
1125
318
devstack/lib/scope.sh
1126
319
doc/Makefile
318
doc/Makefile
1127
320
doc/README.rst
319
doc/README.rst
1128
321
doc/requirements.txt
320
doc/requirements.txt
1129
@@ -473,7 +472,6 @@ keystone.egg-info/SOURCES.txt
1130
473
keystone.egg-info/dependency_links.txt
472
keystone.egg-info/dependency_links.txt
1131
474
keystone.egg-info/entry_points.txt
473
keystone.egg-info/entry_points.txt
1132
475
keystone.egg-info/not-zip-safe
474
keystone.egg-info/not-zip-safe
1133
476
keystone.egg-info/pbr.json
1134
477
keystone.egg-info/requires.txt
475
keystone.egg-info/requires.txt
1135
478
keystone.egg-info/top_level.txt
476
keystone.egg-info/top_level.txt
1136
479
keystone/api/__init__.py
477
keystone/api/__init__.py
1137
@@ -705,7 +703,6 @@ keystone/common/sql/contract_repo/versions/075_placeholder.py
1138
705
keystone/common/sql/contract_repo/versions/076_placeholder.py
703
keystone/common/sql/contract_repo/versions/076_placeholder.py
1139
706
keystone/common/sql/contract_repo/versions/077_placeholder.py
704
keystone/common/sql/contract_repo/versions/077_placeholder.py
1140
707
keystone/common/sql/contract_repo/versions/078_placeholder.py
705
keystone/common/sql/contract_repo/versions/078_placeholder.py
1141
708
keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py
1142
709
keystone/common/sql/contract_repo/versions/__init__.py
706
keystone/common/sql/contract_repo/versions/__init__.py
1143
710
keystone/common/sql/data_migration_repo/README
707
keystone/common/sql/data_migration_repo/README
1144
711
keystone/common/sql/data_migration_repo/__init__.py
708
keystone/common/sql/data_migration_repo/__init__.py
1145
@@ -789,7 +786,6 @@ keystone/common/sql/data_migration_repo/versions/075_placeholder.py
1146
789
keystone/common/sql/data_migration_repo/versions/076_placeholder.py
786
keystone/common/sql/data_migration_repo/versions/076_placeholder.py
1147
790
keystone/common/sql/data_migration_repo/versions/077_placeholder.py
787
keystone/common/sql/data_migration_repo/versions/077_placeholder.py
1148
791
keystone/common/sql/data_migration_repo/versions/078_placeholder.py
788
keystone/common/sql/data_migration_repo/versions/078_placeholder.py
1149
792
keystone/common/sql/data_migration_repo/versions/079_migrate_update_local_id_limit.py
1150
793
keystone/common/sql/data_migration_repo/versions/__init__.py
789
keystone/common/sql/data_migration_repo/versions/__init__.py
1151
794
keystone/common/sql/expand_repo/README
790
keystone/common/sql/expand_repo/README
1152
795
keystone/common/sql/expand_repo/__init__.py
791
keystone/common/sql/expand_repo/__init__.py
1153
@@ -873,7 +869,6 @@ keystone/common/sql/expand_repo/versions/075_placeholder.py
1154
873
keystone/common/sql/expand_repo/versions/076_placeholder.py
869
keystone/common/sql/expand_repo/versions/076_placeholder.py
1155
874
keystone/common/sql/expand_repo/versions/077_placeholder.py
870
keystone/common/sql/expand_repo/versions/077_placeholder.py
1156
875
keystone/common/sql/expand_repo/versions/078_placeholder.py
871
keystone/common/sql/expand_repo/versions/078_placeholder.py
1157
876
keystone/common/sql/expand_repo/versions/079_expand_update_local_id_limit.py
1158
877
keystone/common/sql/expand_repo/versions/__init__.py
872
keystone/common/sql/expand_repo/versions/__init__.py
1159
878
keystone/common/sql/migrate_repo/README
873
keystone/common/sql/migrate_repo/README
1160
879
keystone/common/sql/migrate_repo/__init__.py
874
keystone/common/sql/migrate_repo/__init__.py
1161
@@ -1235,6 +1230,8 @@ keystone/tests/unit/config_files/backend_multi_ldap_sql.conf
1162
1235
keystone/tests/unit/config_files/backend_pool_liveldap.conf
1230
keystone/tests/unit/config_files/backend_pool_liveldap.conf
1163
1236
keystone/tests/unit/config_files/backend_sql.conf
1231
keystone/tests/unit/config_files/backend_sql.conf
1164
1237
keystone/tests/unit/config_files/backend_tls_liveldap.conf
1232
keystone/tests/unit/config_files/backend_tls_liveldap.conf
1165
1233
keystone/tests/unit/config_files/deprecated.conf
1166
1234
keystone/tests/unit/config_files/deprecated_override.conf
1167
1238
keystone/tests/unit/config_files/test_auth_plugin.conf
1235
keystone/tests/unit/config_files/test_auth_plugin.conf
1168
1239
keystone/tests/unit/config_files/domain_configs_default_ldap_one_sql/keystone.domain1.conf
1236
keystone/tests/unit/config_files/domain_configs_default_ldap_one_sql/keystone.domain1.conf
1169
1240
keystone/tests/unit/config_files/domain_configs_multi_ldap/keystone.Default.conf
1237
keystone/tests/unit/config_files/domain_configs_multi_ldap/keystone.Default.conf
1170
@@ -1281,7 +1278,6 @@ keystone/tests/unit/ksfixtures/key_repository.py
1171
1281
keystone/tests/unit/ksfixtures/ldapdb.py
1278
keystone/tests/unit/ksfixtures/ldapdb.py
1172
1282
keystone/tests/unit/ksfixtures/policy.py
1279
keystone/tests/unit/ksfixtures/policy.py
1173
1283
keystone/tests/unit/ksfixtures/temporaryfile.py
1280
keystone/tests/unit/ksfixtures/temporaryfile.py
1174
1284
keystone/tests/unit/ksfixtures/warnings.py
1175
1285
keystone/tests/unit/limit/__init__.py
1281
keystone/tests/unit/limit/__init__.py
1176
1286
keystone/tests/unit/limit/test_backends.py
1282
keystone/tests/unit/limit/test_backends.py
1177
1287
keystone/tests/unit/policy/__init__.py
1283
keystone/tests/unit/policy/__init__.py
1178
@@ -1328,7 +1324,6 @@ keystone/trust/backends/__init__.py
1179
1328
keystone/trust/backends/base.py
1324
keystone/trust/backends/base.py
1180
1329
keystone/trust/backends/sql.py
1325
keystone/trust/backends/sql.py
1181
1330
keystone_tempest_plugin/README.rst
1326
keystone_tempest_plugin/README.rst
1182
1331
playbooks/enable-fips.yaml
1183
1332
rally-jobs/README.rst
1327
rally-jobs/README.rst
1184
1333
rally-jobs/keystone.yaml
1328
rally-jobs/keystone.yaml
1185
1334
releasenotes/notes/.placeholder
1329
releasenotes/notes/.placeholder
1186
@@ -1573,11 +1568,8 @@ releasenotes/notes/bug-1885753-51df25f3ff1d9ae8.yaml
1187
1573
releasenotes/notes/bug-1886017-bc2ad648d57101a2.yaml
1568
releasenotes/notes/bug-1886017-bc2ad648d57101a2.yaml
1188
1574
releasenotes/notes/bug-1889936-78d6853b5212b8f1.yaml
1569
releasenotes/notes/bug-1889936-78d6853b5212b8f1.yaml
1189
1575
releasenotes/notes/bug-1896125-b17a4d12730fe493.yaml
1570
releasenotes/notes/bug-1896125-b17a4d12730fe493.yaml
1190
1576
releasenotes/notes/bug-1897280-e7065c4368a325ad.yaml
1191
1577
releasenotes/notes/bug-1901207-13762f85b8a04481.yaml
1571
releasenotes/notes/bug-1901207-13762f85b8a04481.yaml
1192
1578
releasenotes/notes/bug-1901654-69b9f35d11cd0c75.yaml
1572
releasenotes/notes/bug-1901654-69b9f35d11cd0c75.yaml
1193
1579
releasenotes/notes/bug-1929066-6e741c9182620a37.yaml
1194
1580
releasenotes/notes/bug-1941020-f694395a9bcea72f.yaml
1195
1581
releasenotes/notes/bug1828565-0790c4c60ba34100.yaml
1573
releasenotes/notes/bug1828565-0790c4c60ba34100.yaml
1196
1582
releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml
1574
releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml
1197
1583
releasenotes/notes/bug_1543048_and_1668503-7ead4e15faaab778.yaml
1575
releasenotes/notes/bug_1543048_and_1668503-7ead4e15faaab778.yaml
1198
@@ -1588,7 +1580,6 @@ releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml
1199
1588
releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml
1580
releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml
1200
1589
releasenotes/notes/convert-keystone-to-flask-80d980e239b662b0.yaml
1581
releasenotes/notes/convert-keystone-to-flask-80d980e239b662b0.yaml
1201
1590
releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml
1582
releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml
1202
1591
releasenotes/notes/deprecate-json-formatted-policy-file-95f6307f88358f58.yaml
1203
1592
releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml
1583
releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml
1204
1593
releasenotes/notes/deprecate-policies-api-b104fbd1d2367b1b.yaml
1584
releasenotes/notes/deprecate-policies-api-b104fbd1d2367b1b.yaml
1205
1594
releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml
1585
releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml
1206
@@ -1678,15 +1669,10 @@ releasenotes/source/stein.rst
1207
1678
releasenotes/source/train.rst
1669
releasenotes/source/train.rst
1208
1679
releasenotes/source/unreleased.rst
1670
releasenotes/source/unreleased.rst
1209
1680
releasenotes/source/ussuri.rst
1671
releasenotes/source/ussuri.rst
1210
1681
releasenotes/source/victoria.rst
1211
1682
releasenotes/source/wallaby.rst
1212
1683
releasenotes/source/xena.rst
1213
1684
releasenotes/source/_static/.placeholder
1672
releasenotes/source/_static/.placeholder
1214
1685
releasenotes/source/_templates/.placeholder
1673
releasenotes/source/_templates/.placeholder
1215
1686
releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po
1674
releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po
1216
1687
releasenotes/source/locale/fr/LC_MESSAGES/releasenotes.po
1217
1688
releasenotes/source/locale/ja/LC_MESSAGES/releasenotes.po
1675
releasenotes/source/locale/ja/LC_MESSAGES/releasenotes.po
1218
1689
releasenotes/source/locale/ko_KR/LC_MESSAGES/releasenotes.po
1219
1690
tools/cover.sh
1676
tools/cover.sh
1220
1691
tools/fast8.sh
1677
tools/fast8.sh
1221
1692
tools/sample_data.sh
1678
tools/sample_data.sh
1222
diff --git a/keystone.egg-info/pbr.json b/keystone.egg-info/pbr.json
1223
1693
deleted file mode 100644
1679
deleted file mode 100644
1224
index 7de0b70..0000000
1225
--- a/keystone.egg-info/pbr.json
1226
+++ /dev/null
1227
@@ -1 +0,0 @@
1228
1
{"git_version": "2ddf8f321", "is_release": false}
1229
2
\ No newline at end of file
0
\ No newline at end of file
1230
diff --git a/keystone.egg-info/requires.txt b/keystone.egg-info/requires.txt
1231
index 7ca68f2..b85b25d 100644
1232
--- a/keystone.egg-info/requires.txt
1233
+++ b/keystone.egg-info/requires.txt
1234
@@ -11,16 +11,16 @@ keystonemiddleware>=7.0.0
1235
11
msgpack>=0.5.0
11
msgpack>=0.5.0
1236
12
oauthlib>=0.6.2
12
oauthlib>=0.6.2
1237
13
oslo.cache>=1.26.0
13
oslo.cache>=1.26.0
1239
14
oslo.config>=6.8.0
14
oslo.config>=5.2.0
1240
15
oslo.context>=2.22.0
15
oslo.context>=2.22.0
1241
16
oslo.db>=6.0.0
16
oslo.db>=6.0.0
1242
17
oslo.i18n>=3.15.3
17
oslo.i18n>=3.15.3
1243
18
oslo.log>=3.44.0
18
oslo.log>=3.44.0
1244
19
oslo.messaging>=5.29.0
19
oslo.messaging>=5.29.0
1245
20
oslo.middleware>=3.31.0
20
oslo.middleware>=3.31.0
1247
21
oslo.policy>=3.7.0
21
oslo.policy>=3.0.2
1248
22
oslo.serialization!=2.19.1,>=2.18.0
22
oslo.serialization!=2.19.1,>=2.18.0
1250
23
oslo.upgradecheck>=1.3.0
23
oslo.upgradecheck>=0.1.0
1251
24
oslo.utils>=3.33.0
24
oslo.utils>=3.33.0
1252
25
osprofiler>=1.4.0
25
osprofiler>=1.4.0
1253
26
passlib>=1.7.0
26
passlib>=1.7.0
1254
diff --git a/keystone/api/s3tokens.py b/keystone/api/s3tokens.py
1255
index 4a8439d..73d0b39 100644
1256
--- a/keystone/api/s3tokens.py
1257
+++ b/keystone/api/s3tokens.py
1258
@@ -56,10 +56,7 @@ def _calculate_signature_v4(string_to_sign, secret_key):
1259
56
    if len(parts) != 4 or parts[0] != b'AWS4-HMAC-SHA256':
56
    if len(parts) != 4 or parts[0] != b'AWS4-HMAC-SHA256':
1260
57
        raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
57
        raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
1261
58
    scope = parts[2].split(b'/')
58
    scope = parts[2].split(b'/')
1266
59
    if len(scope) != 4 or scope[3] != b'aws4_request':
59
    if len(scope) != 4 or scope[2] != b's3' or scope[3] != b'aws4_request':
1263
60
        raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
1264
61
    allowed_services = [b's3', b'iam', b'sts']
1265
62
    if scope[2] not in allowed_services:
1267
63
        raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
60
        raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
1268
64
61
1269
65
    def _sign(key, msg):
62
    def _sign(key, msg):
1270
diff --git a/keystone/cmd/status.py b/keystone/cmd/status.py
1271
index 64b2e62..3585c2e 100644
1272
--- a/keystone/cmd/status.py
1273
+++ b/keystone/cmd/status.py
1274
@@ -12,7 +12,6 @@
1275
12
12
1276
13
from oslo_policy import _checks
13
from oslo_policy import _checks
1277
14
from oslo_policy import policy
14
from oslo_policy import policy
1278
15
from oslo_upgradecheck import common_checks
1279
16
from oslo_upgradecheck import upgradecheck
15
from oslo_upgradecheck import upgradecheck
1280
17
16
1281
18
from keystone.common import driver_hints
17
from keystone.common import driver_hints
1282
@@ -87,8 +86,6 @@ class Checks(upgradecheck.UpgradeCommands):
1283
87
         check_trust_policies_are_not_empty),
86
         check_trust_policies_are_not_empty),
1284
88
        ("Check default roles are immutable",
87
        ("Check default roles are immutable",
1285
89
         check_default_roles_are_immutable),
88
         check_default_roles_are_immutable),
1286
90
        ("Policy File JSON to YAML Migration",
1287
91
         (common_checks.check_policy_json, {'conf': CONF})),
1288
92
    )
89
    )
1289
93
90
1290
94
91
1291
diff --git a/keystone/common/policies/application_credential.py b/keystone/common/policies/application_credential.py
1292
index bae998a..e44c661 100644
1293
--- a/keystone/common/policies/application_credential.py
1294
+++ b/keystone/common/policies/application_credential.py
1295
@@ -18,30 +18,23 @@ from keystone.common.policies import base
1296
18
collection_path = '/v3/users/{user_id}/application_credentials'
18
collection_path = '/v3/users/{user_id}/application_credentials'
1297
19
resource_path = collection_path + '/{application_credential_id}'
19
resource_path = collection_path + '/{application_credential_id}'
1298
20
20
1299
21
DEPRECATED_REASON = (
1300
22
    "The application credential API is now aware of system scope and default "
1301
23
    "roles."
1302
24
)
1303
25
1304
26
deprecated_list_application_credentials_for_user = policy.DeprecatedRule(
21
deprecated_list_application_credentials_for_user = policy.DeprecatedRule(
1305
27
    name=base.IDENTITY % 'list_application_credentials',
22
    name=base.IDENTITY % 'list_application_credentials',
1309
28
    check_str=base.RULE_ADMIN_OR_OWNER,
23
    check_str=base.RULE_ADMIN_OR_OWNER
1307
29
    deprecated_reason=DEPRECATED_REASON,
1308
30
    deprecated_since=versionutils.deprecated.TRAIN
1310
31
)
24
)
1311
32
deprecated_get_application_credentials_for_user = policy.DeprecatedRule(
25
deprecated_get_application_credentials_for_user = policy.DeprecatedRule(
1312
33
    name=base.IDENTITY % 'get_application_credential',
26
    name=base.IDENTITY % 'get_application_credential',
1316
34
    check_str=base.RULE_ADMIN_OR_OWNER,
27
    check_str=base.RULE_ADMIN_OR_OWNER
1314
35
    deprecated_reason=DEPRECATED_REASON,
1315
36
    deprecated_since=versionutils.deprecated.TRAIN
1317
37
)
28
)
1318
38
deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
29
deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
1319
39
    name=base.IDENTITY % 'delete_application_credential',
30
    name=base.IDENTITY % 'delete_application_credential',
1323
40
    check_str=base.RULE_ADMIN_OR_OWNER,
31
    check_str=base.RULE_ADMIN_OR_OWNER
1321
41
    deprecated_reason=DEPRECATED_REASON,
1322
42
    deprecated_since=versionutils.deprecated.TRAIN
1324
43
)
32
)
1325
44
33
1326
34
DEPRECATED_REASON = (
1327
35
    "The application credential API is now aware of system scope and default "
1328
36
    "roles."
1329
37
)
1330
45
38
1331
46
application_credential_policies = [
39
application_credential_policies = [
1332
47
    policy.DocumentedRuleDefault(
40
    policy.DocumentedRuleDefault(
1333
@@ -53,7 +46,9 @@ application_credential_policies = [
1334
53
                     'method': 'GET'},
46
                     'method': 'GET'},
1335
54
                    {'path': resource_path,
47
                    {'path': resource_path,
1336
55
                     'method': 'HEAD'}],
48
                     'method': 'HEAD'}],
1338
56
        deprecated_rule=deprecated_get_application_credentials_for_user),
49
        deprecated_rule=deprecated_get_application_credentials_for_user,
1339
50
        deprecated_reason=DEPRECATED_REASON,
1340
51
        deprecated_since=versionutils.deprecated.TRAIN),
1341
57
    policy.DocumentedRuleDefault(
52
    policy.DocumentedRuleDefault(
1342
58
        name=base.IDENTITY % 'list_application_credentials',
53
        name=base.IDENTITY % 'list_application_credentials',
1343
59
        check_str=base.RULE_SYSTEM_READER_OR_OWNER,
54
        check_str=base.RULE_SYSTEM_READER_OR_OWNER,
1344
@@ -63,7 +58,9 @@ application_credential_policies = [
1345
63
                     'method': 'GET'},
58
                     'method': 'GET'},
1346
64
                    {'path': collection_path,
59
                    {'path': collection_path,
1347
65
                     'method': 'HEAD'}],
60
                     'method': 'HEAD'}],
1349
66
        deprecated_rule=deprecated_list_application_credentials_for_user),
61
        deprecated_rule=deprecated_list_application_credentials_for_user,
1350
62
        deprecated_reason=DEPRECATED_REASON,
1351
63
        deprecated_since=versionutils.deprecated.TRAIN),
1352
67
    policy.DocumentedRuleDefault(
64
    policy.DocumentedRuleDefault(
1353
68
        name=base.IDENTITY % 'create_application_credential',
65
        name=base.IDENTITY % 'create_application_credential',
1354
69
        check_str=base.RULE_OWNER,
66
        check_str=base.RULE_OWNER,
1355
@@ -78,7 +75,9 @@ application_credential_policies = [
1356
78
        description='Delete an application credential.',
75
        description='Delete an application credential.',
1357
79
        operations=[{'path': resource_path,
76
        operations=[{'path': resource_path,
1358
80
                     'method': 'DELETE'}],
77
                     'method': 'DELETE'}],
1360
81
        deprecated_rule=deprecated_delete_application_credentials_for_user)
78
        deprecated_rule=deprecated_delete_application_credentials_for_user,
1361
79
        deprecated_reason=DEPRECATED_REASON,
1362
80
        deprecated_since=versionutils.deprecated.TRAIN)
1363
82
]
81
]
1364
83
82
1365
84
83
1366
diff --git a/keystone/common/policies/consumer.py b/keystone/common/policies/consumer.py
1367
index 7931bf0..bf9a6bd 100644
1368
--- a/keystone/common/policies/consumer.py
1369
+++ b/keystone/common/policies/consumer.py
1370
@@ -15,41 +15,30 @@ from oslo_policy import policy
1371
15
15
1372
16
from keystone.common.policies import base
16
from keystone.common.policies import base
1373
17
17
1374
18
DEPRECATED_REASON = (
1375
19
    "The OAUTH1 consumer API is now aware of system scope and default roles."
1376
20
)
1377
21
1378
22
deprecated_get_consumer = policy.DeprecatedRule(
18
deprecated_get_consumer = policy.DeprecatedRule(
1379
23
    name=base.IDENTITY % 'get_consumer',
19
    name=base.IDENTITY % 'get_consumer',
1383
24
    check_str=base.RULE_ADMIN_REQUIRED,
20
    check_str=base.RULE_ADMIN_REQUIRED
1381
25
    deprecated_reason=DEPRECATED_REASON,
1382
26
    deprecated_since=versionutils.deprecated.TRAIN
1384
27
)
21
)
1385
28
deprecated_list_consumers = policy.DeprecatedRule(
22
deprecated_list_consumers = policy.DeprecatedRule(
1386
29
    name=base.IDENTITY % 'list_consumers',
23
    name=base.IDENTITY % 'list_consumers',
1390
30
    check_str=base.RULE_ADMIN_REQUIRED,
24
    check_str=base.RULE_ADMIN_REQUIRED
1388
31
    deprecated_reason=DEPRECATED_REASON,
1389
32
    deprecated_since=versionutils.deprecated.TRAIN
1391
33
)
25
)
1392
34
deprecated_create_consumer = policy.DeprecatedRule(
26
deprecated_create_consumer = policy.DeprecatedRule(
1393
35
    name=base.IDENTITY % 'create_consumer',
27
    name=base.IDENTITY % 'create_consumer',
1397
36
    check_str=base.RULE_ADMIN_REQUIRED,
28
    check_str=base.RULE_ADMIN_REQUIRED
1395
37
    deprecated_reason=DEPRECATED_REASON,
1396
38
    deprecated_since=versionutils.deprecated.TRAIN
1398
39
)
29
)
1399
40
deprecated_update_consumer = policy.DeprecatedRule(
30
deprecated_update_consumer = policy.DeprecatedRule(
1400
41
    name=base.IDENTITY % 'update_consumer',
31
    name=base.IDENTITY % 'update_consumer',
1404
42
    check_str=base.RULE_ADMIN_REQUIRED,
32
    check_str=base.RULE_ADMIN_REQUIRED
1402
43
    deprecated_reason=DEPRECATED_REASON,
1403
44
    deprecated_since=versionutils.deprecated.TRAIN
1405
45
)
33
)
1406
46
deprecated_delete_consumer = policy.DeprecatedRule(
34
deprecated_delete_consumer = policy.DeprecatedRule(
1407
47
    name=base.IDENTITY % 'delete_consumer',
35
    name=base.IDENTITY % 'delete_consumer',
1411
48
    check_str=base.RULE_ADMIN_REQUIRED,
36
    check_str=base.RULE_ADMIN_REQUIRED
1409
49
    deprecated_reason=DEPRECATED_REASON,
1410
50
    deprecated_since=versionutils.deprecated.TRAIN
1412
51
)
37
)
1413
52
38
1414
39
DEPRECATED_REASON = (
1415
40
    "The OAUTH1 consumer API is now aware of system scope and default roles."
1416
41
)
1417
53
42
1418
54
consumer_policies = [
43
consumer_policies = [
1419
55
    policy.DocumentedRuleDefault(
44
    policy.DocumentedRuleDefault(
1420
@@ -59,7 +48,9 @@ consumer_policies = [
1421
59
        description='Show OAUTH1 consumer details.',
48
        description='Show OAUTH1 consumer details.',
1422
60
        operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
49
        operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
1423
61
                     'method': 'GET'}],
50
                     'method': 'GET'}],
1425
62
        deprecated_rule=deprecated_get_consumer),
51
        deprecated_rule=deprecated_get_consumer,
1426
52
        deprecated_reason=DEPRECATED_REASON,
1427
53
        deprecated_since=versionutils.deprecated.TRAIN),
1428
63
    policy.DocumentedRuleDefault(
54
    policy.DocumentedRuleDefault(
1429
64
        name=base.IDENTITY % 'list_consumers',
55
        name=base.IDENTITY % 'list_consumers',
1430
65
        check_str=base.SYSTEM_READER,
56
        check_str=base.SYSTEM_READER,
1431
@@ -67,7 +58,9 @@ consumer_policies = [
1432
67
        description='List OAUTH1 consumers.',
58
        description='List OAUTH1 consumers.',
1433
68
        operations=[{'path': '/v3/OS-OAUTH1/consumers',
59
        operations=[{'path': '/v3/OS-OAUTH1/consumers',
1434
69
                     'method': 'GET'}],
60
                     'method': 'GET'}],
1436
70
        deprecated_rule=deprecated_list_consumers),
61
        deprecated_rule=deprecated_list_consumers,
1437
62
        deprecated_reason=DEPRECATED_REASON,
1438
63
        deprecated_since=versionutils.deprecated.TRAIN),
1439
71
    policy.DocumentedRuleDefault(
64
    policy.DocumentedRuleDefault(
1440
72
        name=base.IDENTITY % 'create_consumer',
65
        name=base.IDENTITY % 'create_consumer',
1441
73
        check_str=base.SYSTEM_ADMIN,
66
        check_str=base.SYSTEM_ADMIN,
1442
@@ -75,7 +68,9 @@ consumer_policies = [
1443
75
        description='Create OAUTH1 consumer.',
68
        description='Create OAUTH1 consumer.',
1444
76
        operations=[{'path': '/v3/OS-OAUTH1/consumers',
69
        operations=[{'path': '/v3/OS-OAUTH1/consumers',
1445
77
                     'method': 'POST'}],
70
                     'method': 'POST'}],
1447
78
        deprecated_rule=deprecated_create_consumer),
71
        deprecated_rule=deprecated_create_consumer,
1448
72
        deprecated_reason=DEPRECATED_REASON,
1449
73
        deprecated_since=versionutils.deprecated.TRAIN),
1450
79
    policy.DocumentedRuleDefault(
74
    policy.DocumentedRuleDefault(
1451
80
        name=base.IDENTITY % 'update_consumer',
75
        name=base.IDENTITY % 'update_consumer',
1452
81
        check_str=base.SYSTEM_ADMIN,
76
        check_str=base.SYSTEM_ADMIN,
1453
@@ -83,7 +78,9 @@ consumer_policies = [
1454
83
        description='Update OAUTH1 consumer.',
78
        description='Update OAUTH1 consumer.',
1455
84
        operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
79
        operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
1456
85
                     'method': 'PATCH'}],
80
                     'method': 'PATCH'}],
1458
86
        deprecated_rule=deprecated_update_consumer),
81
        deprecated_rule=deprecated_update_consumer,
1459
82
        deprecated_reason=DEPRECATED_REASON,
1460
83
        deprecated_since=versionutils.deprecated.TRAIN),
1461
87
    policy.DocumentedRuleDefault(
84
    policy.DocumentedRuleDefault(
1462
88
        name=base.IDENTITY % 'delete_consumer',
85
        name=base.IDENTITY % 'delete_consumer',
1463
89
        check_str=base.SYSTEM_ADMIN,
86
        check_str=base.SYSTEM_ADMIN,
1464
@@ -91,7 +88,9 @@ consumer_policies = [
1465
91
        description='Delete OAUTH1 consumer.',
88
        description='Delete OAUTH1 consumer.',
1466
92
        operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
89
        operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
1467
93
                     'method': 'DELETE'}],
90
                     'method': 'DELETE'}],
1469
94
        deprecated_rule=deprecated_delete_consumer),
91
        deprecated_rule=deprecated_delete_consumer,
1470
92
        deprecated_reason=DEPRECATED_REASON,
1471
93
        deprecated_since=versionutils.deprecated.TRAIN),
1472
95
]
94
]
1473
96
95
1474
97
96
1475
diff --git a/keystone/common/policies/credential.py b/keystone/common/policies/credential.py
1476
index 675e318..52a9fa8 100644
1477
--- a/keystone/common/policies/credential.py
1478
+++ b/keystone/common/policies/credential.py
1479
@@ -21,33 +21,23 @@ DEPRECATED_REASON = (
1480
21
21
1481
22
deprecated_get_credential = policy.DeprecatedRule(
22
deprecated_get_credential = policy.DeprecatedRule(
1482
23
    name=base.IDENTITY % 'get_credential',
23
    name=base.IDENTITY % 'get_credential',
1486
24
    check_str=base.RULE_ADMIN_REQUIRED,
24
    check_str=base.RULE_ADMIN_REQUIRED
1484
25
    deprecated_reason=DEPRECATED_REASON,
1485
26
    deprecated_since=versionutils.deprecated.STEIN
1487
27
)
25
)
1488
28
deprecated_list_credentials = policy.DeprecatedRule(
26
deprecated_list_credentials = policy.DeprecatedRule(
1489
29
    name=base.IDENTITY % 'list_credentials',
27
    name=base.IDENTITY % 'list_credentials',
1493
30
    check_str=base.RULE_ADMIN_REQUIRED,
28
    check_str=base.RULE_ADMIN_REQUIRED
1491
31
    deprecated_reason=DEPRECATED_REASON,
1492
32
    deprecated_since=versionutils.deprecated.STEIN
1494
33
)
29
)
1495
34
deprecated_create_credential = policy.DeprecatedRule(
30
deprecated_create_credential = policy.DeprecatedRule(
1496
35
    name=base.IDENTITY % 'create_credential',
31
    name=base.IDENTITY % 'create_credential',
1500
36
    check_str=base.RULE_ADMIN_REQUIRED,
32
    check_str=base.RULE_ADMIN_REQUIRED
1498
37
    deprecated_reason=DEPRECATED_REASON,
1499
38
    deprecated_since=versionutils.deprecated.STEIN
1501
39
)
33
)
1502
40
deprecated_update_credential = policy.DeprecatedRule(
34
deprecated_update_credential = policy.DeprecatedRule(
1503
41
    name=base.IDENTITY % 'update_credential',
35
    name=base.IDENTITY % 'update_credential',
1507
42
    check_str=base.RULE_ADMIN_REQUIRED,
36
    check_str=base.RULE_ADMIN_REQUIRED
1505
43
    deprecated_reason=DEPRECATED_REASON,
1506
44
    deprecated_since=versionutils.deprecated.STEIN
1508
45
)
37
)
1509
46
deprecated_delete_credential = policy.DeprecatedRule(
38
deprecated_delete_credential = policy.DeprecatedRule(
1510
47
    name=base.IDENTITY % 'delete_credential',
39
    name=base.IDENTITY % 'delete_credential',
1514
48
    check_str=base.RULE_ADMIN_REQUIRED,
40
    check_str=base.RULE_ADMIN_REQUIRED
1512
49
    deprecated_reason=DEPRECATED_REASON,
1513
50
    deprecated_since=versionutils.deprecated.STEIN
1515
51
)
41
)
1516
52
42
1517
53
43
1518
@@ -60,6 +50,8 @@ credential_policies = [
1519
60
        operations=[{'path': '/v3/credentials/{credential_id}',
50
        operations=[{'path': '/v3/credentials/{credential_id}',
1520
61
                     'method': 'GET'}],
51
                     'method': 'GET'}],
1521
62
        deprecated_rule=deprecated_get_credential,
52
        deprecated_rule=deprecated_get_credential,
1522
53
        deprecated_reason=DEPRECATED_REASON,
1523
54
        deprecated_since=versionutils.deprecated.STEIN
1524
63
    ),
55
    ),
1525
64
    policy.DocumentedRuleDefault(
56
    policy.DocumentedRuleDefault(
1526
65
        name=base.IDENTITY % 'list_credentials',
57
        name=base.IDENTITY % 'list_credentials',
1527
@@ -69,6 +61,8 @@ credential_policies = [
1528
69
        operations=[{'path': '/v3/credentials',
61
        operations=[{'path': '/v3/credentials',
1529
70
                     'method': 'GET'}],
62
                     'method': 'GET'}],
1530
71
        deprecated_rule=deprecated_list_credentials,
63
        deprecated_rule=deprecated_list_credentials,
1531
64
        deprecated_reason=DEPRECATED_REASON,
1532
65
        deprecated_since=versionutils.deprecated.STEIN
1533
72
    ),
66
    ),
1534
73
    policy.DocumentedRuleDefault(
67
    policy.DocumentedRuleDefault(
1535
74
        name=base.IDENTITY % 'create_credential',
68
        name=base.IDENTITY % 'create_credential',
1536
@@ -78,6 +72,8 @@ credential_policies = [
1537
78
        operations=[{'path': '/v3/credentials',
72
        operations=[{'path': '/v3/credentials',
1538
79
                     'method': 'POST'}],
73
                     'method': 'POST'}],
1539
80
        deprecated_rule=deprecated_create_credential,
74
        deprecated_rule=deprecated_create_credential,
1540
75
        deprecated_reason=DEPRECATED_REASON,
1541
76
        deprecated_since=versionutils.deprecated.STEIN
1542
81
    ),
77
    ),
1543
82
    policy.DocumentedRuleDefault(
78
    policy.DocumentedRuleDefault(
1544
83
        name=base.IDENTITY % 'update_credential',
79
        name=base.IDENTITY % 'update_credential',
1545
@@ -87,6 +83,8 @@ credential_policies = [
1546
87
        operations=[{'path': '/v3/credentials/{credential_id}',
83
        operations=[{'path': '/v3/credentials/{credential_id}',
1547
88
                     'method': 'PATCH'}],
84
                     'method': 'PATCH'}],
1548
89
        deprecated_rule=deprecated_update_credential,
85
        deprecated_rule=deprecated_update_credential,
1549
86
        deprecated_reason=DEPRECATED_REASON,
1550
87
        deprecated_since=versionutils.deprecated.STEIN
1551
90
    ),
88
    ),
1552
91
    policy.DocumentedRuleDefault(
89
    policy.DocumentedRuleDefault(
1553
92
        name=base.IDENTITY % 'delete_credential',
90
        name=base.IDENTITY % 'delete_credential',
1554
@@ -96,6 +94,8 @@ credential_policies = [
1555
96
        operations=[{'path': '/v3/credentials/{credential_id}',
94
        operations=[{'path': '/v3/credentials/{credential_id}',
1556
97
                     'method': 'DELETE'}],
95
                     'method': 'DELETE'}],
1557
98
        deprecated_rule=deprecated_delete_credential,
96
        deprecated_rule=deprecated_delete_credential,
1558
97
        deprecated_reason=DEPRECATED_REASON,
1559
98
        deprecated_since=versionutils.deprecated.STEIN
1560
99
    )
99
    )
1561
100
]
100
]
1562
101
101
1563
diff --git a/keystone/common/policies/domain.py b/keystone/common/policies/domain.py
1564
index cd743ee..7d3e3d7 100644
1565
--- a/keystone/common/policies/domain.py
1566
+++ b/keystone/common/policies/domain.py
1567
@@ -21,33 +21,23 @@ DEPRECATED_REASON = (
1568
21
21
1569
22
deprecated_list_domains = policy.DeprecatedRule(
22
deprecated_list_domains = policy.DeprecatedRule(
1570
23
    name=base.IDENTITY % 'list_domains',
23
    name=base.IDENTITY % 'list_domains',
1574
24
    check_str=base.RULE_ADMIN_REQUIRED,
24
    check_str=base.RULE_ADMIN_REQUIRED
1572
25
    deprecated_reason=DEPRECATED_REASON,
1573
26
    deprecated_since=versionutils.deprecated.STEIN
1575
27
)
25
)
1576
28
deprecated_get_domain = policy.DeprecatedRule(
26
deprecated_get_domain = policy.DeprecatedRule(
1577
29
    name=base.IDENTITY % 'get_domain',
27
    name=base.IDENTITY % 'get_domain',
1581
30
    check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN,
28
    check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN
1579
31
    deprecated_reason=DEPRECATED_REASON,
1580
32
    deprecated_since=versionutils.deprecated.STEIN
1582
33
)
29
)
1583
34
deprecated_update_domain = policy.DeprecatedRule(
30
deprecated_update_domain = policy.DeprecatedRule(
1584
35
    name=base.IDENTITY % 'update_domain',
31
    name=base.IDENTITY % 'update_domain',
1588
36
    check_str=base.RULE_ADMIN_REQUIRED,
32
    check_str=base.RULE_ADMIN_REQUIRED
1586
37
    deprecated_reason=DEPRECATED_REASON,
1587
38
    deprecated_since=versionutils.deprecated.STEIN
1589
39
)
33
)
1590
40
deprecated_create_domain = policy.DeprecatedRule(
34
deprecated_create_domain = policy.DeprecatedRule(
1591
41
    name=base.IDENTITY % 'create_domain',
35
    name=base.IDENTITY % 'create_domain',
1595
42
    check_str=base.RULE_ADMIN_REQUIRED,
36
    check_str=base.RULE_ADMIN_REQUIRED
1593
43
    deprecated_reason=DEPRECATED_REASON,
1594
44
    deprecated_since=versionutils.deprecated.STEIN
1596
45
)
37
)
1597
46
deprecated_delete_domain = policy.DeprecatedRule(
38
deprecated_delete_domain = policy.DeprecatedRule(
1598
47
    name=base.IDENTITY % 'delete_domain',
39
    name=base.IDENTITY % 'delete_domain',
1602
48
    check_str=base.RULE_ADMIN_REQUIRED,
40
    check_str=base.RULE_ADMIN_REQUIRED
1600
49
    deprecated_reason=DEPRECATED_REASON,
1601
50
    deprecated_since=versionutils.deprecated.STEIN
1603
51
)
41
)
1604
52
SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER = (
42
SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER = (
1605
53
    '(role:reader and system_scope:all) or '
43
    '(role:reader and system_scope:all) or '
1606
@@ -66,7 +56,9 @@ domain_policies = [
1607
66
        description='Show domain details.',
56
        description='Show domain details.',
1608
67
        operations=[{'path': '/v3/domains/{domain_id}',
57
        operations=[{'path': '/v3/domains/{domain_id}',
1609
68
                     'method': 'GET'}],
58
                     'method': 'GET'}],
1611
69
        deprecated_rule=deprecated_get_domain),
59
        deprecated_rule=deprecated_get_domain,
1612
60
        deprecated_reason=DEPRECATED_REASON,
1613
61
        deprecated_since=versionutils.deprecated.STEIN),
1614
70
    policy.DocumentedRuleDefault(
62
    policy.DocumentedRuleDefault(
1615
71
        name=base.IDENTITY % 'list_domains',
63
        name=base.IDENTITY % 'list_domains',
1616
72
        check_str=base.SYSTEM_READER,
64
        check_str=base.SYSTEM_READER,
1617
@@ -74,7 +66,9 @@ domain_policies = [
1618
74
        description='List domains.',
66
        description='List domains.',
1619
75
        operations=[{'path': '/v3/domains',
67
        operations=[{'path': '/v3/domains',
1620
76
                     'method': 'GET'}],
68
                     'method': 'GET'}],
1622
77
        deprecated_rule=deprecated_list_domains),
69
        deprecated_rule=deprecated_list_domains,
1623
70
        deprecated_reason=DEPRECATED_REASON,
1624
71
        deprecated_since=versionutils.deprecated.STEIN),
1625
78
    policy.DocumentedRuleDefault(
72
    policy.DocumentedRuleDefault(
1626
79
        name=base.IDENTITY % 'create_domain',
73
        name=base.IDENTITY % 'create_domain',
1627
80
        check_str=base.SYSTEM_ADMIN,
74
        check_str=base.SYSTEM_ADMIN,
1628
@@ -82,7 +76,9 @@ domain_policies = [
1629
82
        description='Create domain.',
76
        description='Create domain.',
1630
83
        operations=[{'path': '/v3/domains',
77
        operations=[{'path': '/v3/domains',
1631
84
                     'method': 'POST'}],
78
                     'method': 'POST'}],
1633
85
        deprecated_rule=deprecated_create_domain),
79
        deprecated_rule=deprecated_create_domain,
1634
80
        deprecated_reason=DEPRECATED_REASON,
1635
81
        deprecated_since=versionutils.deprecated.STEIN),
1636
86
    policy.DocumentedRuleDefault(
82
    policy.DocumentedRuleDefault(
1637
87
        name=base.IDENTITY % 'update_domain',
83
        name=base.IDENTITY % 'update_domain',
1638
88
        check_str=base.SYSTEM_ADMIN,
84
        check_str=base.SYSTEM_ADMIN,
1639
@@ -90,7 +86,9 @@ domain_policies = [
1640
90
        description='Update domain.',
86
        description='Update domain.',
1641
91
        operations=[{'path': '/v3/domains/{domain_id}',
87
        operations=[{'path': '/v3/domains/{domain_id}',
1642
92
                     'method': 'PATCH'}],
88
                     'method': 'PATCH'}],
1644
93
        deprecated_rule=deprecated_update_domain),
89
        deprecated_rule=deprecated_update_domain,
1645
90
        deprecated_reason=DEPRECATED_REASON,
1646
91
        deprecated_since=versionutils.deprecated.STEIN),
1647
94
    policy.DocumentedRuleDefault(
92
    policy.DocumentedRuleDefault(
1648
95
        name=base.IDENTITY % 'delete_domain',
93
        name=base.IDENTITY % 'delete_domain',
1649
96
        check_str=base.SYSTEM_ADMIN,
94
        check_str=base.SYSTEM_ADMIN,
1650
@@ -98,7 +96,9 @@ domain_policies = [
1651
98
        description='Delete domain.',
96
        description='Delete domain.',
1652
99
        operations=[{'path': '/v3/domains/{domain_id}',
97
        operations=[{'path': '/v3/domains/{domain_id}',
1653
100
                     'method': 'DELETE'}],
98
                     'method': 'DELETE'}],
1655
101
        deprecated_rule=deprecated_delete_domain),
99
        deprecated_rule=deprecated_delete_domain,
1656
100
        deprecated_reason=DEPRECATED_REASON,
1657
101
        deprecated_since=versionutils.deprecated.STEIN),
1658
102
]
102
]
1659
103
103
1660
104
104
1661
diff --git a/keystone/common/policies/domain_config.py b/keystone/common/policies/domain_config.py
1662
index b1c8fda..a157f0d 100644
1663
--- a/keystone/common/policies/domain_config.py
1664
+++ b/keystone/common/policies/domain_config.py
1665
@@ -15,46 +15,36 @@ from oslo_policy import policy
1666
15
15
1667
16
from keystone.common.policies import base
16
from keystone.common.policies import base
1668
17
17
1669
18
DEPRECATED_REASON = (
1670
19
    "The domain config API is now aware of system scope and default roles."
1671
20
)
1672
21
1673
22
deprecated_get_domain_config = policy.DeprecatedRule(
18
deprecated_get_domain_config = policy.DeprecatedRule(
1674
23
    name=base.IDENTITY % 'get_domain_config',
19
    name=base.IDENTITY % 'get_domain_config',
1675
24
    check_str=base.RULE_ADMIN_REQUIRED,
20
    check_str=base.RULE_ADMIN_REQUIRED,
1676
25
    deprecated_reason=DEPRECATED_REASON,
1677
26
    deprecated_since=versionutils.deprecated.TRAIN
1678
27
)
21
)
1679
28
22
1680
29
deprecated_get_domain_config_default = policy.DeprecatedRule(
23
deprecated_get_domain_config_default = policy.DeprecatedRule(
1681
30
    name=base.IDENTITY % 'get_domain_config_default',
24
    name=base.IDENTITY % 'get_domain_config_default',
1682
31
    check_str=base.RULE_ADMIN_REQUIRED,
25
    check_str=base.RULE_ADMIN_REQUIRED,
1683
32
    deprecated_reason=DEPRECATED_REASON,
1684
33
    deprecated_since=versionutils.deprecated.TRAIN
1685
34
)
26
)
1686
35
27
1687
36
deprecated_create_domain_config = policy.DeprecatedRule(
28
deprecated_create_domain_config = policy.DeprecatedRule(
1688
37
    name=base.IDENTITY % 'create_domain_config',
29
    name=base.IDENTITY % 'create_domain_config',
1689
38
    check_str=base.RULE_ADMIN_REQUIRED,
30
    check_str=base.RULE_ADMIN_REQUIRED,
1690
39
    deprecated_reason=DEPRECATED_REASON,
1691
40
    deprecated_since=versionutils.deprecated.TRAIN
1692
41
)
31
)
1693
42
32
1694
43
deprecated_update_domain_config = policy.DeprecatedRule(
33
deprecated_update_domain_config = policy.DeprecatedRule(
1695
44
    name=base.IDENTITY % 'update_domain_config',
34
    name=base.IDENTITY % 'update_domain_config',
1696
45
    check_str=base.RULE_ADMIN_REQUIRED,
35
    check_str=base.RULE_ADMIN_REQUIRED,
1697
46
    deprecated_reason=DEPRECATED_REASON,
1698
47
    deprecated_since=versionutils.deprecated.TRAIN
1699
48
)
36
)
1700
49
37
1701
50
deprecated_delete_domain_config = policy.DeprecatedRule(
38
deprecated_delete_domain_config = policy.DeprecatedRule(
1702
51
    name=base.IDENTITY % 'delete_domain_config',
39
    name=base.IDENTITY % 'delete_domain_config',
1703
52
    check_str=base.RULE_ADMIN_REQUIRED,
40
    check_str=base.RULE_ADMIN_REQUIRED,
1704
53
    deprecated_reason=DEPRECATED_REASON,
1705
54
    deprecated_since=versionutils.deprecated.TRAIN
1706
55
)
41
)
1707
56
42
1708
57
43
1709
44
DEPRECATED_REASON = (
1710
45
    "The domain config API is now aware of system scope and default roles."
1711
46
)
1712
47
1713
58
domain_config_policies = [
48
domain_config_policies = [
1714
59
    policy.DocumentedRuleDefault(
49
    policy.DocumentedRuleDefault(
1715
60
        name=base.IDENTITY % 'create_domain_config',
50
        name=base.IDENTITY % 'create_domain_config',
1716
@@ -75,7 +65,9 @@ domain_config_policies = [
1717
75
                'method': 'PUT'
65
                'method': 'PUT'
1718
76
            }
66
            }
1719
77
        ],
67
        ],
1721
78
        deprecated_rule=deprecated_create_domain_config
68
        deprecated_rule=deprecated_create_domain_config,
1722
69
        deprecated_reason=DEPRECATED_REASON,
1723
70
        deprecated_since=versionutils.deprecated.TRAIN
1724
79
    ),
71
    ),
1725
80
    policy.DocumentedRuleDefault(
72
    policy.DocumentedRuleDefault(
1726
81
        name=base.IDENTITY % 'get_domain_config',
73
        name=base.IDENTITY % 'get_domain_config',
1727
@@ -111,6 +103,8 @@ domain_config_policies = [
1728
111
            }
103
            }
1729
112
        ],
104
        ],
1730
113
        deprecated_rule=deprecated_get_domain_config,
105
        deprecated_rule=deprecated_get_domain_config,
1731
106
        deprecated_reason=DEPRECATED_REASON,
1732
107
        deprecated_since=versionutils.deprecated.TRAIN
1733
114
    ),
108
    ),
1734
115
    policy.DocumentedRuleDefault(
109
    policy.DocumentedRuleDefault(
1735
116
        name=base.IDENTITY % 'get_security_compliance_domain_config',
110
        name=base.IDENTITY % 'get_security_compliance_domain_config',
1736
@@ -130,12 +124,12 @@ domain_config_policies = [
1737
130
                'method': 'HEAD'
124
                'method': 'HEAD'
1738
131
            },
125
            },
1739
132
            {
126
            {
1741
133
                'path': ('/v3/domains/{domain_id}/config/'
127
                'path': ('v3/domains/{domain_id}/config/'
1742
134
                         'security_compliance/{option}'),
128
                         'security_compliance/{option}'),
1743
135
                'method': 'GET'
129
                'method': 'GET'
1744
136
            },
130
            },
1745
137
            {
131
            {
1747
138
                'path': ('/v3/domains/{domain_id}/config/'
132
                'path': ('v3/domains/{domain_id}/config/'
1748
139
                         'security_compliance/{option}'),
133
                         'security_compliance/{option}'),
1749
140
                'method': 'HEAD'
134
                'method': 'HEAD'
1750
141
            }
135
            }
1751
@@ -162,6 +156,8 @@ domain_config_policies = [
1752
162
            }
156
            }
1753
163
        ],
157
        ],
1754
164
        deprecated_rule=deprecated_update_domain_config,
158
        deprecated_rule=deprecated_update_domain_config,
1755
159
        deprecated_reason=DEPRECATED_REASON,
1756
160
        deprecated_since=versionutils.deprecated.TRAIN
1757
165
    ),
161
    ),
1758
166
    policy.DocumentedRuleDefault(
162
    policy.DocumentedRuleDefault(
1759
167
        name=base.IDENTITY % 'delete_domain_config',
163
        name=base.IDENTITY % 'delete_domain_config',
1760
@@ -184,6 +180,8 @@ domain_config_policies = [
1761
184
            }
180
            }
1762
185
        ],
181
        ],
1763
186
        deprecated_rule=deprecated_delete_domain_config,
182
        deprecated_rule=deprecated_delete_domain_config,
1764
183
        deprecated_reason=DEPRECATED_REASON,
1765
184
        deprecated_since=versionutils.deprecated.TRAIN
1766
187
    ),
185
    ),
1767
188
    policy.DocumentedRuleDefault(
186
    policy.DocumentedRuleDefault(
1768
189
        name=base.IDENTITY % 'get_domain_config_default',
187
        name=base.IDENTITY % 'get_domain_config_default',
1769
@@ -218,6 +216,8 @@ domain_config_policies = [
1770
218
            }
216
            }
1771
219
        ],
217
        ],
1772
220
        deprecated_rule=deprecated_get_domain_config_default,
218
        deprecated_rule=deprecated_get_domain_config_default,
1773
219
        deprecated_reason=DEPRECATED_REASON,
1774
220
        deprecated_since=versionutils.deprecated.TRAIN
1775
221
    )
221
    )
1776
222
]
222
]
1777
223
223
1778
diff --git a/keystone/common/policies/ec2_credential.py b/keystone/common/policies/ec2_credential.py
1779
index 9e52709..266a80e 100644
1780
--- a/keystone/common/policies/ec2_credential.py
1781
+++ b/keystone/common/policies/ec2_credential.py
1782
@@ -15,35 +15,26 @@ from oslo_policy import policy
1783
15
15
1784
16
from keystone.common.policies import base
16
from keystone.common.policies import base
1785
17
17
1786
18
DEPRECATED_REASON = (
1787
19
    "The EC2 credential API is now aware of system scope and default roles."
1788
20
)
1789
21
1790
22
deprecated_ec2_get_credential = policy.DeprecatedRule(
18
deprecated_ec2_get_credential = policy.DeprecatedRule(
1791
23
    name=base.IDENTITY % 'ec2_get_credential',
19
    name=base.IDENTITY % 'ec2_get_credential',
1795
24
    check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
20
    check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
1793
25
    deprecated_reason=DEPRECATED_REASON,
1794
26
    deprecated_since=versionutils.deprecated.TRAIN
1796
27
)
21
)
1797
28
deprecated_ec2_list_credentials = policy.DeprecatedRule(
22
deprecated_ec2_list_credentials = policy.DeprecatedRule(
1798
29
    name=base.IDENTITY % 'ec2_list_credentials',
23
    name=base.IDENTITY % 'ec2_list_credentials',
1802
30
    check_str=base.RULE_ADMIN_OR_OWNER,
24
    check_str=base.RULE_ADMIN_OR_OWNER
1800
31
    deprecated_reason=DEPRECATED_REASON,
1801
32
    deprecated_since=versionutils.deprecated.TRAIN
1803
33
)
25
)
1804
34
deprecated_ec2_create_credential = policy.DeprecatedRule(
26
deprecated_ec2_create_credential = policy.DeprecatedRule(
1805
35
    name=base.IDENTITY % 'ec2_create_credential',
27
    name=base.IDENTITY % 'ec2_create_credential',
1809
36
    check_str=base.RULE_ADMIN_OR_OWNER,
28
    check_str=base.RULE_ADMIN_OR_OWNER
1807
37
    deprecated_reason=DEPRECATED_REASON,
1808
38
    deprecated_since=versionutils.deprecated.TRAIN
1810
39
)
29
)
1811
40
deprecated_ec2_delete_credential = policy.DeprecatedRule(
30
deprecated_ec2_delete_credential = policy.DeprecatedRule(
1812
41
    name=base.IDENTITY % 'ec2_delete_credential',
31
    name=base.IDENTITY % 'ec2_delete_credential',
1816
42
    check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
32
    check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
1814
43
    deprecated_reason=DEPRECATED_REASON,
1815
44
    deprecated_since=versionutils.deprecated.TRAIN
1817
45
)
33
)
1818
46
34
1819
35
DEPRECATED_REASON = (
1820
36
    "The EC2 credential API is now aware of system scope and default roles."
1821
37
)
1822
47
38
1823
48
ec2_credential_policies = [
39
ec2_credential_policies = [
1824
49
    policy.DocumentedRuleDefault(
40
    policy.DocumentedRuleDefault(
1825
@@ -54,7 +45,9 @@ ec2_credential_policies = [
1826
54
        operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
45
        operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
1827
55
                              '{credential_id}'),
46
                              '{credential_id}'),
1828
56
                     'method': 'GET'}],
47
                     'method': 'GET'}],
1830
57
        deprecated_rule=deprecated_ec2_get_credential
48
        deprecated_rule=deprecated_ec2_get_credential,
1831
49
        deprecated_reason=DEPRECATED_REASON,
1832
50
        deprecated_since=versionutils.deprecated.TRAIN
1833
58
    ),
51
    ),
1834
59
    policy.DocumentedRuleDefault(
52
    policy.DocumentedRuleDefault(
1835
60
        name=base.IDENTITY % 'ec2_list_credentials',
53
        name=base.IDENTITY % 'ec2_list_credentials',
1836
@@ -64,6 +57,8 @@ ec2_credential_policies = [
1837
64
        operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
57
        operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
1838
65
                     'method': 'GET'}],
58
                     'method': 'GET'}],
1839
66
        deprecated_rule=deprecated_ec2_list_credentials,
59
        deprecated_rule=deprecated_ec2_list_credentials,
1840
60
        deprecated_reason=DEPRECATED_REASON,
1841
61
        deprecated_since=versionutils.deprecated.TRAIN
1842
67
    ),
62
    ),
1843
68
    policy.DocumentedRuleDefault(
63
    policy.DocumentedRuleDefault(
1844
69
        name=base.IDENTITY % 'ec2_create_credential',
64
        name=base.IDENTITY % 'ec2_create_credential',
1845
@@ -73,6 +68,8 @@ ec2_credential_policies = [
1846
73
        operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
68
        operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
1847
74
                     'method': 'POST'}],
69
                     'method': 'POST'}],
1848
75
        deprecated_rule=deprecated_ec2_create_credential,
70
        deprecated_rule=deprecated_ec2_create_credential,
1849
71
        deprecated_reason=DEPRECATED_REASON,
1850
72
        deprecated_since=versionutils.deprecated.TRAIN
1851
76
    ),
73
    ),
1852
77
    policy.DocumentedRuleDefault(
74
    policy.DocumentedRuleDefault(
1853
78
        name=base.IDENTITY % 'ec2_delete_credential',
75
        name=base.IDENTITY % 'ec2_delete_credential',
1854
@@ -83,6 +80,8 @@ ec2_credential_policies = [
1855
83
                              '{credential_id}'),
80
                              '{credential_id}'),
1856
84
                     'method': 'DELETE'}],
81
                     'method': 'DELETE'}],
1857
85
        deprecated_rule=deprecated_ec2_delete_credential,
82
        deprecated_rule=deprecated_ec2_delete_credential,
1858
83
        deprecated_reason=DEPRECATED_REASON,
1859
84
        deprecated_since=versionutils.deprecated.TRAIN
1860
86
    )
85
    )
1861
87
]
86
]
1862
88
87
1863
diff --git a/keystone/common/policies/endpoint.py b/keystone/common/policies/endpoint.py
1864
index 7858249..b99a40e 100644
1865
--- a/keystone/common/policies/endpoint.py
1866
+++ b/keystone/common/policies/endpoint.py
1867
@@ -15,34 +15,24 @@ from oslo_policy import policy
1868
15
15
1869
16
from keystone.common.policies import base
16
from keystone.common.policies import base
1870
17
17
1871
18
DEPRECATED_REASON = (
1872
19
    "The endpoint API is now aware of system scope and default roles."
1873
20
)
1874
21
1875
22
deprecated_get_endpoint = policy.DeprecatedRule(
18
deprecated_get_endpoint = policy.DeprecatedRule(
1876
23
    name=base.IDENTITY % 'get_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
19
    name=base.IDENTITY % 'get_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
1877
24
    deprecated_reason=DEPRECATED_REASON,
1878
25
    deprecated_since=versionutils.deprecated.STEIN
1879
26
)
20
)
1880
27
deprecated_list_endpoints = policy.DeprecatedRule(
21
deprecated_list_endpoints = policy.DeprecatedRule(
1881
28
    name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED,
22
    name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED,
1882
29
    deprecated_reason=DEPRECATED_REASON,
1883
30
    deprecated_since=versionutils.deprecated.STEIN
1884
31
)
23
)
1885
32
deprecated_update_endpoint = policy.DeprecatedRule(
24
deprecated_update_endpoint = policy.DeprecatedRule(
1886
33
    name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
25
    name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
1887
34
    deprecated_reason=DEPRECATED_REASON,
1888
35
    deprecated_since=versionutils.deprecated.STEIN
1889
36
)
26
)
1890
37
deprecated_create_endpoint = policy.DeprecatedRule(
27
deprecated_create_endpoint = policy.DeprecatedRule(
1891
38
    name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
28
    name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
1892
39
    deprecated_reason=DEPRECATED_REASON,
1893
40
    deprecated_since=versionutils.deprecated.STEIN
1894
41
)
29
)
1895
42
deprecated_delete_endpoint = policy.DeprecatedRule(
30
deprecated_delete_endpoint = policy.DeprecatedRule(
1896
43
    name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
31
    name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
1899
44
    deprecated_reason=DEPRECATED_REASON,
32
)
1900
45
    deprecated_since=versionutils.deprecated.STEIN
33
1901
34
DEPRECATED_REASON = (
1902
35
    "The endpoint API is now aware of system scope and default roles."
1903
46
)
36
)
1904
47
37
1905
48
38
1906
@@ -54,7 +44,9 @@ endpoint_policies = [
1907
54
        description='Show endpoint details.',
44
        description='Show endpoint details.',
1908
55
        operations=[{'path': '/v3/endpoints/{endpoint_id}',
45
        operations=[{'path': '/v3/endpoints/{endpoint_id}',
1909
56
                     'method': 'GET'}],
46
                     'method': 'GET'}],
1911
57
        deprecated_rule=deprecated_get_endpoint),
47
        deprecated_rule=deprecated_get_endpoint,
1912
48
        deprecated_reason=DEPRECATED_REASON,
1913
49
        deprecated_since=versionutils.deprecated.STEIN),
1914
58
    policy.DocumentedRuleDefault(
50
    policy.DocumentedRuleDefault(
1915
59
        name=base.IDENTITY % 'list_endpoints',
51
        name=base.IDENTITY % 'list_endpoints',
1916
60
        check_str=base.SYSTEM_READER,
52
        check_str=base.SYSTEM_READER,
1917
@@ -62,7 +54,9 @@ endpoint_policies = [
1918
62
        description='List endpoints.',
54
        description='List endpoints.',
1919
63
        operations=[{'path': '/v3/endpoints',
55
        operations=[{'path': '/v3/endpoints',
1920
64
                     'method': 'GET'}],
56
                     'method': 'GET'}],
1922
65
        deprecated_rule=deprecated_list_endpoints),
57
        deprecated_rule=deprecated_list_endpoints,
1923
58
        deprecated_reason=DEPRECATED_REASON,
1924
59
        deprecated_since=versionutils.deprecated.STEIN),
1925
66
    policy.DocumentedRuleDefault(
60
    policy.DocumentedRuleDefault(
1926
67
        name=base.IDENTITY % 'create_endpoint',
61
        name=base.IDENTITY % 'create_endpoint',
1927
68
        check_str=base.SYSTEM_ADMIN,
62
        check_str=base.SYSTEM_ADMIN,
1928
@@ -70,7 +64,9 @@ endpoint_policies = [
1929
70
        description='Create endpoint.',
64
        description='Create endpoint.',
1930
71
        operations=[{'path': '/v3/endpoints',
65
        operations=[{'path': '/v3/endpoints',
1931
72
                     'method': 'POST'}],
66
                     'method': 'POST'}],
1933
73
        deprecated_rule=deprecated_create_endpoint),
67
        deprecated_rule=deprecated_create_endpoint,
1934
68
        deprecated_reason=DEPRECATED_REASON,
1935
69
        deprecated_since=versionutils.deprecated.STEIN),
1936
74
    policy.DocumentedRuleDefault(
70
    policy.DocumentedRuleDefault(
1937
75
        name=base.IDENTITY % 'update_endpoint',
71
        name=base.IDENTITY % 'update_endpoint',
1938
76
        check_str=base.SYSTEM_ADMIN,
72
        check_str=base.SYSTEM_ADMIN,
1939
@@ -78,7 +74,9 @@ endpoint_policies = [
1940
78
        description='Update endpoint.',
74
        description='Update endpoint.',
1941
79
        operations=[{'path': '/v3/endpoints/{endpoint_id}',
75
        operations=[{'path': '/v3/endpoints/{endpoint_id}',
1942
80
                     'method': 'PATCH'}],
76
                     'method': 'PATCH'}],
1944
81
        deprecated_rule=deprecated_update_endpoint),
77
        deprecated_rule=deprecated_update_endpoint,
1945
78
        deprecated_reason=DEPRECATED_REASON,
1946
79
        deprecated_since=versionutils.deprecated.STEIN),
1947
82
    policy.DocumentedRuleDefault(
80
    policy.DocumentedRuleDefault(
1948
83
        name=base.IDENTITY % 'delete_endpoint',
81
        name=base.IDENTITY % 'delete_endpoint',
1949
84
        check_str=base.SYSTEM_ADMIN,
82
        check_str=base.SYSTEM_ADMIN,
1950
@@ -86,7 +84,9 @@ endpoint_policies = [
1951
86
        description='Delete endpoint.',
84
        description='Delete endpoint.',
1952
87
        operations=[{'path': '/v3/endpoints/{endpoint_id}',
85
        operations=[{'path': '/v3/endpoints/{endpoint_id}',
1953
88
                     'method': 'DELETE'}],
86
                     'method': 'DELETE'}],
1955
89
        deprecated_rule=deprecated_delete_endpoint)
87
        deprecated_rule=deprecated_delete_endpoint,
1956
88
        deprecated_reason=DEPRECATED_REASON,
1957
89
        deprecated_since=versionutils.deprecated.STEIN)
1958
90
]
90
]
1959
91
91
1960
92
92
1961
diff --git a/keystone/common/policies/endpoint_group.py b/keystone/common/policies/endpoint_group.py
1962
index 741e0b7..691a6fe 100644
1963
--- a/keystone/common/policies/endpoint_group.py
1964
+++ b/keystone/common/policies/endpoint_group.py
1965
@@ -15,85 +15,64 @@ from oslo_policy import policy
1966
15
15
1967
16
from keystone.common.policies import base
16
from keystone.common.policies import base
1968
17
17
1969
18
DEPRECATED_REASON = (
1970
19
    "The endpoint groups API is now aware of system scope and default roles."
1971
20
)
1972
21
1973
22
deprecated_list_endpoint_groups = policy.DeprecatedRule(
18
deprecated_list_endpoint_groups = policy.DeprecatedRule(
1974
23
    name=base.IDENTITY % 'list_endpoint_groups',
19
    name=base.IDENTITY % 'list_endpoint_groups',
1975
24
    check_str=base.RULE_ADMIN_REQUIRED,
20
    check_str=base.RULE_ADMIN_REQUIRED,
1976
25
    deprecated_reason=DEPRECATED_REASON,
1977
26
    deprecated_since=versionutils.deprecated.TRAIN
1978
27
)
21
)
1979
28
22
1980
29
deprecated_get_endpoint_group = policy.DeprecatedRule(
23
deprecated_get_endpoint_group = policy.DeprecatedRule(
1981
30
    name=base.IDENTITY % 'get_endpoint_group',
24
    name=base.IDENTITY % 'get_endpoint_group',
1982
31
    check_str=base.RULE_ADMIN_REQUIRED,
25
    check_str=base.RULE_ADMIN_REQUIRED,
1983
32
    deprecated_reason=DEPRECATED_REASON,
1984
33
    deprecated_since=versionutils.deprecated.TRAIN
1985
34
)
26
)
1986
35
27
1987
36
deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule(
28
deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule(
1988
37
    name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
29
    name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
1989
38
    check_str=base.RULE_ADMIN_REQUIRED,
30
    check_str=base.RULE_ADMIN_REQUIRED,
1990
39
    deprecated_reason=DEPRECATED_REASON,
1991
40
    deprecated_since=versionutils.deprecated.TRAIN
1992
41
)
31
)
1993
42
32
1994
43
deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule(
33
deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule(
1995
44
    name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
34
    name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
1996
45
    check_str=base.RULE_ADMIN_REQUIRED,
35
    check_str=base.RULE_ADMIN_REQUIRED,
1997
46
    deprecated_reason=DEPRECATED_REASON,
1998
47
    deprecated_since=versionutils.deprecated.TRAIN
1999
48
)
36
)
2000
49
37
2001
50
deprecated_get_endpoint_group_in_project = policy.DeprecatedRule(
38
deprecated_get_endpoint_group_in_project = policy.DeprecatedRule(
2002
51
    name=base.IDENTITY % 'get_endpoint_group_in_project',
39
    name=base.IDENTITY % 'get_endpoint_group_in_project',
2003
52
    check_str=base.RULE_ADMIN_REQUIRED,
40
    check_str=base.RULE_ADMIN_REQUIRED,
2004
53
    deprecated_reason=DEPRECATED_REASON,
2005
54
    deprecated_since=versionutils.deprecated.TRAIN
2006
55
)
41
)
2007
56
42
2008
57
deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule(
43
deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule(
2009
58
    name=base.IDENTITY % 'list_endpoint_groups_for_project',
44
    name=base.IDENTITY % 'list_endpoint_groups_for_project',
2010
59
    check_str=base.RULE_ADMIN_REQUIRED,
45
    check_str=base.RULE_ADMIN_REQUIRED,
2011
60
    deprecated_reason=DEPRECATED_REASON,
2012
61
    deprecated_since=versionutils.deprecated.TRAIN
2013
62
)
46
)
2014
63
47
2015
64
deprecated_create_endpoint_group = policy.DeprecatedRule(
48
deprecated_create_endpoint_group = policy.DeprecatedRule(
2016
65
    name=base.IDENTITY % 'create_endpoint_group',
49
    name=base.IDENTITY % 'create_endpoint_group',
2017
66
    check_str=base.RULE_ADMIN_REQUIRED,
50
    check_str=base.RULE_ADMIN_REQUIRED,
2018
67
    deprecated_reason=DEPRECATED_REASON,
2019
68
    deprecated_since=versionutils.deprecated.TRAIN
2020
69
)
51
)
2021
70
52
2022
71
deprecated_update_endpoint_group = policy.DeprecatedRule(
53
deprecated_update_endpoint_group = policy.DeprecatedRule(
2023
72
    name=base.IDENTITY % 'update_endpoint_group',
54
    name=base.IDENTITY % 'update_endpoint_group',
2024
73
    check_str=base.RULE_ADMIN_REQUIRED,
55
    check_str=base.RULE_ADMIN_REQUIRED,
2025
74
    deprecated_reason=DEPRECATED_REASON,
2026
75
    deprecated_since=versionutils.deprecated.TRAIN
2027
76
)
56
)
2028
77
57
2029
78
deprecated_delete_endpoint_group = policy.DeprecatedRule(
58
deprecated_delete_endpoint_group = policy.DeprecatedRule(
2030
79
    name=base.IDENTITY % 'delete_endpoint_group',
59
    name=base.IDENTITY % 'delete_endpoint_group',
2031
80
    check_str=base.RULE_ADMIN_REQUIRED,
60
    check_str=base.RULE_ADMIN_REQUIRED,
2032
81
    deprecated_reason=DEPRECATED_REASON,
2033
82
    deprecated_since=versionutils.deprecated.TRAIN
2034
83
)
61
)
2035
84
62
2036
85
deprecated_add_endpoint_group_to_project = policy.DeprecatedRule(
63
deprecated_add_endpoint_group_to_project = policy.DeprecatedRule(
2037
86
    name=base.IDENTITY % 'add_endpoint_group_to_project',
64
    name=base.IDENTITY % 'add_endpoint_group_to_project',
2038
87
    check_str=base.RULE_ADMIN_REQUIRED,
65
    check_str=base.RULE_ADMIN_REQUIRED,
2039
88
    deprecated_reason=DEPRECATED_REASON,
2040
89
    deprecated_since=versionutils.deprecated.TRAIN
2041
90
)
66
)
2042
91
67
2043
92
deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule(
68
deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule(
2044
93
    name=base.IDENTITY % 'remove_endpoint_group_from_project',
69
    name=base.IDENTITY % 'remove_endpoint_group_from_project',
2045
94
    check_str=base.RULE_ADMIN_REQUIRED,
70
    check_str=base.RULE_ADMIN_REQUIRED,
2048
95
    deprecated_reason=DEPRECATED_REASON,
71
)
2049
96
    deprecated_since=versionutils.deprecated.TRAIN
72
2050
73
2051
74
DEPRECATED_REASON = (
2052
75
    "The endpoint groups API is now aware of system scope and default roles."
2053
97
)
76
)
2054
98
77
2055
99
78
2056
@@ -105,7 +84,9 @@ group_endpoint_policies = [
2057
105
        description='Create endpoint group.',
84
        description='Create endpoint group.',
2058
106
        operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
85
        operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
2059
107
                     'method': 'POST'}],
86
                     'method': 'POST'}],
2061
108
        deprecated_rule=deprecated_create_endpoint_group),
87
        deprecated_rule=deprecated_create_endpoint_group,
2062
88
        deprecated_reason=DEPRECATED_REASON,
2063
89
        deprecated_since=versionutils.deprecated.TRAIN),
2064
109
    policy.DocumentedRuleDefault(
90
    policy.DocumentedRuleDefault(
2065
110
        name=base.IDENTITY % 'list_endpoint_groups',
91
        name=base.IDENTITY % 'list_endpoint_groups',
2066
111
        check_str=base.SYSTEM_READER,
92
        check_str=base.SYSTEM_READER,
2067
@@ -113,7 +94,9 @@ group_endpoint_policies = [
2068
113
        description='List endpoint groups.',
94
        description='List endpoint groups.',
2069
114
        operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
95
        operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
2070
115
                     'method': 'GET'}],
96
                     'method': 'GET'}],
2072
116
        deprecated_rule=deprecated_list_endpoint_groups),
97
        deprecated_rule=deprecated_list_endpoint_groups,
2073
98
        deprecated_reason=DEPRECATED_REASON,
2074
99
        deprecated_since=versionutils.deprecated.TRAIN),
2075
117
    policy.DocumentedRuleDefault(
100
    policy.DocumentedRuleDefault(
2076
118
        name=base.IDENTITY % 'get_endpoint_group',
101
        name=base.IDENTITY % 'get_endpoint_group',
2077
119
        check_str=base.SYSTEM_READER,
102
        check_str=base.SYSTEM_READER,
2078
@@ -125,7 +108,9 @@ group_endpoint_policies = [
2079
125
                    {'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
108
                    {'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2080
126
                              '{endpoint_group_id}'),
109
                              '{endpoint_group_id}'),
2081
127
                     'method': 'HEAD'}],
110
                     'method': 'HEAD'}],
2083
128
        deprecated_rule=deprecated_get_endpoint_group),
111
        deprecated_rule=deprecated_get_endpoint_group,
2084
112
        deprecated_reason=DEPRECATED_REASON,
2085
113
        deprecated_since=versionutils.deprecated.TRAIN),
2086
129
    policy.DocumentedRuleDefault(
114
    policy.DocumentedRuleDefault(
2087
130
        name=base.IDENTITY % 'update_endpoint_group',
115
        name=base.IDENTITY % 'update_endpoint_group',
2088
131
        check_str=base.SYSTEM_ADMIN,
116
        check_str=base.SYSTEM_ADMIN,
2089
@@ -134,7 +119,9 @@ group_endpoint_policies = [
2090
134
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
119
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2091
135
                              '{endpoint_group_id}'),
120
                              '{endpoint_group_id}'),
2092
136
                     'method': 'PATCH'}],
121
                     'method': 'PATCH'}],
2094
137
        deprecated_rule=deprecated_update_endpoint_group),
122
        deprecated_rule=deprecated_update_endpoint_group,
2095
123
        deprecated_reason=DEPRECATED_REASON,
2096
124
        deprecated_since=versionutils.deprecated.TRAIN),
2097
138
    policy.DocumentedRuleDefault(
125
    policy.DocumentedRuleDefault(
2098
139
        name=base.IDENTITY % 'delete_endpoint_group',
126
        name=base.IDENTITY % 'delete_endpoint_group',
2099
140
        check_str=base.SYSTEM_ADMIN,
127
        check_str=base.SYSTEM_ADMIN,
2100
@@ -143,7 +130,9 @@ group_endpoint_policies = [
2101
143
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
130
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2102
144
                              '{endpoint_group_id}'),
131
                              '{endpoint_group_id}'),
2103
145
                     'method': 'DELETE'}],
132
                     'method': 'DELETE'}],
2105
146
        deprecated_rule=deprecated_delete_endpoint_group),
133
        deprecated_rule=deprecated_delete_endpoint_group,
2106
134
        deprecated_reason=DEPRECATED_REASON,
2107
135
        deprecated_since=versionutils.deprecated.TRAIN),
2108
147
    policy.DocumentedRuleDefault(
136
    policy.DocumentedRuleDefault(
2109
148
        name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
137
        name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
2110
149
        check_str=base.SYSTEM_READER,
138
        check_str=base.SYSTEM_READER,
2111
@@ -153,7 +142,9 @@ group_endpoint_policies = [
2112
153
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
142
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2113
154
                              '{endpoint_group_id}/projects'),
143
                              '{endpoint_group_id}/projects'),
2114
155
                     'method': 'GET'}],
144
                     'method': 'GET'}],
2116
156
        deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group),
145
        deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group,
2117
146
        deprecated_reason=DEPRECATED_REASON,
2118
147
        deprecated_since=versionutils.deprecated.TRAIN),
2119
157
    policy.DocumentedRuleDefault(
148
    policy.DocumentedRuleDefault(
2120
158
        name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
149
        name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
2121
159
        check_str=base.SYSTEM_READER,
150
        check_str=base.SYSTEM_READER,
2122
@@ -162,7 +153,9 @@ group_endpoint_policies = [
2123
162
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
153
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2124
163
                              '{endpoint_group_id}/endpoints'),
154
                              '{endpoint_group_id}/endpoints'),
2125
164
                     'method': 'GET'}],
155
                     'method': 'GET'}],
2127
165
        deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group),
156
        deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group,
2128
157
        deprecated_reason=DEPRECATED_REASON,
2129
158
        deprecated_since=versionutils.deprecated.TRAIN),
2130
166
    policy.DocumentedRuleDefault(
159
    policy.DocumentedRuleDefault(
2131
167
        name=base.IDENTITY % 'get_endpoint_group_in_project',
160
        name=base.IDENTITY % 'get_endpoint_group_in_project',
2132
168
        check_str=base.SYSTEM_READER,
161
        check_str=base.SYSTEM_READER,
2133
@@ -175,7 +168,9 @@ group_endpoint_policies = [
2134
175
                    {'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
168
                    {'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2135
176
                              '{endpoint_group_id}/projects/{project_id}'),
169
                              '{endpoint_group_id}/projects/{project_id}'),
2136
177
                     'method': 'HEAD'}],
170
                     'method': 'HEAD'}],
2138
178
        deprecated_rule=deprecated_get_endpoint_group_in_project),
171
        deprecated_rule=deprecated_get_endpoint_group_in_project,
2139
172
        deprecated_reason=DEPRECATED_REASON,
2140
173
        deprecated_since=versionutils.deprecated.TRAIN),
2141
179
    policy.DocumentedRuleDefault(
174
    policy.DocumentedRuleDefault(
2142
180
        name=base.IDENTITY % 'list_endpoint_groups_for_project',
175
        name=base.IDENTITY % 'list_endpoint_groups_for_project',
2143
181
        check_str=base.SYSTEM_READER,
176
        check_str=base.SYSTEM_READER,
2144
@@ -184,7 +179,9 @@ group_endpoint_policies = [
2145
184
        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
179
        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
2146
185
                              'endpoint_groups'),
180
                              'endpoint_groups'),
2147
186
                     'method': 'GET'}],
181
                     'method': 'GET'}],
2149
187
        deprecated_rule=deprecated_list_endpoint_groups_for_project),
182
        deprecated_rule=deprecated_list_endpoint_groups_for_project,
2150
183
        deprecated_reason=DEPRECATED_REASON,
2151
184
        deprecated_since=versionutils.deprecated.TRAIN),
2152
188
    policy.DocumentedRuleDefault(
185
    policy.DocumentedRuleDefault(
2153
189
        name=base.IDENTITY % 'add_endpoint_group_to_project',
186
        name=base.IDENTITY % 'add_endpoint_group_to_project',
2154
190
        check_str=base.SYSTEM_ADMIN,
187
        check_str=base.SYSTEM_ADMIN,
2155
@@ -193,7 +190,9 @@ group_endpoint_policies = [
2156
193
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
190
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2157
194
                              '{endpoint_group_id}/projects/{project_id}'),
191
                              '{endpoint_group_id}/projects/{project_id}'),
2158
195
                     'method': 'PUT'}],
192
                     'method': 'PUT'}],
2160
196
        deprecated_rule=deprecated_add_endpoint_group_to_project),
193
        deprecated_rule=deprecated_add_endpoint_group_to_project,
2161
194
        deprecated_reason=DEPRECATED_REASON,
2162
195
        deprecated_since=versionutils.deprecated.TRAIN),
2163
197
    policy.DocumentedRuleDefault(
196
    policy.DocumentedRuleDefault(
2164
198
        name=base.IDENTITY % 'remove_endpoint_group_from_project',
197
        name=base.IDENTITY % 'remove_endpoint_group_from_project',
2165
199
        check_str=base.SYSTEM_ADMIN,
198
        check_str=base.SYSTEM_ADMIN,
2166
@@ -202,7 +201,9 @@ group_endpoint_policies = [
2167
202
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
201
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2168
203
                              '{endpoint_group_id}/projects/{project_id}'),
202
                              '{endpoint_group_id}/projects/{project_id}'),
2169
204
                     'method': 'DELETE'}],
203
                     'method': 'DELETE'}],
2171
205
        deprecated_rule=deprecated_remove_endpoint_group_from_project)
204
        deprecated_rule=deprecated_remove_endpoint_group_from_project,
2172
205
        deprecated_reason=DEPRECATED_REASON,
2173
206
        deprecated_since=versionutils.deprecated.TRAIN)
2174
206
]
207
]
2175
207
208
2176
208
209
2177
diff --git a/keystone/common/policies/grant.py b/keystone/common/policies/grant.py
2178
index 0e1b928..09ef1c9 100644
2179
--- a/keystone/common/policies/grant.py
2180
+++ b/keystone/common/policies/grant.py
2181
@@ -66,79 +66,54 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
2182
66
    '(' + DOMAIN_MATCHES_ROLE + ')'
66
    '(' + DOMAIN_MATCHES_ROLE + ')'
2183
67
)
67
)
2184
68
68
2185
69
DEPRECATED_REASON = (
2186
70
    "The assignment API is now aware of system scope and default roles."
2187
71
)
2188
72
2189
73
deprecated_check_system_grant_for_user = policy.DeprecatedRule(
69
deprecated_check_system_grant_for_user = policy.DeprecatedRule(
2190
74
    name=base.IDENTITY % 'check_system_grant_for_user',
70
    name=base.IDENTITY % 'check_system_grant_for_user',
2194
75
    check_str=base.RULE_ADMIN_REQUIRED,
71
    check_str=base.RULE_ADMIN_REQUIRED
2192
76
    deprecated_reason=DEPRECATED_REASON,
2193
77
    deprecated_since=versionutils.deprecated.STEIN
2195
78
)
72
)
2196
79
deprecated_list_system_grants_for_user = policy.DeprecatedRule(
73
deprecated_list_system_grants_for_user = policy.DeprecatedRule(
2197
80
    name=base.IDENTITY % 'list_system_grants_for_user',
74
    name=base.IDENTITY % 'list_system_grants_for_user',
2201
81
    check_str=base.RULE_ADMIN_REQUIRED,
75
    check_str=base.RULE_ADMIN_REQUIRED
2199
82
    deprecated_reason=DEPRECATED_REASON,
2200
83
    deprecated_since=versionutils.deprecated.STEIN
2202
84
)
76
)
2203
85
deprecated_create_system_grant_for_user = policy.DeprecatedRule(
77
deprecated_create_system_grant_for_user = policy.DeprecatedRule(
2204
86
    name=base.IDENTITY % 'create_system_grant_for_user',
78
    name=base.IDENTITY % 'create_system_grant_for_user',
2208
87
    check_str=base.RULE_ADMIN_REQUIRED,
79
    check_str=base.RULE_ADMIN_REQUIRED
2206
88
    deprecated_reason=DEPRECATED_REASON,
2207
89
    deprecated_since=versionutils.deprecated.STEIN
2209
90
)
80
)
2210
91
deprecated_revoke_system_grant_for_user = policy.DeprecatedRule(
81
deprecated_revoke_system_grant_for_user = policy.DeprecatedRule(
2211
92
    name=base.IDENTITY % 'revoke_system_grant_for_user',
82
    name=base.IDENTITY % 'revoke_system_grant_for_user',
2215
93
    check_str=base.RULE_ADMIN_REQUIRED,
83
    check_str=base.RULE_ADMIN_REQUIRED
2213
94
    deprecated_reason=DEPRECATED_REASON,
2214
95
    deprecated_since=versionutils.deprecated.STEIN
2216
96
)
84
)
2217
97
deprecated_check_system_grant_for_group = policy.DeprecatedRule(
85
deprecated_check_system_grant_for_group = policy.DeprecatedRule(
2218
98
    name=base.IDENTITY % 'check_system_grant_for_group',
86
    name=base.IDENTITY % 'check_system_grant_for_group',
2222
99
    check_str=base.RULE_ADMIN_REQUIRED,
87
    check_str=base.RULE_ADMIN_REQUIRED
2220
100
    deprecated_reason=DEPRECATED_REASON,
2221
101
    deprecated_since=versionutils.deprecated.STEIN
2223
102
)
88
)
2224
103
deprecated_list_system_grants_for_group = policy.DeprecatedRule(
89
deprecated_list_system_grants_for_group = policy.DeprecatedRule(
2225
104
    name=base.IDENTITY % 'list_system_grants_for_group',
90
    name=base.IDENTITY % 'list_system_grants_for_group',
2229
105
    check_str=base.RULE_ADMIN_REQUIRED,
91
    check_str=base.RULE_ADMIN_REQUIRED
2227
106
    deprecated_reason=DEPRECATED_REASON,
2228
107
    deprecated_since=versionutils.deprecated.STEIN
2230
108
)
92
)
2231
109
deprecated_create_system_grant_for_group = policy.DeprecatedRule(
93
deprecated_create_system_grant_for_group = policy.DeprecatedRule(
2232
110
    name=base.IDENTITY % 'create_system_grant_for_group',
94
    name=base.IDENTITY % 'create_system_grant_for_group',
2236
111
    check_str=base.RULE_ADMIN_REQUIRED,
95
    check_str=base.RULE_ADMIN_REQUIRED
2234
112
    deprecated_reason=DEPRECATED_REASON,
2235
113
    deprecated_since=versionutils.deprecated.STEIN
2237
114
)
96
)
2238
115
deprecated_revoke_system_grant_for_group = policy.DeprecatedRule(
97
deprecated_revoke_system_grant_for_group = policy.DeprecatedRule(
2239
116
    name=base.IDENTITY % 'revoke_system_grant_for_group',
98
    name=base.IDENTITY % 'revoke_system_grant_for_group',
2243
117
    check_str=base.RULE_ADMIN_REQUIRED,
99
    check_str=base.RULE_ADMIN_REQUIRED
2241
118
    deprecated_reason=DEPRECATED_REASON,
2242
119
    deprecated_since=versionutils.deprecated.STEIN
2244
120
)
100
)
2245
121
deprecated_list_grants = policy.DeprecatedRule(
101
deprecated_list_grants = policy.DeprecatedRule(
2249
122
    name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED,
102
    name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED
2247
123
    deprecated_reason=DEPRECATED_REASON,
2248
124
    deprecated_since=versionutils.deprecated.STEIN
2250
125
)
103
)
2251
126
deprecated_check_grant = policy.DeprecatedRule(
104
deprecated_check_grant = policy.DeprecatedRule(
2255
127
    name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED,
105
    name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED
2253
128
    deprecated_reason=DEPRECATED_REASON,
2254
129
    deprecated_since=versionutils.deprecated.STEIN
2256
130
)
106
)
2257
131
deprecated_create_grant = policy.DeprecatedRule(
107
deprecated_create_grant = policy.DeprecatedRule(
2261
132
    name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED,
108
    name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED
2259
133
    deprecated_reason=DEPRECATED_REASON,
2260
134
    deprecated_since=versionutils.deprecated.STEIN
2262
135
)
109
)
2263
136
deprecated_revoke_grant = policy.DeprecatedRule(
110
deprecated_revoke_grant = policy.DeprecatedRule(
2267
137
    name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED,
111
    name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED
2265
138
    deprecated_reason=DEPRECATED_REASON,
2266
139
    deprecated_since=versionutils.deprecated.STEIN
2268
140
)
112
)
2269
141
113
2270
114
DEPRECATED_REASON = (
2271
115
    "The assignment API is now aware of system scope and default roles."
2272
116
)
2273
142
117
2274
143
resource_paths = [
118
resource_paths = [
2275
144
    '/projects/{project_id}/users/{user_id}/roles/{role_id}',
119
    '/projects/{project_id}/users/{user_id}/roles/{role_id}',
2276
@@ -192,7 +167,9 @@ grant_policies = [
2277
192
                     'are inherited to all projects in the subtree, if '
167
                     'are inherited to all projects in the subtree, if '
2278
193
                     'applicable.'),
168
                     'applicable.'),
2279
194
        operations=list_operations(resource_paths, ['HEAD', 'GET']),
169
        operations=list_operations(resource_paths, ['HEAD', 'GET']),
2281
195
        deprecated_rule=deprecated_check_grant),
170
        deprecated_rule=deprecated_check_grant,
2282
171
        deprecated_reason=DEPRECATED_REASON,
2283
172
        deprecated_since=versionutils.deprecated.STEIN),
2284
196
    policy.DocumentedRuleDefault(
173
    policy.DocumentedRuleDefault(
2285
197
        name=base.IDENTITY % 'list_grants',
174
        name=base.IDENTITY % 'list_grants',
2286
198
        check_str=SYSTEM_READER_OR_DOMAIN_READER_LIST,
175
        check_str=SYSTEM_READER_OR_DOMAIN_READER_LIST,
2287
@@ -204,7 +181,9 @@ grant_policies = [
2288
204
                     'domains, where grants are inherited to all projects '
181
                     'domains, where grants are inherited to all projects '
2289
205
                     'in the specified domain.'),
182
                     'in the specified domain.'),
2290
206
        operations=list_grants_operations,
183
        operations=list_grants_operations,
2292
207
        deprecated_rule=deprecated_list_grants),
184
        deprecated_rule=deprecated_list_grants,
2293
185
        deprecated_reason=DEPRECATED_REASON,
2294
186
        deprecated_since=versionutils.deprecated.STEIN),
2295
208
    policy.DocumentedRuleDefault(
187
    policy.DocumentedRuleDefault(
2296
209
        name=base.IDENTITY % 'create_grant',
188
        name=base.IDENTITY % 'create_grant',
2297
210
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
189
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
2298
@@ -216,7 +195,9 @@ grant_policies = [
2299
216
                     'are inherited to all projects in the subtree, if '
195
                     'are inherited to all projects in the subtree, if '
2300
217
                     'applicable.'),
196
                     'applicable.'),
2301
218
        operations=list_operations(resource_paths, ['PUT']),
197
        operations=list_operations(resource_paths, ['PUT']),
2303
219
        deprecated_rule=deprecated_create_grant),
198
        deprecated_rule=deprecated_create_grant,
2304
199
        deprecated_reason=DEPRECATED_REASON,
2305
200
        deprecated_since=versionutils.deprecated.STEIN),
2306
220
    policy.DocumentedRuleDefault(
201
    policy.DocumentedRuleDefault(
2307
221
        name=base.IDENTITY % 'revoke_grant',
202
        name=base.IDENTITY % 'revoke_grant',
2308
222
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
203
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
2309
@@ -230,7 +211,9 @@ grant_policies = [
2310
230
                     'the target would remove the logical effect of '
211
                     'the target would remove the logical effect of '
2311
231
                     'inheriting it to the target\'s projects subtree.'),
212
                     'inheriting it to the target\'s projects subtree.'),
2312
232
        operations=list_operations(resource_paths, ['DELETE']),
213
        operations=list_operations(resource_paths, ['DELETE']),
2314
233
        deprecated_rule=deprecated_revoke_grant),
214
        deprecated_rule=deprecated_revoke_grant,
2315
215
        deprecated_reason=DEPRECATED_REASON,
2316
216
        deprecated_since=versionutils.deprecated.STEIN),
2317
234
    policy.DocumentedRuleDefault(
217
    policy.DocumentedRuleDefault(
2318
235
        name=base.IDENTITY % 'list_system_grants_for_user',
218
        name=base.IDENTITY % 'list_system_grants_for_user',
2319
236
        check_str=base.SYSTEM_READER,
219
        check_str=base.SYSTEM_READER,
2320
@@ -243,6 +226,8 @@ grant_policies = [
2321
243
            }
226
            }
2322
244
        ],
227
        ],
2323
245
        deprecated_rule=deprecated_list_system_grants_for_user,
228
        deprecated_rule=deprecated_list_system_grants_for_user,
2324
229
        deprecated_reason=DEPRECATED_REASON,
2325
230
        deprecated_since=versionutils.deprecated.STEIN
2326
246
    ),
231
    ),
2327
247
    policy.DocumentedRuleDefault(
232
    policy.DocumentedRuleDefault(
2328
248
        name=base.IDENTITY % 'check_system_grant_for_user',
233
        name=base.IDENTITY % 'check_system_grant_for_user',
2329
@@ -256,6 +241,8 @@ grant_policies = [
2330
256
            }
241
            }
2331
257
        ],
242
        ],
2332
258
        deprecated_rule=deprecated_check_system_grant_for_user,
243
        deprecated_rule=deprecated_check_system_grant_for_user,
2333
244
        deprecated_reason=DEPRECATED_REASON,
2334
245
        deprecated_since=versionutils.deprecated.STEIN
2335
259
    ),
246
    ),
2336
260
    policy.DocumentedRuleDefault(
247
    policy.DocumentedRuleDefault(
2337
261
        name=base.IDENTITY % 'create_system_grant_for_user',
248
        name=base.IDENTITY % 'create_system_grant_for_user',
2338
@@ -269,6 +256,8 @@ grant_policies = [
2339
269
            }
256
            }
2340
270
        ],
257
        ],
2341
271
        deprecated_rule=deprecated_create_system_grant_for_user,
258
        deprecated_rule=deprecated_create_system_grant_for_user,
2342
259
        deprecated_reason=DEPRECATED_REASON,
2343
260
        deprecated_since=versionutils.deprecated.STEIN
2344
272
    ),
261
    ),
2345
273
    policy.DocumentedRuleDefault(
262
    policy.DocumentedRuleDefault(
2346
274
        name=base.IDENTITY % 'revoke_system_grant_for_user',
263
        name=base.IDENTITY % 'revoke_system_grant_for_user',
2347
@@ -282,6 +271,8 @@ grant_policies = [
2348
282
            }
271
            }
2349
283
        ],
272
        ],
2350
284
        deprecated_rule=deprecated_revoke_system_grant_for_user,
273
        deprecated_rule=deprecated_revoke_system_grant_for_user,
2351
274
        deprecated_reason=DEPRECATED_REASON,
2352
275
        deprecated_since=versionutils.deprecated.STEIN
2353
285
    ),
276
    ),
2354
286
    policy.DocumentedRuleDefault(
277
    policy.DocumentedRuleDefault(
2355
287
        name=base.IDENTITY % 'list_system_grants_for_group',
278
        name=base.IDENTITY % 'list_system_grants_for_group',
2356
@@ -295,6 +286,8 @@ grant_policies = [
2357
295
            }
286
            }
2358
296
        ],
287
        ],
2359
297
        deprecated_rule=deprecated_list_system_grants_for_group,
288
        deprecated_rule=deprecated_list_system_grants_for_group,
2360
289
        deprecated_reason=DEPRECATED_REASON,
2361
290
        deprecated_since=versionutils.deprecated.STEIN
2362
298
    ),
291
    ),
2363
299
    policy.DocumentedRuleDefault(
292
    policy.DocumentedRuleDefault(
2364
300
        name=base.IDENTITY % 'check_system_grant_for_group',
293
        name=base.IDENTITY % 'check_system_grant_for_group',
2365
@@ -308,6 +301,8 @@ grant_policies = [
2366
308
            }
301
            }
2367
309
        ],
302
        ],
2368
310
        deprecated_rule=deprecated_check_system_grant_for_group,
303
        deprecated_rule=deprecated_check_system_grant_for_group,
2369
304
        deprecated_reason=DEPRECATED_REASON,
2370
305
        deprecated_since=versionutils.deprecated.STEIN
2371
311
    ),
306
    ),
2372
312
    policy.DocumentedRuleDefault(
307
    policy.DocumentedRuleDefault(
2373
313
        name=base.IDENTITY % 'create_system_grant_for_group',
308
        name=base.IDENTITY % 'create_system_grant_for_group',
2374
@@ -321,6 +316,8 @@ grant_policies = [
2375
321
            }
316
            }
2376
322
        ],
317
        ],
2377
323
        deprecated_rule=deprecated_create_system_grant_for_group,
318
        deprecated_rule=deprecated_create_system_grant_for_group,
2378
319
        deprecated_reason=DEPRECATED_REASON,
2379
320
        deprecated_since=versionutils.deprecated.STEIN
2380
324
    ),
321
    ),
2381
325
    policy.DocumentedRuleDefault(
322
    policy.DocumentedRuleDefault(
2382
326
        name=base.IDENTITY % 'revoke_system_grant_for_group',
323
        name=base.IDENTITY % 'revoke_system_grant_for_group',
2383
@@ -334,6 +331,8 @@ grant_policies = [
2384
334
            }
331
            }
2385
335
        ],
332
        ],
2386
336
        deprecated_rule=deprecated_revoke_system_grant_for_group,
333
        deprecated_rule=deprecated_revoke_system_grant_for_group,
2387
334
        deprecated_reason=DEPRECATED_REASON,
2388
335
        deprecated_since=versionutils.deprecated.STEIN
2389
337
    )
336
    )
2390
338
]
337
]
2391
339
338
2392
diff --git a/keystone/common/policies/group.py b/keystone/common/policies/group.py
2393
index 0106bad..d33da92 100644
2394
--- a/keystone/common/policies/group.py
2395
+++ b/keystone/common/policies/group.py
2396
@@ -51,63 +51,43 @@ DEPRECATED_REASON = (
2397
51
51
2398
52
deprecated_get_group = policy.DeprecatedRule(
52
deprecated_get_group = policy.DeprecatedRule(
2399
53
    name=base.IDENTITY % 'get_group',
53
    name=base.IDENTITY % 'get_group',
2403
54
    check_str=base.RULE_ADMIN_REQUIRED,
54
    check_str=base.RULE_ADMIN_REQUIRED
2401
55
    deprecated_reason=DEPRECATED_REASON,
2402
56
    deprecated_since=versionutils.deprecated.STEIN
2404
57
)
55
)
2405
58
deprecated_list_groups = policy.DeprecatedRule(
56
deprecated_list_groups = policy.DeprecatedRule(
2406
59
    name=base.IDENTITY % 'list_groups',
57
    name=base.IDENTITY % 'list_groups',
2410
60
    check_str=base.RULE_ADMIN_REQUIRED,
58
    check_str=base.RULE_ADMIN_REQUIRED
2408
61
    deprecated_reason=DEPRECATED_REASON,
2409
62
    deprecated_since=versionutils.deprecated.STEIN
2411
63
)
59
)
2412
64
deprecated_list_groups_for_user = policy.DeprecatedRule(
60
deprecated_list_groups_for_user = policy.DeprecatedRule(
2413
65
    name=base.IDENTITY % 'list_groups_for_user',
61
    name=base.IDENTITY % 'list_groups_for_user',
2417
66
    check_str=base.RULE_ADMIN_OR_OWNER,
62
    check_str=base.RULE_ADMIN_OR_OWNER
2415
67
    deprecated_reason=DEPRECATED_REASON,
2416
68
    deprecated_since=versionutils.deprecated.STEIN
2418
69
)
63
)
2419
70
deprecated_list_users_in_group = policy.DeprecatedRule(
64
deprecated_list_users_in_group = policy.DeprecatedRule(
2420
71
    name=base.IDENTITY % 'list_users_in_group',
65
    name=base.IDENTITY % 'list_users_in_group',
2424
72
    check_str=base.RULE_ADMIN_REQUIRED,
66
    check_str=base.RULE_ADMIN_REQUIRED
2422
73
    deprecated_reason=DEPRECATED_REASON,
2423
74
    deprecated_since=versionutils.deprecated.STEIN
2425
75
)
67
)
2426
76
deprecated_check_user_in_group = policy.DeprecatedRule(
68
deprecated_check_user_in_group = policy.DeprecatedRule(
2427
77
    name=base.IDENTITY % 'check_user_in_group',
69
    name=base.IDENTITY % 'check_user_in_group',
2431
78
    check_str=base.RULE_ADMIN_REQUIRED,
70
    check_str=base.RULE_ADMIN_REQUIRED
2429
79
    deprecated_reason=DEPRECATED_REASON,
2430
80
    deprecated_since=versionutils.deprecated.STEIN
2432
81
)
71
)
2433
82
deprecated_create_group = policy.DeprecatedRule(
72
deprecated_create_group = policy.DeprecatedRule(
2434
83
    name=base.IDENTITY % 'create_group',
73
    name=base.IDENTITY % 'create_group',
2438
84
    check_str=base.RULE_ADMIN_REQUIRED,
74
    check_str=base.RULE_ADMIN_REQUIRED
2436
85
    deprecated_reason=DEPRECATED_REASON,
2437
86
    deprecated_since=versionutils.deprecated.STEIN
2439
87
)
75
)
2440
88
deprecated_update_group = policy.DeprecatedRule(
76
deprecated_update_group = policy.DeprecatedRule(
2441
89
    name=base.IDENTITY % 'update_group',
77
    name=base.IDENTITY % 'update_group',
2445
90
    check_str=base.RULE_ADMIN_REQUIRED,
78
    check_str=base.RULE_ADMIN_REQUIRED
2443
91
    deprecated_reason=DEPRECATED_REASON,
2444
92
    deprecated_since=versionutils.deprecated.STEIN
2446
93
)
79
)
2447
94
deprecated_delete_group = policy.DeprecatedRule(
80
deprecated_delete_group = policy.DeprecatedRule(
2448
95
    name=base.IDENTITY % 'delete_group',
81
    name=base.IDENTITY % 'delete_group',
2452
96
    check_str=base.RULE_ADMIN_REQUIRED,
82
    check_str=base.RULE_ADMIN_REQUIRED
2450
97
    deprecated_reason=DEPRECATED_REASON,
2451
98
    deprecated_since=versionutils.deprecated.STEIN
2453
99
)
83
)
2454
100
deprecated_remove_user_from_group = policy.DeprecatedRule(
84
deprecated_remove_user_from_group = policy.DeprecatedRule(
2455
101
    name=base.IDENTITY % 'remove_user_from_group',
85
    name=base.IDENTITY % 'remove_user_from_group',
2459
102
    check_str=base.RULE_ADMIN_REQUIRED,
86
    check_str=base.RULE_ADMIN_REQUIRED
2457
103
    deprecated_reason=DEPRECATED_REASON,
2458
104
    deprecated_since=versionutils.deprecated.STEIN
2460
105
)
87
)
2461
106
deprecated_add_user_to_group = policy.DeprecatedRule(
88
deprecated_add_user_to_group = policy.DeprecatedRule(
2462
107
    name=base.IDENTITY % 'add_user_to_group',
89
    name=base.IDENTITY % 'add_user_to_group',
2466
108
    check_str=base.RULE_ADMIN_REQUIRED,
90
    check_str=base.RULE_ADMIN_REQUIRED
2464
109
    deprecated_reason=DEPRECATED_REASON,
2465
110
    deprecated_since=versionutils.deprecated.STEIN
2467
111
)
91
)
2468
112
92
2469
113
group_policies = [
93
group_policies = [
2470
@@ -120,7 +100,9 @@ group_policies = [
2471
120
                     'method': 'GET'},
100
                     'method': 'GET'},
2472
121
                    {'path': '/v3/groups/{group_id}',
101
                    {'path': '/v3/groups/{group_id}',
2473
122
                     'method': 'HEAD'}],
102
                     'method': 'HEAD'}],
2475
123
        deprecated_rule=deprecated_get_group),
103
        deprecated_rule=deprecated_get_group,
2476
104
        deprecated_reason=DEPRECATED_REASON,
2477
105
        deprecated_since=versionutils.deprecated.STEIN),
2478
124
    policy.DocumentedRuleDefault(
106
    policy.DocumentedRuleDefault(
2479
125
        name=base.IDENTITY % 'list_groups',
107
        name=base.IDENTITY % 'list_groups',
2480
126
        check_str=SYSTEM_READER_OR_DOMAIN_READER,
108
        check_str=SYSTEM_READER_OR_DOMAIN_READER,
2481
@@ -130,7 +112,9 @@ group_policies = [
2482
130
                     'method': 'GET'},
112
                     'method': 'GET'},
2483
131
                    {'path': '/v3/groups',
113
                    {'path': '/v3/groups',
2484
132
                     'method': 'HEAD'}],
114
                     'method': 'HEAD'}],
2486
133
        deprecated_rule=deprecated_list_groups),
115
        deprecated_rule=deprecated_list_groups,
2487
116
        deprecated_reason=DEPRECATED_REASON,
2488
117
        deprecated_since=versionutils.deprecated.STEIN),
2489
134
    policy.DocumentedRuleDefault(
118
    policy.DocumentedRuleDefault(
2490
135
        name=base.IDENTITY % 'list_groups_for_user',
119
        name=base.IDENTITY % 'list_groups_for_user',
2491
136
        check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER,
120
        check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER,
2492
@@ -140,7 +124,9 @@ group_policies = [
2493
140
                     'method': 'GET'},
124
                     'method': 'GET'},
2494
141
                    {'path': '/v3/users/{user_id}/groups',
125
                    {'path': '/v3/users/{user_id}/groups',
2495
142
                     'method': 'HEAD'}],
126
                     'method': 'HEAD'}],
2497
143
        deprecated_rule=deprecated_list_groups_for_user),
127
        deprecated_rule=deprecated_list_groups_for_user,
2498
128
        deprecated_reason=DEPRECATED_REASON,
2499
129
        deprecated_since=versionutils.deprecated.STEIN),
2500
144
    policy.DocumentedRuleDefault(
130
    policy.DocumentedRuleDefault(
2501
145
        name=base.IDENTITY % 'create_group',
131
        name=base.IDENTITY % 'create_group',
2502
146
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
132
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
2503
@@ -148,7 +134,9 @@ group_policies = [
2504
148
        description='Create group.',
134
        description='Create group.',
2505
149
        operations=[{'path': '/v3/groups',
135
        operations=[{'path': '/v3/groups',
2506
150
                     'method': 'POST'}],
136
                     'method': 'POST'}],
2508
151
        deprecated_rule=deprecated_create_group),
137
        deprecated_rule=deprecated_create_group,
2509
138
        deprecated_reason=DEPRECATED_REASON,
2510
139
        deprecated_since=versionutils.deprecated.STEIN),
2511
152
    policy.DocumentedRuleDefault(
140
    policy.DocumentedRuleDefault(
2512
153
        name=base.IDENTITY % 'update_group',
141
        name=base.IDENTITY % 'update_group',
2513
154
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
142
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
2514
@@ -156,7 +144,9 @@ group_policies = [
2515
156
        description='Update group.',
144
        description='Update group.',
2516
157
        operations=[{'path': '/v3/groups/{group_id}',
145
        operations=[{'path': '/v3/groups/{group_id}',
2517
158
                     'method': 'PATCH'}],
146
                     'method': 'PATCH'}],
2519
159
        deprecated_rule=deprecated_update_group),
147
        deprecated_rule=deprecated_update_group,
2520
148
        deprecated_reason=DEPRECATED_REASON,
2521
149
        deprecated_since=versionutils.deprecated.STEIN),
2522
160
    policy.DocumentedRuleDefault(
150
    policy.DocumentedRuleDefault(
2523
161
        name=base.IDENTITY % 'delete_group',
151
        name=base.IDENTITY % 'delete_group',
2524
162
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
152
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
2525
@@ -164,7 +154,9 @@ group_policies = [
2526
164
        description='Delete group.',
154
        description='Delete group.',
2527
165
        operations=[{'path': '/v3/groups/{group_id}',
155
        operations=[{'path': '/v3/groups/{group_id}',
2528
166
                     'method': 'DELETE'}],
156
                     'method': 'DELETE'}],
2530
167
        deprecated_rule=deprecated_delete_group),
157
        deprecated_rule=deprecated_delete_group,
2531
158
        deprecated_reason=DEPRECATED_REASON,
2532
159
        deprecated_since=versionutils.deprecated.STEIN),
2533
168
    policy.DocumentedRuleDefault(
160
    policy.DocumentedRuleDefault(
2534
169
        name=base.IDENTITY % 'list_users_in_group',
161
        name=base.IDENTITY % 'list_users_in_group',
2535
170
        check_str=SYSTEM_READER_OR_DOMAIN_READER,
162
        check_str=SYSTEM_READER_OR_DOMAIN_READER,
2536
@@ -174,7 +166,9 @@ group_policies = [
2537
174
                     'method': 'GET'},
166
                     'method': 'GET'},
2538
175
                    {'path': '/v3/groups/{group_id}/users',
167
                    {'path': '/v3/groups/{group_id}/users',
2539
176
                     'method': 'HEAD'}],
168
                     'method': 'HEAD'}],
2541
177
        deprecated_rule=deprecated_list_users_in_group),
169
        deprecated_rule=deprecated_list_users_in_group,
2542
170
        deprecated_reason=DEPRECATED_REASON,
2543
171
        deprecated_since=versionutils.deprecated.STEIN),
2544
178
    policy.DocumentedRuleDefault(
172
    policy.DocumentedRuleDefault(
2545
179
        name=base.IDENTITY % 'remove_user_from_group',
173
        name=base.IDENTITY % 'remove_user_from_group',
2546
180
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
174
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
2547
@@ -182,7 +176,9 @@ group_policies = [
2548
182
        description='Remove user from group.',
176
        description='Remove user from group.',
2549
183
        operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
177
        operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
2550
184
                     'method': 'DELETE'}],
178
                     'method': 'DELETE'}],
2552
185
        deprecated_rule=deprecated_remove_user_from_group),
179
        deprecated_rule=deprecated_remove_user_from_group,
2553
180
        deprecated_reason=DEPRECATED_REASON,
2554
181
        deprecated_since=versionutils.deprecated.STEIN),
2555
186
    policy.DocumentedRuleDefault(
182
    policy.DocumentedRuleDefault(
2556
187
        name=base.IDENTITY % 'check_user_in_group',
183
        name=base.IDENTITY % 'check_user_in_group',
2557
188
        check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER,
184
        check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER,
2558
@@ -192,7 +188,9 @@ group_policies = [
2559
192
                     'method': 'HEAD'},
188
                     'method': 'HEAD'},
2560
193
                    {'path': '/v3/groups/{group_id}/users/{user_id}',
189
                    {'path': '/v3/groups/{group_id}/users/{user_id}',
2561
194
                     'method': 'GET'}],
190
                     'method': 'GET'}],
2563
195
        deprecated_rule=deprecated_check_user_in_group),
191
        deprecated_rule=deprecated_check_user_in_group,
2564
192
        deprecated_reason=DEPRECATED_REASON,
2565
193
        deprecated_since=versionutils.deprecated.STEIN),
2566
196
    policy.DocumentedRuleDefault(
194
    policy.DocumentedRuleDefault(
2567
197
        name=base.IDENTITY % 'add_user_to_group',
195
        name=base.IDENTITY % 'add_user_to_group',
2568
198
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
196
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
2569
@@ -200,7 +198,9 @@ group_policies = [
2570
200
        description='Add user to group.',
198
        description='Add user to group.',
2571
201
        operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
199
        operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
2572
202
                     'method': 'PUT'}],
200
                     'method': 'PUT'}],
2574
203
        deprecated_rule=deprecated_add_user_to_group)
201
        deprecated_rule=deprecated_add_user_to_group,
2575
202
        deprecated_reason=DEPRECATED_REASON,
2576
203
        deprecated_since=versionutils.deprecated.STEIN)
2577
204
]
204
]
2578
205
205
2579
206
206
2580
diff --git a/keystone/common/policies/identity_provider.py b/keystone/common/policies/identity_provider.py
2581
index c1b4d5a..8d6ad46 100644
2582
--- a/keystone/common/policies/identity_provider.py
2583
+++ b/keystone/common/policies/identity_provider.py
2584
@@ -15,41 +15,30 @@ from oslo_policy import policy
2585
15
15
2586
16
from keystone.common.policies import base
16
from keystone.common.policies import base
2587
17
17
2588
18
DEPRECATED_REASON = (
2589
19
    "The identity provider API is now aware of system scope and default roles."
2590
20
)
2591
21
2592
22
deprecated_get_idp = policy.DeprecatedRule(
18
deprecated_get_idp = policy.DeprecatedRule(
2593
23
    name=base.IDENTITY % 'get_identity_provider',
19
    name=base.IDENTITY % 'get_identity_provider',
2597
24
    check_str=base.RULE_ADMIN_REQUIRED,
20
    check_str=base.RULE_ADMIN_REQUIRED
2595
25
    deprecated_reason=DEPRECATED_REASON,
2596
26
    deprecated_since=versionutils.deprecated.STEIN
2598
27
)
21
)
2599
28
deprecated_list_idp = policy.DeprecatedRule(
22
deprecated_list_idp = policy.DeprecatedRule(
2600
29
    name=base.IDENTITY % 'list_identity_providers',
23
    name=base.IDENTITY % 'list_identity_providers',
2604
30
    check_str=base.RULE_ADMIN_REQUIRED,
24
    check_str=base.RULE_ADMIN_REQUIRED
2602
31
    deprecated_reason=DEPRECATED_REASON,
2603
32
    deprecated_since=versionutils.deprecated.STEIN
2605
33
)
25
)
2606
34
deprecated_update_idp = policy.DeprecatedRule(
26
deprecated_update_idp = policy.DeprecatedRule(
2607
35
    name=base.IDENTITY % 'update_identity_provider',
27
    name=base.IDENTITY % 'update_identity_provider',
2611
36
    check_str=base.RULE_ADMIN_REQUIRED,
28
    check_str=base.RULE_ADMIN_REQUIRED
2609
37
    deprecated_reason=DEPRECATED_REASON,
2610
38
    deprecated_since=versionutils.deprecated.STEIN
2612
39
)
29
)
2613
40
deprecated_create_idp = policy.DeprecatedRule(
30
deprecated_create_idp = policy.DeprecatedRule(
2614
41
    name=base.IDENTITY % 'create_identity_provider',
31
    name=base.IDENTITY % 'create_identity_provider',
2618
42
    check_str=base.RULE_ADMIN_REQUIRED,
32
    check_str=base.RULE_ADMIN_REQUIRED
2616
43
    deprecated_reason=DEPRECATED_REASON,
2617
44
    deprecated_since=versionutils.deprecated.STEIN
2619
45
)
33
)
2620
46
deprecated_delete_idp = policy.DeprecatedRule(
34
deprecated_delete_idp = policy.DeprecatedRule(
2621
47
    name=base.IDENTITY % 'delete_identity_provider',
35
    name=base.IDENTITY % 'delete_identity_provider',
2625
48
    check_str=base.RULE_ADMIN_REQUIRED,
36
    check_str=base.RULE_ADMIN_REQUIRED
2623
49
    deprecated_reason=DEPRECATED_REASON,
2624
50
    deprecated_since=versionutils.deprecated.STEIN
2626
51
)
37
)
2627
52
38
2628
39
DEPRECATED_REASON = (
2629
40
    "The identity provider API is now aware of system scope and default roles."
2630
41
)
2631
53
42
2632
54
identity_provider_policies = [
43
identity_provider_policies = [
2633
55
    policy.DocumentedRuleDefault(
44
    policy.DocumentedRuleDefault(
2634
@@ -65,7 +54,9 @@ identity_provider_policies = [
2635
65
        description='Create identity provider.',
54
        description='Create identity provider.',
2636
66
        operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
55
        operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
2637
67
                     'method': 'PUT'}],
56
                     'method': 'PUT'}],
2639
68
        deprecated_rule=deprecated_create_idp),
57
        deprecated_rule=deprecated_create_idp,
2640
58
        deprecated_reason=DEPRECATED_REASON,
2641
59
        deprecated_since=versionutils.deprecated.STEIN),
2642
69
    policy.DocumentedRuleDefault(
60
    policy.DocumentedRuleDefault(
2643
70
        name=base.IDENTITY % 'list_identity_providers',
61
        name=base.IDENTITY % 'list_identity_providers',
2644
71
        check_str=base.SYSTEM_READER,
62
        check_str=base.SYSTEM_READER,
2645
@@ -82,6 +73,8 @@ identity_provider_policies = [
2646
82
            }
73
            }
2647
83
        ],
74
        ],
2648
84
        deprecated_rule=deprecated_list_idp,
75
        deprecated_rule=deprecated_list_idp,
2649
76
        deprecated_reason=DEPRECATED_REASON,
2650
77
        deprecated_since=versionutils.deprecated.STEIN
2651
85
    ),
78
    ),
2652
86
    policy.DocumentedRuleDefault(
79
    policy.DocumentedRuleDefault(
2653
87
        name=base.IDENTITY % 'get_identity_provider',
80
        name=base.IDENTITY % 'get_identity_provider',
2654
@@ -99,6 +92,8 @@ identity_provider_policies = [
2655
99
            }
92
            }
2656
100
        ],
93
        ],
2657
101
        deprecated_rule=deprecated_get_idp,
94
        deprecated_rule=deprecated_get_idp,
2658
95
        deprecated_reason=DEPRECATED_REASON,
2659
96
        deprecated_since=versionutils.deprecated.STEIN
2660
102
    ),
97
    ),
2661
103
    policy.DocumentedRuleDefault(
98
    policy.DocumentedRuleDefault(
2662
104
        name=base.IDENTITY % 'update_identity_provider',
99
        name=base.IDENTITY % 'update_identity_provider',
2663
@@ -107,7 +102,9 @@ identity_provider_policies = [
2664
107
        description='Update identity provider.',
102
        description='Update identity provider.',
2665
108
        operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
103
        operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
2666
109
                     'method': 'PATCH'}],
104
                     'method': 'PATCH'}],
2668
110
        deprecated_rule=deprecated_update_idp),
105
        deprecated_rule=deprecated_update_idp,
2669
106
        deprecated_reason=DEPRECATED_REASON,
2670
107
        deprecated_since=versionutils.deprecated.STEIN),
2671
111
    policy.DocumentedRuleDefault(
108
    policy.DocumentedRuleDefault(
2672
112
        name=base.IDENTITY % 'delete_identity_provider',
109
        name=base.IDENTITY % 'delete_identity_provider',
2673
113
        check_str=base.SYSTEM_ADMIN,
110
        check_str=base.SYSTEM_ADMIN,
2674
@@ -115,7 +112,9 @@ identity_provider_policies = [
2675
115
        description='Delete identity provider.',
112
        description='Delete identity provider.',
2676
116
        operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
113
        operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
2677
117
                     'method': 'DELETE'}],
114
                     'method': 'DELETE'}],
2679
118
        deprecated_rule=deprecated_delete_idp),
115
        deprecated_rule=deprecated_delete_idp,
2680
116
        deprecated_reason=DEPRECATED_REASON,
2681
117
        deprecated_since=versionutils.deprecated.STEIN),
2682
119
]
118
]
2683
120
119
2684
121
120
2685
diff --git a/keystone/common/policies/implied_role.py b/keystone/common/policies/implied_role.py
2686
index 01bcc00..6d164b0 100644
2687
--- a/keystone/common/policies/implied_role.py
2688
+++ b/keystone/common/policies/implied_role.py
2689
@@ -15,45 +15,33 @@ from oslo_policy import policy
2690
15
15
2691
16
from keystone.common.policies import base
16
from keystone.common.policies import base
2692
17
17
2693
18
DEPRECATED_REASON = (
2694
19
    "The implied role API is now aware of system scope and default roles."
2695
20
)
2696
21
2697
22
deprecated_get_implied_role = policy.DeprecatedRule(
18
deprecated_get_implied_role = policy.DeprecatedRule(
2698
23
    name=base.IDENTITY % 'get_implied_role',
19
    name=base.IDENTITY % 'get_implied_role',
2702
24
    check_str=base.RULE_ADMIN_REQUIRED,
20
    check_str=base.RULE_ADMIN_REQUIRED
2700
25
    deprecated_reason=DEPRECATED_REASON,
2701
26
    deprecated_since=versionutils.deprecated.TRAIN
2703
27
)
21
)
2704
28
deprecated_list_implied_roles = policy.DeprecatedRule(
22
deprecated_list_implied_roles = policy.DeprecatedRule(
2705
29
    name=base.IDENTITY % 'list_implied_roles',
23
    name=base.IDENTITY % 'list_implied_roles',
2706
30
    check_str=base.RULE_ADMIN_REQUIRED,
24
    check_str=base.RULE_ADMIN_REQUIRED,
2707
31
    deprecated_reason=DEPRECATED_REASON,
2708
32
    deprecated_since=versionutils.deprecated.TRAIN
2709
33
)
25
)
2710
34
deprecated_list_role_inference_rules = policy.DeprecatedRule(
26
deprecated_list_role_inference_rules = policy.DeprecatedRule(
2711
35
    name=base.IDENTITY % 'list_role_inference_rules',
27
    name=base.IDENTITY % 'list_role_inference_rules',
2712
36
    check_str=base.RULE_ADMIN_REQUIRED,
28
    check_str=base.RULE_ADMIN_REQUIRED,
2713
37
    deprecated_reason=DEPRECATED_REASON,
2714
38
    deprecated_since=versionutils.deprecated.TRAIN
2715
39
)
29
)
2716
40
deprecated_check_implied_role = policy.DeprecatedRule(
30
deprecated_check_implied_role = policy.DeprecatedRule(
2717
41
    name=base.IDENTITY % 'check_implied_role',
31
    name=base.IDENTITY % 'check_implied_role',
2718
42
    check_str=base.RULE_ADMIN_REQUIRED,
32
    check_str=base.RULE_ADMIN_REQUIRED,
2719
43
    deprecated_reason=DEPRECATED_REASON,
2720
44
    deprecated_since=versionutils.deprecated.TRAIN
2721
45
)
33
)
2722
46
deprecated_create_implied_role = policy.DeprecatedRule(
34
deprecated_create_implied_role = policy.DeprecatedRule(
2723
47
    name=base.IDENTITY % 'create_implied_role',
35
    name=base.IDENTITY % 'create_implied_role',
2724
48
    check_str=base.RULE_ADMIN_REQUIRED,
36
    check_str=base.RULE_ADMIN_REQUIRED,
2725
49
    deprecated_reason=DEPRECATED_REASON,
2726
50
    deprecated_since=versionutils.deprecated.TRAIN
2727
51
)
37
)
2728
52
deprecated_delete_implied_role = policy.DeprecatedRule(
38
deprecated_delete_implied_role = policy.DeprecatedRule(
2729
53
    name=base.IDENTITY % 'delete_implied_role',
39
    name=base.IDENTITY % 'delete_implied_role',
2730
54
    check_str=base.RULE_ADMIN_REQUIRED,
40
    check_str=base.RULE_ADMIN_REQUIRED,
2733
55
    deprecated_reason=DEPRECATED_REASON,
41
)
2734
56
    deprecated_since=versionutils.deprecated.TRAIN
42
2735
43
DEPRECATED_REASON = (
2736
44
    "The implied role API is now aware of system scope and default roles."
2737
57
)
45
)
2738
58
46
2739
59
47
2740
@@ -73,7 +61,9 @@ implied_role_policies = [
2741
73
        operations=[
61
        operations=[
2742
74
            {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
62
            {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
2743
75
             'method': 'GET'}],
63
             'method': 'GET'}],
2745
76
        deprecated_rule=deprecated_get_implied_role),
64
        deprecated_rule=deprecated_get_implied_role,
2746
65
        deprecated_reason=DEPRECATED_REASON,
2747
66
        deprecated_since=versionutils.deprecated.TRAIN),
2748
77
    policy.DocumentedRuleDefault(
67
    policy.DocumentedRuleDefault(
2749
78
        name=base.IDENTITY % 'list_implied_roles',
68
        name=base.IDENTITY % 'list_implied_roles',
2750
79
        check_str=base.SYSTEM_READER,
69
        check_str=base.SYSTEM_READER,
2751
@@ -87,7 +77,9 @@ implied_role_policies = [
2752
87
        operations=[
77
        operations=[
2753
88
            {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'GET'},
78
            {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'GET'},
2754
89
            {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'HEAD'}],
79
            {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'HEAD'}],
2756
90
        deprecated_rule=deprecated_list_implied_roles),
80
        deprecated_rule=deprecated_list_implied_roles,
2757
81
        deprecated_reason=DEPRECATED_REASON,
2758
82
        deprecated_since=versionutils.deprecated.TRAIN),
2759
91
    policy.DocumentedRuleDefault(
83
    policy.DocumentedRuleDefault(
2760
92
        name=base.IDENTITY % 'create_implied_role',
84
        name=base.IDENTITY % 'create_implied_role',
2761
93
        check_str=base.SYSTEM_ADMIN,
85
        check_str=base.SYSTEM_ADMIN,
2762
@@ -99,7 +91,9 @@ implied_role_policies = [
2763
99
        operations=[
91
        operations=[
2764
100
            {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
92
            {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
2765
101
             'method': 'PUT'}],
93
             'method': 'PUT'}],
2767
102
        deprecated_rule=deprecated_create_implied_role),
94
        deprecated_rule=deprecated_create_implied_role,
2768
95
        deprecated_reason=DEPRECATED_REASON,
2769
96
        deprecated_since=versionutils.deprecated.TRAIN),
2770
103
    policy.DocumentedRuleDefault(
97
    policy.DocumentedRuleDefault(
2771
104
        name=base.IDENTITY % 'delete_implied_role',
98
        name=base.IDENTITY % 'delete_implied_role',
2772
105
        check_str=base.SYSTEM_ADMIN,
99
        check_str=base.SYSTEM_ADMIN,
2773
@@ -112,7 +106,9 @@ implied_role_policies = [
2774
112
        operations=[
106
        operations=[
2775
113
            {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
107
            {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
2776
114
             'method': 'DELETE'}],
108
             'method': 'DELETE'}],
2778
115
        deprecated_rule=deprecated_delete_implied_role),
109
        deprecated_rule=deprecated_delete_implied_role,
2779
110
        deprecated_reason=DEPRECATED_REASON,
2780
111
        deprecated_since=versionutils.deprecated.TRAIN),
2781
116
    policy.DocumentedRuleDefault(
112
    policy.DocumentedRuleDefault(
2782
117
        name=base.IDENTITY % 'list_role_inference_rules',
113
        name=base.IDENTITY % 'list_role_inference_rules',
2783
118
        check_str=base.SYSTEM_READER,
114
        check_str=base.SYSTEM_READER,
2784
@@ -124,7 +120,9 @@ implied_role_policies = [
2785
124
        operations=[
120
        operations=[
2786
125
            {'path': '/v3/role_inferences', 'method': 'GET'},
121
            {'path': '/v3/role_inferences', 'method': 'GET'},
2787
126
            {'path': '/v3/role_inferences', 'method': 'HEAD'}],
122
            {'path': '/v3/role_inferences', 'method': 'HEAD'}],
2789
127
        deprecated_rule=deprecated_list_role_inference_rules),
123
        deprecated_rule=deprecated_list_role_inference_rules,
2790
124
        deprecated_reason=DEPRECATED_REASON,
2791
125
        deprecated_since=versionutils.deprecated.TRAIN),
2792
128
    policy.DocumentedRuleDefault(
126
    policy.DocumentedRuleDefault(
2793
129
        name=base.IDENTITY % 'check_implied_role',
127
        name=base.IDENTITY % 'check_implied_role',
2794
130
        check_str=base.SYSTEM_READER,
128
        check_str=base.SYSTEM_READER,
2795
@@ -136,7 +134,9 @@ implied_role_policies = [
2796
136
        operations=[
134
        operations=[
2797
137
            {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
135
            {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
2798
138
             'method': 'HEAD'}],
136
             'method': 'HEAD'}],
2800
139
        deprecated_rule=deprecated_check_implied_role),
137
        deprecated_rule=deprecated_check_implied_role,
2801
138
        deprecated_reason=DEPRECATED_REASON,
2802
139
        deprecated_since=versionutils.deprecated.TRAIN),
2803
140
]
140
]
2804
141
141
2805
142
142
2806
diff --git a/keystone/common/policies/mapping.py b/keystone/common/policies/mapping.py
2807
index 6c4f0de..498bc7c 100644
2808
--- a/keystone/common/policies/mapping.py
2809
+++ b/keystone/common/policies/mapping.py
2810
@@ -15,41 +15,30 @@ from oslo_policy import policy
2811
15
15
2812
16
from keystone.common.policies import base
16
from keystone.common.policies import base
2813
17
17
2814
18
DEPRECATED_REASON = (
2815
19
    "The federated mapping API is now aware of system scope and default roles."
2816
20
)
2817
21
2818
22
deprecated_get_mapping = policy.DeprecatedRule(
18
deprecated_get_mapping = policy.DeprecatedRule(
2819
23
    name=base.IDENTITY % 'get_mapping',
19
    name=base.IDENTITY % 'get_mapping',
2823
24
    check_str=base.RULE_ADMIN_REQUIRED,
20
    check_str=base.RULE_ADMIN_REQUIRED
2821
25
    deprecated_reason=DEPRECATED_REASON,
2822
26
    deprecated_since=versionutils.deprecated.STEIN
2824
27
)
21
)
2825
28
deprecated_list_mappings = policy.DeprecatedRule(
22
deprecated_list_mappings = policy.DeprecatedRule(
2826
29
    name=base.IDENTITY % 'list_mappings',
23
    name=base.IDENTITY % 'list_mappings',
2830
30
    check_str=base.RULE_ADMIN_REQUIRED,
24
    check_str=base.RULE_ADMIN_REQUIRED
2828
31
    deprecated_reason=DEPRECATED_REASON,
2829
32
    deprecated_since=versionutils.deprecated.STEIN
2831
33
)
25
)
2832
34
deprecated_update_mapping = policy.DeprecatedRule(
26
deprecated_update_mapping = policy.DeprecatedRule(
2833
35
    name=base.IDENTITY % 'update_mapping',
27
    name=base.IDENTITY % 'update_mapping',
2837
36
    check_str=base.RULE_ADMIN_REQUIRED,
28
    check_str=base.RULE_ADMIN_REQUIRED
2835
37
    deprecated_reason=DEPRECATED_REASON,
2836
38
    deprecated_since=versionutils.deprecated.STEIN
2838
39
)
29
)
2839
40
deprecated_create_mapping = policy.DeprecatedRule(
30
deprecated_create_mapping = policy.DeprecatedRule(
2840
41
    name=base.IDENTITY % 'create_mapping',
31
    name=base.IDENTITY % 'create_mapping',
2844
42
    check_str=base.RULE_ADMIN_REQUIRED,
32
    check_str=base.RULE_ADMIN_REQUIRED
2842
43
    deprecated_reason=DEPRECATED_REASON,
2843
44
    deprecated_since=versionutils.deprecated.STEIN
2845
45
)
33
)
2846
46
deprecated_delete_mapping = policy.DeprecatedRule(
34
deprecated_delete_mapping = policy.DeprecatedRule(
2847
47
    name=base.IDENTITY % 'delete_mapping',
35
    name=base.IDENTITY % 'delete_mapping',
2851
48
    check_str=base.RULE_ADMIN_REQUIRED,
36
    check_str=base.RULE_ADMIN_REQUIRED
2849
49
    deprecated_reason=DEPRECATED_REASON,
2850
50
    deprecated_since=versionutils.deprecated.STEIN
2852
51
)
37
)
2853
52
38
2854
39
DEPRECATED_REASON = (
2855
40
    "The federated mapping API is now aware of system scope and default roles."
2856
41
)
2857
53
42
2858
54
mapping_policies = [
43
mapping_policies = [
2859
55
    policy.DocumentedRuleDefault(
44
    policy.DocumentedRuleDefault(
2860
@@ -66,7 +55,9 @@ mapping_policies = [
2861
66
                     'more sets of rules.'),
55
                     'more sets of rules.'),
2862
67
        operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
56
        operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
2863
68
                     'method': 'PUT'}],
57
                     'method': 'PUT'}],
2865
69
        deprecated_rule=deprecated_create_mapping),
58
        deprecated_rule=deprecated_create_mapping,
2866
59
        deprecated_reason=DEPRECATED_REASON,
2867
60
        deprecated_since=versionutils.deprecated.STEIN),
2868
70
    policy.DocumentedRuleDefault(
61
    policy.DocumentedRuleDefault(
2869
71
        name=base.IDENTITY % 'get_mapping',
62
        name=base.IDENTITY % 'get_mapping',
2870
72
        check_str=base.SYSTEM_READER,
63
        check_str=base.SYSTEM_READER,
2871
@@ -82,7 +73,9 @@ mapping_policies = [
2872
82
                'method': 'HEAD'
73
                'method': 'HEAD'
2873
83
            }
74
            }
2874
84
        ],
75
        ],
2876
85
        deprecated_rule=deprecated_get_mapping
76
        deprecated_rule=deprecated_get_mapping,
2877
77
        deprecated_reason=DEPRECATED_REASON,
2878
78
        deprecated_since=versionutils.deprecated.STEIN
2879
86
    ),
79
    ),
2880
87
    policy.DocumentedRuleDefault(
80
    policy.DocumentedRuleDefault(
2881
88
        name=base.IDENTITY % 'list_mappings',
81
        name=base.IDENTITY % 'list_mappings',
2882
@@ -100,6 +93,8 @@ mapping_policies = [
2883
100
            }
93
            }
2884
101
        ],
94
        ],
2885
102
        deprecated_rule=deprecated_list_mappings,
95
        deprecated_rule=deprecated_list_mappings,
2886
96
        deprecated_reason=DEPRECATED_REASON,
2887
97
        deprecated_since=versionutils.deprecated.STEIN
2888
103
    ),
98
    ),
2889
104
    policy.DocumentedRuleDefault(
99
    policy.DocumentedRuleDefault(
2890
105
        name=base.IDENTITY % 'delete_mapping',
100
        name=base.IDENTITY % 'delete_mapping',
2891
@@ -108,7 +103,9 @@ mapping_policies = [
2892
108
        description='Delete a federated mapping.',
103
        description='Delete a federated mapping.',
2893
109
        operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
104
        operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
2894
110
                     'method': 'DELETE'}],
105
                     'method': 'DELETE'}],
2896
111
        deprecated_rule=deprecated_delete_mapping),
106
        deprecated_rule=deprecated_delete_mapping,
2897
107
        deprecated_reason=DEPRECATED_REASON,
2898
108
        deprecated_since=versionutils.deprecated.STEIN),
2899
112
    policy.DocumentedRuleDefault(
109
    policy.DocumentedRuleDefault(
2900
113
        name=base.IDENTITY % 'update_mapping',
110
        name=base.IDENTITY % 'update_mapping',
2901
114
        check_str=base.SYSTEM_ADMIN,
111
        check_str=base.SYSTEM_ADMIN,
2902
@@ -116,7 +113,9 @@ mapping_policies = [
2903
116
        description='Update a federated mapping.',
113
        description='Update a federated mapping.',
2904
117
        operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
114
        operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
2905
118
                     'method': 'PATCH'}],
115
                     'method': 'PATCH'}],
2907
119
        deprecated_rule=deprecated_update_mapping)
116
        deprecated_rule=deprecated_update_mapping,
2908
117
        deprecated_reason=DEPRECATED_REASON,
2909
118
        deprecated_since=versionutils.deprecated.STEIN)
2910
120
]
119
]
2911
121
120
2912
122
121
2913
diff --git a/keystone/common/policies/policy.py b/keystone/common/policies/policy.py
2914
index 502fa9d..4c912f3 100644
2915
--- a/keystone/common/policies/policy.py
2916
+++ b/keystone/common/policies/policy.py
2917
@@ -15,43 +15,33 @@ from oslo_policy import policy
2918
15
15
2919
16
from keystone.common.policies import base
16
from keystone.common.policies import base
2920
17
17
2921
18
DEPRECATED_REASON = (
2922
19
    "The policy API is now aware of system scope and default roles."
2923
20
)
2924
21
2925
22
deprecated_get_policy = policy.DeprecatedRule(
18
deprecated_get_policy = policy.DeprecatedRule(
2926
23
    name=base.IDENTITY % 'get_policy',
19
    name=base.IDENTITY % 'get_policy',
2927
24
    check_str=base.RULE_ADMIN_REQUIRED,
20
    check_str=base.RULE_ADMIN_REQUIRED,
2928
25
    deprecated_reason=DEPRECATED_REASON,
2929
26
    deprecated_since=versionutils.deprecated.TRAIN
2930
27
)
21
)
2931
28
22
2932
29
deprecated_list_policies = policy.DeprecatedRule(
23
deprecated_list_policies = policy.DeprecatedRule(
2933
30
    name=base.IDENTITY % 'list_policies',
24
    name=base.IDENTITY % 'list_policies',
2934
31
    check_str=base.RULE_ADMIN_REQUIRED,
25
    check_str=base.RULE_ADMIN_REQUIRED,
2935
32
    deprecated_reason=DEPRECATED_REASON,
2936
33
    deprecated_since=versionutils.deprecated.TRAIN
2937
34
)
26
)
2938
35
27
2939
36
deprecated_update_policy = policy.DeprecatedRule(
28
deprecated_update_policy = policy.DeprecatedRule(
2940
37
    name=base.IDENTITY % 'update_policy',
29
    name=base.IDENTITY % 'update_policy',
2941
38
    check_str=base.RULE_ADMIN_REQUIRED,
30
    check_str=base.RULE_ADMIN_REQUIRED,
2942
39
    deprecated_reason=DEPRECATED_REASON,
2943
40
    deprecated_since=versionutils.deprecated.TRAIN
2944
41
)
31
)
2945
42
32
2946
43
deprecated_create_policy = policy.DeprecatedRule(
33
deprecated_create_policy = policy.DeprecatedRule(
2947
44
    name=base.IDENTITY % 'create_policy',
34
    name=base.IDENTITY % 'create_policy',
2948
45
    check_str=base.RULE_ADMIN_REQUIRED,
35
    check_str=base.RULE_ADMIN_REQUIRED,
2949
46
    deprecated_reason=DEPRECATED_REASON,
2950
47
    deprecated_since=versionutils.deprecated.TRAIN
2951
48
)
36
)
2952
49
37
2953
50
deprecated_delete_policy = policy.DeprecatedRule(
38
deprecated_delete_policy = policy.DeprecatedRule(
2954
51
    name=base.IDENTITY % 'delete_policy',
39
    name=base.IDENTITY % 'delete_policy',
2955
52
    check_str=base.RULE_ADMIN_REQUIRED,
40
    check_str=base.RULE_ADMIN_REQUIRED,
2958
53
    deprecated_reason=DEPRECATED_REASON,
41
)
2959
54
    deprecated_since=versionutils.deprecated.TRAIN
42
2960
43
DEPRECATED_REASON = (
2961
44
    "The policy API is now aware of system scope and default roles."
2962
55
)
45
)
2963
56
46
2964
57
47
2965
@@ -65,7 +55,9 @@ policy_policies = [
2966
65
        description='Show policy details.',
55
        description='Show policy details.',
2967
66
        operations=[{'path': '/v3/policies/{policy_id}',
56
        operations=[{'path': '/v3/policies/{policy_id}',
2968
67
                     'method': 'GET'}],
57
                     'method': 'GET'}],
2970
68
        deprecated_rule=deprecated_get_policy),
58
        deprecated_rule=deprecated_get_policy,
2971
59
        deprecated_reason=DEPRECATED_REASON,
2972
60
        deprecated_since=versionutils.deprecated.TRAIN),
2973
69
    policy.DocumentedRuleDefault(
61
    policy.DocumentedRuleDefault(
2974
70
        name=base.IDENTITY % 'list_policies',
62
        name=base.IDENTITY % 'list_policies',
2975
71
        check_str=base.SYSTEM_READER,
63
        check_str=base.SYSTEM_READER,
2976
@@ -73,7 +65,9 @@ policy_policies = [
2977
73
        description='List policies.',
65
        description='List policies.',
2978
74
        operations=[{'path': '/v3/policies',
66
        operations=[{'path': '/v3/policies',
2979
75
                     'method': 'GET'}],
67
                     'method': 'GET'}],
2981
76
        deprecated_rule=deprecated_list_policies),
68
        deprecated_rule=deprecated_list_policies,
2982
69
        deprecated_reason=DEPRECATED_REASON,
2983
70
        deprecated_since=versionutils.deprecated.TRAIN),
2984
77
    policy.DocumentedRuleDefault(
71
    policy.DocumentedRuleDefault(
2985
78
        name=base.IDENTITY % 'create_policy',
72
        name=base.IDENTITY % 'create_policy',
2986
79
        check_str=base.SYSTEM_ADMIN,
73
        check_str=base.SYSTEM_ADMIN,
2987
@@ -81,7 +75,9 @@ policy_policies = [
2988
81
        description='Create policy.',
75
        description='Create policy.',
2989
82
        operations=[{'path': '/v3/policies',
76
        operations=[{'path': '/v3/policies',
2990
83
                     'method': 'POST'}],
77
                     'method': 'POST'}],
2992
84
        deprecated_rule=deprecated_create_policy),
78
        deprecated_rule=deprecated_create_policy,
2993
79
        deprecated_reason=DEPRECATED_REASON,
2994
80
        deprecated_since=versionutils.deprecated.TRAIN),
2995
85
    policy.DocumentedRuleDefault(
81
    policy.DocumentedRuleDefault(
2996
86
        name=base.IDENTITY % 'update_policy',
82
        name=base.IDENTITY % 'update_policy',
2997
87
        check_str=base.SYSTEM_ADMIN,
83
        check_str=base.SYSTEM_ADMIN,
2998
@@ -89,7 +85,9 @@ policy_policies = [
2999
89
        description='Update policy.',
85
        description='Update policy.',
3000
90
        operations=[{'path': '/v3/policies/{policy_id}',
86
        operations=[{'path': '/v3/policies/{policy_id}',
3001
91
                     'method': 'PATCH'}],
87
                     'method': 'PATCH'}],
3003
92
        deprecated_rule=deprecated_update_policy),
88
        deprecated_rule=deprecated_update_policy,
3004
89
        deprecated_reason=DEPRECATED_REASON,
3005
90
        deprecated_since=versionutils.deprecated.TRAIN),
3006
93
    policy.DocumentedRuleDefault(
91
    policy.DocumentedRuleDefault(
3007
94
        name=base.IDENTITY % 'delete_policy',
92
        name=base.IDENTITY % 'delete_policy',
3008
95
        check_str=base.SYSTEM_ADMIN,
93
        check_str=base.SYSTEM_ADMIN,
3009
@@ -97,7 +95,9 @@ policy_policies = [
3010
97
        description='Delete policy.',
95
        description='Delete policy.',
3011
98
        operations=[{'path': '/v3/policies/{policy_id}',
96
        operations=[{'path': '/v3/policies/{policy_id}',
3012
99
                     'method': 'DELETE'}],
97
                     'method': 'DELETE'}],
3014
100
        deprecated_rule=deprecated_delete_policy)
98
        deprecated_rule=deprecated_delete_policy,
3015
99
        deprecated_reason=DEPRECATED_REASON,
3016
100
        deprecated_since=versionutils.deprecated.TRAIN)
3017
101
]
101
]
3018
102
102
3019
103
103
3020
diff --git a/keystone/common/policies/policy_association.py b/keystone/common/policies/policy_association.py
3021
index 1cf6f86..af57900 100644
3022
--- a/keystone/common/policies/policy_association.py
3023
+++ b/keystone/common/policies/policy_association.py
3024
@@ -19,88 +19,65 @@ from keystone.common.policies import base
3025
19
# System-scoped tokens should be required to manage policy associations to
19
# System-scoped tokens should be required to manage policy associations to
3026
20
# existing system-level resources.
20
# existing system-level resources.
3027
21
21
3028
22
DEPRECATED_REASON = (
3029
23
    "The policy association API is now aware of system scope and default "
3030
24
    "roles."
3031
25
)
3032
26
3033
27
deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule(
22
deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule(
3034
28
    name=base.IDENTITY % 'check_policy_association_for_endpoint',
23
    name=base.IDENTITY % 'check_policy_association_for_endpoint',
3035
29
    check_str=base.RULE_ADMIN_REQUIRED,
24
    check_str=base.RULE_ADMIN_REQUIRED,
3036
30
    deprecated_reason=DEPRECATED_REASON,
3037
31
    deprecated_since=versionutils.deprecated.TRAIN
3038
32
)
25
)
3039
33
26
3040
34
deprecated_check_policy_assoc_for_service = policy.DeprecatedRule(
27
deprecated_check_policy_assoc_for_service = policy.DeprecatedRule(
3041
35
    name=base.IDENTITY % 'check_policy_association_for_service',
28
    name=base.IDENTITY % 'check_policy_association_for_service',
3042
36
    check_str=base.RULE_ADMIN_REQUIRED,
29
    check_str=base.RULE_ADMIN_REQUIRED,
3043
37
    deprecated_reason=DEPRECATED_REASON,
3044
38
    deprecated_since=versionutils.deprecated.TRAIN
3045
39
)
30
)
3046
40
31
3047
41
deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule(
32
deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule(
3048
42
    name=base.IDENTITY % 'check_policy_association_for_region_and_service',
33
    name=base.IDENTITY % 'check_policy_association_for_region_and_service',
3049
43
    check_str=base.RULE_ADMIN_REQUIRED,
34
    check_str=base.RULE_ADMIN_REQUIRED,
3050
44
    deprecated_reason=DEPRECATED_REASON,
3051
45
    deprecated_since=versionutils.deprecated.TRAIN
3052
46
)
35
)
3053
47
36
3054
48
deprecated_get_policy_for_endpoint = policy.DeprecatedRule(
37
deprecated_get_policy_for_endpoint = policy.DeprecatedRule(
3055
49
    name=base.IDENTITY % 'get_policy_for_endpoint',
38
    name=base.IDENTITY % 'get_policy_for_endpoint',
3056
50
    check_str=base.RULE_ADMIN_REQUIRED,
39
    check_str=base.RULE_ADMIN_REQUIRED,
3057
51
    deprecated_reason=DEPRECATED_REASON,
3058
52
    deprecated_since=versionutils.deprecated.TRAIN
3059
53
)
40
)
3060
54
41
3061
55
deprecated_list_endpoints_for_policy = policy.DeprecatedRule(
42
deprecated_list_endpoints_for_policy = policy.DeprecatedRule(
3062
56
    name=base.IDENTITY % 'list_endpoints_for_policy',
43
    name=base.IDENTITY % 'list_endpoints_for_policy',
3063
57
    check_str=base.RULE_ADMIN_REQUIRED,
44
    check_str=base.RULE_ADMIN_REQUIRED,
3064
58
    deprecated_reason=DEPRECATED_REASON,
3065
59
    deprecated_since=versionutils.deprecated.TRAIN
3066
60
)
45
)
3067
61
46
3068
62
deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule(
47
deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule(
3069
63
    name=base.IDENTITY % 'create_policy_association_for_endpoint',
48
    name=base.IDENTITY % 'create_policy_association_for_endpoint',
3070
64
    check_str=base.RULE_ADMIN_REQUIRED,
49
    check_str=base.RULE_ADMIN_REQUIRED,
3071
65
    deprecated_reason=DEPRECATED_REASON,
3072
66
    deprecated_since=versionutils.deprecated.TRAIN
3073
67
)
50
)
3074
68
51
3075
69
deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule(
52
deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule(
3076
70
    name=base.IDENTITY % 'delete_policy_association_for_endpoint',
53
    name=base.IDENTITY % 'delete_policy_association_for_endpoint',
3077
71
    check_str=base.RULE_ADMIN_REQUIRED,
54
    check_str=base.RULE_ADMIN_REQUIRED,
3078
72
    deprecated_reason=DEPRECATED_REASON,
3079
73
    deprecated_since=versionutils.deprecated.TRAIN
3080
74
)
55
)
3081
75
56
3082
76
deprecated_create_policy_assoc_for_service = policy.DeprecatedRule(
57
deprecated_create_policy_assoc_for_service = policy.DeprecatedRule(
3083
77
    name=base.IDENTITY % 'create_policy_association_for_service',
58
    name=base.IDENTITY % 'create_policy_association_for_service',
3084
78
    check_str=base.RULE_ADMIN_REQUIRED,
59
    check_str=base.RULE_ADMIN_REQUIRED,
3085
79
    deprecated_reason=DEPRECATED_REASON,
3086
80
    deprecated_since=versionutils.deprecated.TRAIN
3087
81
)
60
)
3088
82
61
3089
83
deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule(
62
deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule(
3090
84
    name=base.IDENTITY % 'delete_policy_association_for_service',
63
    name=base.IDENTITY % 'delete_policy_association_for_service',
3091
85
    check_str=base.RULE_ADMIN_REQUIRED,
64
    check_str=base.RULE_ADMIN_REQUIRED,
3092
86
    deprecated_reason=DEPRECATED_REASON,
3093
87
    deprecated_since=versionutils.deprecated.TRAIN
3094
88
)
65
)
3095
89
66
3096
90
deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule(
67
deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule(
3097
91
    name=base.IDENTITY % 'create_policy_association_for_region_and_service',
68
    name=base.IDENTITY % 'create_policy_association_for_region_and_service',
3098
92
    check_str=base.RULE_ADMIN_REQUIRED,
69
    check_str=base.RULE_ADMIN_REQUIRED,
3099
93
    deprecated_reason=DEPRECATED_REASON,
3100
94
    deprecated_since=versionutils.deprecated.TRAIN
3101
95
)
70
)
3102
96
71
3103
97
deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule(
72
deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule(
3104
98
    name=base.IDENTITY % 'delete_policy_association_for_region_and_service',
73
    name=base.IDENTITY % 'delete_policy_association_for_region_and_service',
3105
99
    check_str=base.RULE_ADMIN_REQUIRED,
74
    check_str=base.RULE_ADMIN_REQUIRED,
3106
100
    deprecated_reason=DEPRECATED_REASON,
3107
101
    deprecated_since=versionutils.deprecated.TRAIN
3108
102
)
75
)
3109
103
76
3110
77
DEPRECATED_REASON = (
3111
78
    "The policy association API is now aware of system scope and default "
3112
79
    "roles."
3113
80
)
3114
104
81
3115
105
policy_association_policies = [
82
policy_association_policies = [
3116
106
    policy.DocumentedRuleDefault(
83
    policy.DocumentedRuleDefault(
3117
@@ -111,7 +88,9 @@ policy_association_policies = [
3118
111
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
88
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
3119
112
                              'endpoints/{endpoint_id}'),
89
                              'endpoints/{endpoint_id}'),
3120
113
                     'method': 'PUT'}],
90
                     'method': 'PUT'}],
3122
114
        deprecated_rule=deprecated_create_policy_assoc_for_endpoint),
91
        deprecated_rule=deprecated_create_policy_assoc_for_endpoint,
3123
92
        deprecated_reason=DEPRECATED_REASON,
3124
93
        deprecated_since=versionutils.deprecated.TRAIN),
3125
115
    policy.DocumentedRuleDefault(
94
    policy.DocumentedRuleDefault(
3126
116
        name=base.IDENTITY % 'check_policy_association_for_endpoint',
95
        name=base.IDENTITY % 'check_policy_association_for_endpoint',
3127
117
        check_str=base.SYSTEM_READER,
96
        check_str=base.SYSTEM_READER,
3128
@@ -123,7 +102,9 @@ policy_association_policies = [
3129
123
                    {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
102
                    {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
3130
124
                              'endpoints/{endpoint_id}'),
103
                              'endpoints/{endpoint_id}'),
3131
125
                     'method': 'HEAD'}],
104
                     'method': 'HEAD'}],
3133
126
        deprecated_rule=deprecated_check_policy_assoc_for_endpoint),
105
        deprecated_rule=deprecated_check_policy_assoc_for_endpoint,
3134
106
        deprecated_reason=DEPRECATED_REASON,
3135
107
        deprecated_since=versionutils.deprecated.TRAIN),
3136
127
    policy.DocumentedRuleDefault(
108
    policy.DocumentedRuleDefault(
3137
128
        name=base.IDENTITY % 'delete_policy_association_for_endpoint',
109
        name=base.IDENTITY % 'delete_policy_association_for_endpoint',
3138
129
        check_str=base.SYSTEM_ADMIN,
110
        check_str=base.SYSTEM_ADMIN,
3139
@@ -132,7 +113,9 @@ policy_association_policies = [
3140
132
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
113
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
3141
133
                              'endpoints/{endpoint_id}'),
114
                              'endpoints/{endpoint_id}'),
3142
134
                     'method': 'DELETE'}],
115
                     'method': 'DELETE'}],
3144
135
        deprecated_rule=deprecated_delete_policy_assoc_for_endpoint),
116
        deprecated_rule=deprecated_delete_policy_assoc_for_endpoint,
3145
117
        deprecated_reason=DEPRECATED_REASON,
3146
118
        deprecated_since=versionutils.deprecated.TRAIN),
3147
136
    policy.DocumentedRuleDefault(
119
    policy.DocumentedRuleDefault(
3148
137
        name=base.IDENTITY % 'create_policy_association_for_service',
120
        name=base.IDENTITY % 'create_policy_association_for_service',
3149
138
        check_str=base.SYSTEM_ADMIN,
121
        check_str=base.SYSTEM_ADMIN,
3150
@@ -141,7 +124,9 @@ policy_association_policies = [
3151
141
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
124
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
3152
142
                              'services/{service_id}'),
125
                              'services/{service_id}'),
3153
143
                     'method': 'PUT'}],
126
                     'method': 'PUT'}],
3155
144
        deprecated_rule=deprecated_create_policy_assoc_for_service),
127
        deprecated_rule=deprecated_create_policy_assoc_for_service,
3156
128
        deprecated_reason=DEPRECATED_REASON,
3157
129
        deprecated_since=versionutils.deprecated.TRAIN),
3158
145
    policy.DocumentedRuleDefault(
130
    policy.DocumentedRuleDefault(
3159
146
        name=base.IDENTITY % 'check_policy_association_for_service',
131
        name=base.IDENTITY % 'check_policy_association_for_service',
3160
147
        check_str=base.SYSTEM_READER,
132
        check_str=base.SYSTEM_READER,
3161
@@ -153,7 +138,9 @@ policy_association_policies = [
3162
153
                    {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
138
                    {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
3163
154
                              'services/{service_id}'),
139
                              'services/{service_id}'),
3164
155
                     'method': 'HEAD'}],
140
                     'method': 'HEAD'}],
3166
156
        deprecated_rule=deprecated_check_policy_assoc_for_service),
141
        deprecated_rule=deprecated_check_policy_assoc_for_service,
3167
142
        deprecated_reason=DEPRECATED_REASON,
3168
143
        deprecated_since=versionutils.deprecated.TRAIN),
3169
157
    policy.DocumentedRuleDefault(
144
    policy.DocumentedRuleDefault(
3170
158
        name=base.IDENTITY % 'delete_policy_association_for_service',
145
        name=base.IDENTITY % 'delete_policy_association_for_service',
3171
159
        check_str=base.SYSTEM_ADMIN,
146
        check_str=base.SYSTEM_ADMIN,
3172
@@ -162,7 +149,9 @@ policy_association_policies = [
3173
162
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
149
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
3174
163
                              'services/{service_id}'),
150
                              'services/{service_id}'),
3175
164
                     'method': 'DELETE'}],
151
                     'method': 'DELETE'}],
3177
165
        deprecated_rule=deprecated_delete_policy_assoc_for_service),
152
        deprecated_rule=deprecated_delete_policy_assoc_for_service,
3178
153
        deprecated_reason=DEPRECATED_REASON,
3179
154
        deprecated_since=versionutils.deprecated.TRAIN),
3180
166
    policy.DocumentedRuleDefault(
155
    policy.DocumentedRuleDefault(
3181
167
        name=base.IDENTITY % (
156
        name=base.IDENTITY % (
3182
168
            'create_policy_association_for_region_and_service'),
157
            'create_policy_association_for_region_and_service'),
3183
@@ -173,7 +162,9 @@ policy_association_policies = [
3184
173
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
162
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
3185
174
                              'services/{service_id}/regions/{region_id}'),
163
                              'services/{service_id}/regions/{region_id}'),
3186
175
                     'method': 'PUT'}],
164
                     'method': 'PUT'}],
3188
176
        deprecated_rule=deprecated_create_policy_assoc_for_region_and_service),
165
        deprecated_rule=deprecated_create_policy_assoc_for_region_and_service,
3189
166
        deprecated_reason=DEPRECATED_REASON,
3190
167
        deprecated_since=versionutils.deprecated.TRAIN),
3191
177
    policy.DocumentedRuleDefault(
168
    policy.DocumentedRuleDefault(
3192
178
        name=base.IDENTITY % 'check_policy_association_for_region_and_service',
169
        name=base.IDENTITY % 'check_policy_association_for_region_and_service',
3193
179
        check_str=base.SYSTEM_READER,
170
        check_str=base.SYSTEM_READER,
3194
@@ -185,7 +176,9 @@ policy_association_policies = [
3195
185
                    {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
176
                    {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
3196
186
                              'services/{service_id}/regions/{region_id}'),
177
                              'services/{service_id}/regions/{region_id}'),
3197
187
                     'method': 'HEAD'}],
178
                     'method': 'HEAD'}],
3199
188
        deprecated_rule=deprecated_check_policy_assoc_for_region_and_service),
179
        deprecated_rule=deprecated_check_policy_assoc_for_region_and_service,
3200
180
        deprecated_reason=DEPRECATED_REASON,
3201
181
        deprecated_since=versionutils.deprecated.TRAIN),
3202
189
    policy.DocumentedRuleDefault(
182
    policy.DocumentedRuleDefault(
3203
190
        name=base.IDENTITY % (
183
        name=base.IDENTITY % (
3204
191
            'delete_policy_association_for_region_and_service'),
184
            'delete_policy_association_for_region_and_service'),
3205
@@ -195,7 +188,9 @@ policy_association_policies = [
3206
195
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
188
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
3207
196
                              'services/{service_id}/regions/{region_id}'),
189
                              'services/{service_id}/regions/{region_id}'),
3208
197
                     'method': 'DELETE'}],
190
                     'method': 'DELETE'}],
3210
198
        deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service),
191
        deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service,
3211
192
        deprecated_reason=DEPRECATED_REASON,
3212
193
        deprecated_since=versionutils.deprecated.TRAIN),
3213
199
    policy.DocumentedRuleDefault(
194
    policy.DocumentedRuleDefault(
3214
200
        name=base.IDENTITY % 'get_policy_for_endpoint',
195
        name=base.IDENTITY % 'get_policy_for_endpoint',
3215
201
        check_str=base.SYSTEM_READER,
196
        check_str=base.SYSTEM_READER,
3216
@@ -207,7 +202,9 @@ policy_association_policies = [
3217
207
                    {'path': ('/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/'
202
                    {'path': ('/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/'
3218
208
                              'policy'),
203
                              'policy'),
3219
209
                     'method': 'HEAD'}],
204
                     'method': 'HEAD'}],
3221
210
        deprecated_rule=deprecated_get_policy_for_endpoint),
205
        deprecated_rule=deprecated_get_policy_for_endpoint,
3222
206
        deprecated_reason=DEPRECATED_REASON,
3223
207
        deprecated_since=versionutils.deprecated.TRAIN),
3224
211
    policy.DocumentedRuleDefault(
208
    policy.DocumentedRuleDefault(
3225
212
        name=base.IDENTITY % 'list_endpoints_for_policy',
209
        name=base.IDENTITY % 'list_endpoints_for_policy',
3226
213
        check_str=base.SYSTEM_READER,
210
        check_str=base.SYSTEM_READER,
3227
@@ -216,7 +213,9 @@ policy_association_policies = [
3228
216
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
213
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
3229
217
                              'endpoints'),
214
                              'endpoints'),
3230
218
                     'method': 'GET'}],
215
                     'method': 'GET'}],
3232
219
        deprecated_rule=deprecated_list_endpoints_for_policy)
216
        deprecated_rule=deprecated_list_endpoints_for_policy,
3233
217
        deprecated_reason=DEPRECATED_REASON,
3234
218
        deprecated_since=versionutils.deprecated.TRAIN)
3235
220
]
219
]
3236
221
220
3237
222
221
3238
diff --git a/keystone/common/policies/project.py b/keystone/common/policies/project.py
3239
index db7cdee..c7b7c0a 100644
3240
--- a/keystone/common/policies/project.py
3241
+++ b/keystone/common/policies/project.py
3242
@@ -52,84 +52,60 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
3243
52
    '(role:admin and domain_id:%(target.project.domain_id)s)'
52
    '(role:admin and domain_id:%(target.project.domain_id)s)'
3244
53
)
53
)
3245
54
54
3246
55
DEPRECATED_REASON = (
3247
56
    "The project API is now aware of system scope and default roles."
3248
57
)
3249
58
3250
59
deprecated_list_projects = policy.DeprecatedRule(
55
deprecated_list_projects = policy.DeprecatedRule(
3251
60
    name=base.IDENTITY % 'list_projects',
56
    name=base.IDENTITY % 'list_projects',
3255
61
    check_str=base.RULE_ADMIN_REQUIRED,
57
    check_str=base.RULE_ADMIN_REQUIRED
3253
62
    deprecated_reason=DEPRECATED_REASON,
3254
63
    deprecated_since=versionutils.deprecated.STEIN
3256
64
)
58
)
3257
65
deprecated_get_project = policy.DeprecatedRule(
59
deprecated_get_project = policy.DeprecatedRule(
3258
66
    name=base.IDENTITY % 'get_project',
60
    name=base.IDENTITY % 'get_project',
3262
67
    check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
61
    check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
3260
68
    deprecated_reason=DEPRECATED_REASON,
3261
69
    deprecated_since=versionutils.deprecated.STEIN
3263
70
)
62
)
3264
71
deprecated_list_user_projects = policy.DeprecatedRule(
63
deprecated_list_user_projects = policy.DeprecatedRule(
3265
72
    name=base.IDENTITY % 'list_user_projects',
64
    name=base.IDENTITY % 'list_user_projects',
3269
73
    check_str=base.RULE_ADMIN_OR_OWNER,
65
    check_str=base.RULE_ADMIN_OR_OWNER
3267
74
    deprecated_reason=DEPRECATED_REASON,
3268
75
    deprecated_since=versionutils.deprecated.STEIN
3270
76
)
66
)
3271
77
deprecated_create_project = policy.DeprecatedRule(
67
deprecated_create_project = policy.DeprecatedRule(
3272
78
    name=base.IDENTITY % 'create_project',
68
    name=base.IDENTITY % 'create_project',
3276
79
    check_str=base.RULE_ADMIN_REQUIRED,
69
    check_str=base.RULE_ADMIN_REQUIRED
3274
80
    deprecated_reason=DEPRECATED_REASON,
3275
81
    deprecated_since=versionutils.deprecated.STEIN
3277
82
)
70
)
3278
83
deprecated_update_project = policy.DeprecatedRule(
71
deprecated_update_project = policy.DeprecatedRule(
3279
84
    name=base.IDENTITY % 'update_project',
72
    name=base.IDENTITY % 'update_project',
3283
85
    check_str=base.RULE_ADMIN_REQUIRED,
73
    check_str=base.RULE_ADMIN_REQUIRED
3281
86
    deprecated_reason=DEPRECATED_REASON,
3282
87
    deprecated_since=versionutils.deprecated.STEIN
3284
88
)
74
)
3285
89
deprecated_delete_project = policy.DeprecatedRule(
75
deprecated_delete_project = policy.DeprecatedRule(
3286
90
    name=base.IDENTITY % 'delete_project',
76
    name=base.IDENTITY % 'delete_project',
3290
91
    check_str=base.RULE_ADMIN_REQUIRED,
77
    check_str=base.RULE_ADMIN_REQUIRED
3288
92
    deprecated_reason=DEPRECATED_REASON,
3289
93
    deprecated_since=versionutils.deprecated.STEIN
3291
94
)
78
)
3292
95
deprecated_list_project_tags = policy.DeprecatedRule(
79
deprecated_list_project_tags = policy.DeprecatedRule(
3293
96
    name=base.IDENTITY % 'list_project_tags',
80
    name=base.IDENTITY % 'list_project_tags',
3297
97
    check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
81
    check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
3295
98
    deprecated_reason=DEPRECATED_REASON,
3296
99
    deprecated_since=versionutils.deprecated.TRAIN
3298
100
)
82
)
3299
101
deprecated_get_project_tag = policy.DeprecatedRule(
83
deprecated_get_project_tag = policy.DeprecatedRule(
3300
102
    name=base.IDENTITY % 'get_project_tag',
84
    name=base.IDENTITY % 'get_project_tag',
3304
103
    check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
85
    check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
3302
104
    deprecated_reason=DEPRECATED_REASON,
3303
105
    deprecated_since=versionutils.deprecated.TRAIN
3305
106
)
86
)
3306
107
deprecated_update_project_tag = policy.DeprecatedRule(
87
deprecated_update_project_tag = policy.DeprecatedRule(
3307
108
    name=base.IDENTITY % 'update_project_tags',
88
    name=base.IDENTITY % 'update_project_tags',
3311
109
    check_str=base.RULE_ADMIN_REQUIRED,
89
    check_str=base.RULE_ADMIN_REQUIRED
3309
110
    deprecated_reason=DEPRECATED_REASON,
3310
111
    deprecated_since=versionutils.deprecated.TRAIN
3312
112
)
90
)
3313
113
deprecated_create_project_tag = policy.DeprecatedRule(
91
deprecated_create_project_tag = policy.DeprecatedRule(
3314
114
    name=base.IDENTITY % 'create_project_tag',
92
    name=base.IDENTITY % 'create_project_tag',
3318
115
    check_str=base.RULE_ADMIN_REQUIRED,
93
    check_str=base.RULE_ADMIN_REQUIRED
3316
116
    deprecated_reason=DEPRECATED_REASON,
3317
117
    deprecated_since=versionutils.deprecated.TRAIN
3319
118
)
94
)
3320
119
deprecated_delete_project_tag = policy.DeprecatedRule(
95
deprecated_delete_project_tag = policy.DeprecatedRule(
3321
120
    name=base.IDENTITY % 'delete_project_tag',
96
    name=base.IDENTITY % 'delete_project_tag',
3325
121
    check_str=base.RULE_ADMIN_REQUIRED,
97
    check_str=base.RULE_ADMIN_REQUIRED
3323
122
    deprecated_reason=DEPRECATED_REASON,
3324
123
    deprecated_since=versionutils.deprecated.TRAIN
3326
124
)
98
)
3327
125
deprecated_delete_project_tags = policy.DeprecatedRule(
99
deprecated_delete_project_tags = policy.DeprecatedRule(
3328
126
    name=base.IDENTITY % 'delete_project_tags',
100
    name=base.IDENTITY % 'delete_project_tags',
3332
127
    check_str=base.RULE_ADMIN_REQUIRED,
101
    check_str=base.RULE_ADMIN_REQUIRED
3330
128
    deprecated_reason=DEPRECATED_REASON,
3331
129
    deprecated_since=versionutils.deprecated.TRAIN
3333
130
)
102
)
3334
131
103
3335
132
104
3336
105
DEPRECATED_REASON = (
3337
106
    "The project API is now aware of system scope and default roles."
3338
107
)
3339
108
3340
133
TAGS_DEPRECATED_REASON = """
109
TAGS_DEPRECATED_REASON = """
3341
134
As of the Train release, the project tags API understands how to handle
110
As of the Train release, the project tags API understands how to handle
3342
135
system-scoped tokens in addition to project and domain tokens, making the API
111
system-scoped tokens in addition to project and domain tokens, making the API
3343
@@ -146,7 +122,9 @@ project_policies = [
3344
146
        description='Show project details.',
122
        description='Show project details.',
3345
147
        operations=[{'path': '/v3/projects/{project_id}',
123
        operations=[{'path': '/v3/projects/{project_id}',
3346
148
                     'method': 'GET'}],
124
                     'method': 'GET'}],
3348
149
        deprecated_rule=deprecated_get_project),
125
        deprecated_rule=deprecated_get_project,
3349
126
        deprecated_reason=DEPRECATED_REASON,
3350
127
        deprecated_since=versionutils.deprecated.STEIN),
3351
150
    policy.DocumentedRuleDefault(
128
    policy.DocumentedRuleDefault(
3352
151
        name=base.IDENTITY % 'list_projects',
129
        name=base.IDENTITY % 'list_projects',
3353
152
        check_str=SYSTEM_READER_OR_DOMAIN_READER,
130
        check_str=SYSTEM_READER_OR_DOMAIN_READER,
3354
@@ -158,7 +136,9 @@ project_policies = [
3355
158
        description='List projects.',
136
        description='List projects.',
3356
159
        operations=[{'path': '/v3/projects',
137
        operations=[{'path': '/v3/projects',
3357
160
                     'method': 'GET'}],
138
                     'method': 'GET'}],
3359
161
        deprecated_rule=deprecated_list_projects),
139
        deprecated_rule=deprecated_list_projects,
3360
140
        deprecated_reason=DEPRECATED_REASON,
3361
141
        deprecated_since=versionutils.deprecated.STEIN),
3362
162
    policy.DocumentedRuleDefault(
142
    policy.DocumentedRuleDefault(
3363
163
        name=base.IDENTITY % 'list_user_projects',
143
        name=base.IDENTITY % 'list_user_projects',
3364
164
        check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER,
144
        check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER,
3365
@@ -166,7 +146,9 @@ project_policies = [
3366
166
        description='List projects for user.',
146
        description='List projects for user.',
3367
167
        operations=[{'path': '/v3/users/{user_id}/projects',
147
        operations=[{'path': '/v3/users/{user_id}/projects',
3368
168
                     'method': 'GET'}],
148
                     'method': 'GET'}],
3370
169
        deprecated_rule=deprecated_list_user_projects),
149
        deprecated_rule=deprecated_list_user_projects,
3371
150
        deprecated_reason=DEPRECATED_REASON,
3372
151
        deprecated_since=versionutils.deprecated.STEIN),
3373
170
    policy.DocumentedRuleDefault(
152
    policy.DocumentedRuleDefault(
3374
171
        name=base.IDENTITY % 'create_project',
153
        name=base.IDENTITY % 'create_project',
3375
172
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
154
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
3376
@@ -174,7 +156,9 @@ project_policies = [
3377
174
        description='Create project.',
156
        description='Create project.',
3378
175
        operations=[{'path': '/v3/projects',
157
        operations=[{'path': '/v3/projects',
3379
176
                     'method': 'POST'}],
158
                     'method': 'POST'}],
3381
177
        deprecated_rule=deprecated_create_project),
159
        deprecated_rule=deprecated_create_project,
3382
160
        deprecated_reason=DEPRECATED_REASON,
3383
161
        deprecated_since=versionutils.deprecated.STEIN),
3384
178
    policy.DocumentedRuleDefault(
162
    policy.DocumentedRuleDefault(
3385
179
        name=base.IDENTITY % 'update_project',
163
        name=base.IDENTITY % 'update_project',
3386
180
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
164
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
3387
@@ -182,7 +166,9 @@ project_policies = [
3388
182
        description='Update project.',
166
        description='Update project.',
3389
183
        operations=[{'path': '/v3/projects/{project_id}',
167
        operations=[{'path': '/v3/projects/{project_id}',
3390
184
                     'method': 'PATCH'}],
168
                     'method': 'PATCH'}],
3392
185
        deprecated_rule=deprecated_update_project),
169
        deprecated_rule=deprecated_update_project,
3393
170
        deprecated_reason=DEPRECATED_REASON,
3394
171
        deprecated_since=versionutils.deprecated.STEIN),
3395
186
    policy.DocumentedRuleDefault(
172
    policy.DocumentedRuleDefault(
3396
187
        name=base.IDENTITY % 'delete_project',
173
        name=base.IDENTITY % 'delete_project',
3397
188
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
174
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
3398
@@ -190,7 +176,9 @@ project_policies = [
3399
190
        description='Delete project.',
176
        description='Delete project.',
3400
191
        operations=[{'path': '/v3/projects/{project_id}',
177
        operations=[{'path': '/v3/projects/{project_id}',
3401
192
                     'method': 'DELETE'}],
178
                     'method': 'DELETE'}],
3403
193
        deprecated_rule=deprecated_delete_project),
179
        deprecated_rule=deprecated_delete_project,
3404
180
        deprecated_reason=DEPRECATED_REASON,
3405
181
        deprecated_since=versionutils.deprecated.STEIN),
3406
194
    policy.DocumentedRuleDefault(
182
    policy.DocumentedRuleDefault(
3407
195
        name=base.IDENTITY % 'list_project_tags',
183
        name=base.IDENTITY % 'list_project_tags',
3408
196
        check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
184
        check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
3409
@@ -200,7 +188,9 @@ project_policies = [
3410
200
                     'method': 'GET'},
188
                     'method': 'GET'},
3411
201
                    {'path': '/v3/projects/{project_id}/tags',
189
                    {'path': '/v3/projects/{project_id}/tags',
3412
202
                     'method': 'HEAD'}],
190
                     'method': 'HEAD'}],
3414
203
        deprecated_rule=deprecated_list_project_tags),
191
        deprecated_rule=deprecated_list_project_tags,
3415
192
        deprecated_reason=TAGS_DEPRECATED_REASON,
3416
193
        deprecated_since=versionutils.deprecated.TRAIN),
3417
204
    policy.DocumentedRuleDefault(
194
    policy.DocumentedRuleDefault(
3418
205
        name=base.IDENTITY % 'get_project_tag',
195
        name=base.IDENTITY % 'get_project_tag',
3419
206
        check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
196
        check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
3420
@@ -210,7 +200,9 @@ project_policies = [
3421
210
                     'method': 'GET'},
200
                     'method': 'GET'},
3422
211
                    {'path': '/v3/projects/{project_id}/tags/{value}',
201
                    {'path': '/v3/projects/{project_id}/tags/{value}',
3423
212
                     'method': 'HEAD'}],
202
                     'method': 'HEAD'}],
3425
213
        deprecated_rule=deprecated_get_project_tag),
203
        deprecated_rule=deprecated_get_project_tag,
3426
204
        deprecated_reason=TAGS_DEPRECATED_REASON,
3427
205
        deprecated_since=versionutils.deprecated.TRAIN),
3428
214
    policy.DocumentedRuleDefault(
206
    policy.DocumentedRuleDefault(
3429
215
        name=base.IDENTITY % 'update_project_tags',
207
        name=base.IDENTITY % 'update_project_tags',
3430
216
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
208
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
3431
@@ -218,7 +210,9 @@ project_policies = [
3432
218
        description='Replace all tags on a project with the new set of tags.',
210
        description='Replace all tags on a project with the new set of tags.',
3433
219
        operations=[{'path': '/v3/projects/{project_id}/tags',
211
        operations=[{'path': '/v3/projects/{project_id}/tags',
3434
220
                     'method': 'PUT'}],
212
                     'method': 'PUT'}],
3436
221
        deprecated_rule=deprecated_update_project_tag),
213
        deprecated_rule=deprecated_update_project_tag,
3437
214
        deprecated_reason=TAGS_DEPRECATED_REASON,
3438
215
        deprecated_since=versionutils.deprecated.TRAIN),
3439
222
    policy.DocumentedRuleDefault(
216
    policy.DocumentedRuleDefault(
3440
223
        name=base.IDENTITY % 'create_project_tag',
217
        name=base.IDENTITY % 'create_project_tag',
3441
224
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
218
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
3442
@@ -226,7 +220,9 @@ project_policies = [
3443
226
        description='Add a single tag to a project.',
220
        description='Add a single tag to a project.',
3444
227
        operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
221
        operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
3445
228
                     'method': 'PUT'}],
222
                     'method': 'PUT'}],
3447
229
        deprecated_rule=deprecated_create_project_tag),
223
        deprecated_rule=deprecated_create_project_tag,
3448
224
        deprecated_reason=TAGS_DEPRECATED_REASON,
3449
225
        deprecated_since=versionutils.deprecated.TRAIN),
3450
230
    policy.DocumentedRuleDefault(
226
    policy.DocumentedRuleDefault(
3451
231
        name=base.IDENTITY % 'delete_project_tags',
227
        name=base.IDENTITY % 'delete_project_tags',
3452
232
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
228
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
3453
@@ -234,7 +230,9 @@ project_policies = [
3454
234
        description='Remove all tags from a project.',
230
        description='Remove all tags from a project.',
3455
235
        operations=[{'path': '/v3/projects/{project_id}/tags',
231
        operations=[{'path': '/v3/projects/{project_id}/tags',
3456
236
                     'method': 'DELETE'}],
232
                     'method': 'DELETE'}],
3458
237
        deprecated_rule=deprecated_delete_project_tags),
233
        deprecated_rule=deprecated_delete_project_tags,
3459
234
        deprecated_reason=TAGS_DEPRECATED_REASON,
3460
235
        deprecated_since=versionutils.deprecated.TRAIN),
3461
238
    policy.DocumentedRuleDefault(
236
    policy.DocumentedRuleDefault(
3462
239
        name=base.IDENTITY % 'delete_project_tag',
237
        name=base.IDENTITY % 'delete_project_tag',
3463
240
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
238
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
3464
@@ -242,7 +240,9 @@ project_policies = [
3465
242
        description='Delete a specified tag from project.',
240
        description='Delete a specified tag from project.',
3466
243
        operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
241
        operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
3467
244
                     'method': 'DELETE'}],
242
                     'method': 'DELETE'}],
3469
245
        deprecated_rule=deprecated_delete_project_tag)
243
        deprecated_rule=deprecated_delete_project_tag,
3470
244
        deprecated_reason=TAGS_DEPRECATED_REASON,
3471
245
        deprecated_since=versionutils.deprecated.TRAIN)
3472
246
]
246
]
3473
247
247
3474
248
248
3475
diff --git a/keystone/common/policies/project_endpoint.py b/keystone/common/policies/project_endpoint.py
3476
index 86a020e..c04cddd 100644
3477
--- a/keystone/common/policies/project_endpoint.py
3478
+++ b/keystone/common/policies/project_endpoint.py
3479
@@ -15,49 +15,39 @@ from oslo_policy import policy
3480
15
15
3481
16
from keystone.common.policies import base
16
from keystone.common.policies import base
3482
17
17
3483
18
DEPRECATED_REASON = """
3484
19
As of the Train release, the project endpoint API now understands default
3485
20
roles and system-scoped tokens, making the API more granular by default without
3486
21
compromising security. The new policy defaults account for these changes
3487
22
automatically. Be sure to take these new defaults into consideration if you are
3488
23
relying on overrides in your deployment for the project endpoint API.
3489
24
"""
3490
25
3491
26
deprecated_list_projects_for_endpoint = policy.DeprecatedRule(
18
deprecated_list_projects_for_endpoint = policy.DeprecatedRule(
3492
27
    name=base.IDENTITY % 'list_projects_for_endpoint',
19
    name=base.IDENTITY % 'list_projects_for_endpoint',
3493
28
    check_str=base.RULE_ADMIN_REQUIRED,
20
    check_str=base.RULE_ADMIN_REQUIRED,
3494
29
    deprecated_reason=DEPRECATED_REASON,
3495
30
    deprecated_since=versionutils.deprecated.TRAIN
3496
31
)
21
)
3497
32
22
3498
33
deprecated_add_endpoint_to_project = policy.DeprecatedRule(
23
deprecated_add_endpoint_to_project = policy.DeprecatedRule(
3499
34
    name=base.IDENTITY % 'add_endpoint_to_project',
24
    name=base.IDENTITY % 'add_endpoint_to_project',
3500
35
    check_str=base.RULE_ADMIN_REQUIRED,
25
    check_str=base.RULE_ADMIN_REQUIRED,
3501
36
    deprecated_reason=DEPRECATED_REASON,
3502
37
    deprecated_since=versionutils.deprecated.TRAIN
3503
38
)
26
)
3504
39
27
3505
40
deprecated_check_endpoint_in_project = policy.DeprecatedRule(
28
deprecated_check_endpoint_in_project = policy.DeprecatedRule(
3506
41
    name=base.IDENTITY % 'check_endpoint_in_project',
29
    name=base.IDENTITY % 'check_endpoint_in_project',
3507
42
    check_str=base.RULE_ADMIN_REQUIRED,
30
    check_str=base.RULE_ADMIN_REQUIRED,
3508
43
    deprecated_reason=DEPRECATED_REASON,
3509
44
    deprecated_since=versionutils.deprecated.TRAIN
3510
45
)
31
)
3511
46
32
3512
47
deprecated_list_endpoints_for_project = policy.DeprecatedRule(
33
deprecated_list_endpoints_for_project = policy.DeprecatedRule(
3513
48
    name=base.IDENTITY % 'list_endpoints_for_project',
34
    name=base.IDENTITY % 'list_endpoints_for_project',
3514
49
    check_str=base.RULE_ADMIN_REQUIRED,
35
    check_str=base.RULE_ADMIN_REQUIRED,
3515
50
    deprecated_reason=DEPRECATED_REASON,
3516
51
    deprecated_since=versionutils.deprecated.TRAIN
3517
52
)
36
)
3518
53
37
3519
54
deprecated_remove_endpoint_from_project = policy.DeprecatedRule(
38
deprecated_remove_endpoint_from_project = policy.DeprecatedRule(
3520
55
    name=base.IDENTITY % 'remove_endpoint_from_project',
39
    name=base.IDENTITY % 'remove_endpoint_from_project',
3521
56
    check_str=base.RULE_ADMIN_REQUIRED,
40
    check_str=base.RULE_ADMIN_REQUIRED,
3522
57
    deprecated_reason=DEPRECATED_REASON,
3523
58
    deprecated_since=versionutils.deprecated.TRAIN
3524
59
)
41
)
3525
60
42
3526
43
DEPRECATED_REASON = """
3527
44
As of the Train release, the project endpoint API now understands default
3528
45
roles and system-scoped tokens, making the API more granular by default without
3529
46
compromising security. The new policy defaults account for these changes
3530
47
automatically. Be sure to take these new defaults into consideration if you are
3531
48
relying on overrides in your deployment for the project endpoint API.
3532
49
"""
3533
50
3534
61
51
3535
62
project_endpoint_policies = [
52
project_endpoint_policies = [
3536
63
53
3537
@@ -73,7 +63,9 @@ project_endpoint_policies = [
3538
73
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/'
63
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/'
3539
74
                              'projects'),
64
                              'projects'),
3540
75
                     'method': 'GET'}],
65
                     'method': 'GET'}],
3542
76
        deprecated_rule=deprecated_list_projects_for_endpoint),
66
        deprecated_rule=deprecated_list_projects_for_endpoint,
3543
67
        deprecated_reason=DEPRECATED_REASON,
3544
68
        deprecated_since=versionutils.deprecated.TRAIN),
3545
77
    policy.DocumentedRuleDefault(
69
    policy.DocumentedRuleDefault(
3546
78
        name=base.IDENTITY % 'add_endpoint_to_project',
70
        name=base.IDENTITY % 'add_endpoint_to_project',
3547
79
        check_str=base.SYSTEM_ADMIN,
71
        check_str=base.SYSTEM_ADMIN,
3548
@@ -82,7 +74,9 @@ project_endpoint_policies = [
3549
82
        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
74
        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
3550
83
                              'endpoints/{endpoint_id}'),
75
                              'endpoints/{endpoint_id}'),
3551
84
                     'method': 'PUT'}],
76
                     'method': 'PUT'}],
3553
85
        deprecated_rule=deprecated_add_endpoint_to_project),
77
        deprecated_rule=deprecated_add_endpoint_to_project,
3554
78
        deprecated_reason=DEPRECATED_REASON,
3555
79
        deprecated_since=versionutils.deprecated.TRAIN),
3556
86
    policy.DocumentedRuleDefault(
80
    policy.DocumentedRuleDefault(
3557
87
        name=base.IDENTITY % 'check_endpoint_in_project',
81
        name=base.IDENTITY % 'check_endpoint_in_project',
3558
88
        check_str=base.SYSTEM_READER,
82
        check_str=base.SYSTEM_READER,
3559
@@ -94,7 +88,9 @@ project_endpoint_policies = [
3560
94
                    {'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
88
                    {'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
3561
95
                              'endpoints/{endpoint_id}'),
89
                              'endpoints/{endpoint_id}'),
3562
96
                     'method': 'HEAD'}],
90
                     'method': 'HEAD'}],
3564
97
        deprecated_rule=deprecated_check_endpoint_in_project),
91
        deprecated_rule=deprecated_check_endpoint_in_project,
3565
92
        deprecated_reason=DEPRECATED_REASON,
3566
93
        deprecated_since=versionutils.deprecated.TRAIN),
3567
98
    policy.DocumentedRuleDefault(
94
    policy.DocumentedRuleDefault(
3568
99
        name=base.IDENTITY % 'list_endpoints_for_project',
95
        name=base.IDENTITY % 'list_endpoints_for_project',
3569
100
        check_str=base.SYSTEM_READER,
96
        check_str=base.SYSTEM_READER,
3570
@@ -103,7 +99,9 @@ project_endpoint_policies = [
3571
103
        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
99
        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
3572
104
                              'endpoints'),
100
                              'endpoints'),
3573
105
                     'method': 'GET'}],
101
                     'method': 'GET'}],
3575
106
        deprecated_rule=deprecated_list_endpoints_for_project),
102
        deprecated_rule=deprecated_list_endpoints_for_project,
3576
103
        deprecated_reason=DEPRECATED_REASON,
3577
104
        deprecated_since=versionutils.deprecated.TRAIN),
3578
107
    policy.DocumentedRuleDefault(
105
    policy.DocumentedRuleDefault(
3579
108
        name=base.IDENTITY % 'remove_endpoint_from_project',
106
        name=base.IDENTITY % 'remove_endpoint_from_project',
3580
109
        check_str=base.SYSTEM_ADMIN,
107
        check_str=base.SYSTEM_ADMIN,
3581
@@ -113,7 +111,9 @@ project_endpoint_policies = [
3582
113
        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
111
        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
3583
114
                              'endpoints/{endpoint_id}'),
112
                              'endpoints/{endpoint_id}'),
3584
115
                     'method': 'DELETE'}],
113
                     'method': 'DELETE'}],
3586
116
        deprecated_rule=deprecated_remove_endpoint_from_project),
114
        deprecated_rule=deprecated_remove_endpoint_from_project,
3587
115
        deprecated_reason=DEPRECATED_REASON,
3588
116
        deprecated_since=versionutils.deprecated.TRAIN),
3589
117
]
117
]
3590
118
118
3591
119
119
3592
diff --git a/keystone/common/policies/protocol.py b/keystone/common/policies/protocol.py
3593
index 887fc70..de2a729 100644
3594
--- a/keystone/common/policies/protocol.py
3595
+++ b/keystone/common/policies/protocol.py
3596
@@ -15,42 +15,31 @@ from oslo_policy import policy
3597
15
15
3598
16
from keystone.common.policies import base
16
from keystone.common.policies import base
3599
17
17
3600
18
DEPRECATED_REASON = (
3601
19
    "The federated protocol API is now aware of system scope and default "
3602
20
    "roles."
3603
21
)
3604
22
3605
23
deprecated_get_protocol = policy.DeprecatedRule(
18
deprecated_get_protocol = policy.DeprecatedRule(
3606
24
    name=base.IDENTITY % 'get_protocol',
19
    name=base.IDENTITY % 'get_protocol',
3610
25
    check_str=base.RULE_ADMIN_REQUIRED,
20
    check_str=base.RULE_ADMIN_REQUIRED
3608
26
    deprecated_reason=DEPRECATED_REASON,
3609
27
    deprecated_since=versionutils.deprecated.STEIN
3611
28
)
21
)
3612
29
deprecated_list_protocols = policy.DeprecatedRule(
22
deprecated_list_protocols = policy.DeprecatedRule(
3613
30
    name=base.IDENTITY % 'list_protocols',
23
    name=base.IDENTITY % 'list_protocols',
3617
31
    check_str=base.RULE_ADMIN_REQUIRED,
24
    check_str=base.RULE_ADMIN_REQUIRED
3615
32
    deprecated_reason=DEPRECATED_REASON,
3616
33
    deprecated_since=versionutils.deprecated.STEIN
3618
34
)
25
)
3619
35
deprecated_update_protocol = policy.DeprecatedRule(
26
deprecated_update_protocol = policy.DeprecatedRule(
3620
36
    name=base.IDENTITY % 'update_protocol',
27
    name=base.IDENTITY % 'update_protocol',
3624
37
    check_str=base.RULE_ADMIN_REQUIRED,
28
    check_str=base.RULE_ADMIN_REQUIRED
3622
38
    deprecated_reason=DEPRECATED_REASON,
3623
39
    deprecated_since=versionutils.deprecated.STEIN
3625
40
)
29
)
3626
41
deprecated_create_protocol = policy.DeprecatedRule(
30
deprecated_create_protocol = policy.DeprecatedRule(
3627
42
    name=base.IDENTITY % 'create_protocol',
31
    name=base.IDENTITY % 'create_protocol',
3631
43
    check_str=base.RULE_ADMIN_REQUIRED,
32
    check_str=base.RULE_ADMIN_REQUIRED
3629
44
    deprecated_reason=DEPRECATED_REASON,
3630
45
    deprecated_since=versionutils.deprecated.STEIN
3632
46
)
33
)
3633
47
deprecated_delete_protocol = policy.DeprecatedRule(
34
deprecated_delete_protocol = policy.DeprecatedRule(
3634
48
    name=base.IDENTITY % 'delete_protocol',
35
    name=base.IDENTITY % 'delete_protocol',
3638
49
    check_str=base.RULE_ADMIN_REQUIRED,
36
    check_str=base.RULE_ADMIN_REQUIRED
3636
50
    deprecated_reason=DEPRECATED_REASON,
3637
51
    deprecated_since=versionutils.deprecated.STEIN
3639
52
)
37
)
3640
53
38
3641
39
DEPRECATED_REASON = (
3642
40
    "The federated protocol API is now aware of system scope and default "
3643
41
    "roles."
3644
42
)
3645
54
43
3646
55
protocol_policies = [
44
protocol_policies = [
3647
56
    policy.DocumentedRuleDefault(
45
    policy.DocumentedRuleDefault(
3648
@@ -64,7 +53,9 @@ protocol_policies = [
3649
64
        operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
53
        operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
3650
65
                              'protocols/{protocol_id}'),
54
                              'protocols/{protocol_id}'),
3651
66
                     'method': 'PUT'}],
55
                     'method': 'PUT'}],
3653
67
        deprecated_rule=deprecated_create_protocol),
56
        deprecated_rule=deprecated_create_protocol,
3654
57
        deprecated_reason=DEPRECATED_REASON,
3655
58
        deprecated_since=versionutils.deprecated.STEIN),
3656
68
    policy.DocumentedRuleDefault(
59
    policy.DocumentedRuleDefault(
3657
69
        name=base.IDENTITY % 'update_protocol',
60
        name=base.IDENTITY % 'update_protocol',
3658
70
        check_str=base.SYSTEM_ADMIN,
61
        check_str=base.SYSTEM_ADMIN,
3659
@@ -73,7 +64,9 @@ protocol_policies = [
3660
73
        operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
64
        operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
3661
74
                              'protocols/{protocol_id}'),
65
                              'protocols/{protocol_id}'),
3662
75
                     'method': 'PATCH'}],
66
                     'method': 'PATCH'}],
3664
76
        deprecated_rule=deprecated_update_protocol),
67
        deprecated_rule=deprecated_update_protocol,
3665
68
        deprecated_reason=DEPRECATED_REASON,
3666
69
        deprecated_since=versionutils.deprecated.STEIN),
3667
77
    policy.DocumentedRuleDefault(
70
    policy.DocumentedRuleDefault(
3668
78
        name=base.IDENTITY % 'get_protocol',
71
        name=base.IDENTITY % 'get_protocol',
3669
79
        check_str=base.SYSTEM_READER,
72
        check_str=base.SYSTEM_READER,
3670
@@ -82,7 +75,9 @@ protocol_policies = [
3671
82
        operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
75
        operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
3672
83
                              'protocols/{protocol_id}'),
76
                              'protocols/{protocol_id}'),
3673
84
                     'method': 'GET'}],
77
                     'method': 'GET'}],
3675
85
        deprecated_rule=deprecated_get_protocol),
78
        deprecated_rule=deprecated_get_protocol,
3676
79
        deprecated_reason=DEPRECATED_REASON,
3677
80
        deprecated_since=versionutils.deprecated.STEIN),
3678
86
    policy.DocumentedRuleDefault(
81
    policy.DocumentedRuleDefault(
3679
87
        name=base.IDENTITY % 'list_protocols',
82
        name=base.IDENTITY % 'list_protocols',
3680
88
        check_str=base.SYSTEM_READER,
83
        check_str=base.SYSTEM_READER,
3681
@@ -91,7 +86,9 @@ protocol_policies = [
3682
91
        operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
86
        operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
3683
92
                              'protocols'),
87
                              'protocols'),
3684
93
                     'method': 'GET'}],
88
                     'method': 'GET'}],
3686
94
        deprecated_rule=deprecated_list_protocols),
89
        deprecated_rule=deprecated_list_protocols,
3687
90
        deprecated_reason=DEPRECATED_REASON,
3688
91
        deprecated_since=versionutils.deprecated.STEIN),
3689
95
    policy.DocumentedRuleDefault(
92
    policy.DocumentedRuleDefault(
3690
96
        name=base.IDENTITY % 'delete_protocol',
93
        name=base.IDENTITY % 'delete_protocol',
3691
97
        check_str=base.SYSTEM_ADMIN,
94
        check_str=base.SYSTEM_ADMIN,
3692
@@ -100,7 +97,9 @@ protocol_policies = [
3693
100
        operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
97
        operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
3694
101
                              'protocols/{protocol_id}'),
98
                              'protocols/{protocol_id}'),
3695
102
                     'method': 'DELETE'}],
99
                     'method': 'DELETE'}],
3697
103
        deprecated_rule=deprecated_delete_protocol)
100
        deprecated_rule=deprecated_delete_protocol,
3698
101
        deprecated_reason=DEPRECATED_REASON,
3699
102
        deprecated_since=versionutils.deprecated.STEIN)
3700
104
]
103
]
3701
105
104
3702
106
105
3703
diff --git a/keystone/common/policies/region.py b/keystone/common/policies/region.py
3704
index f13299d..bf60f8f 100644
3705
--- a/keystone/common/policies/region.py
3706
+++ b/keystone/common/policies/region.py
3707
@@ -15,29 +15,22 @@ from oslo_policy import policy
3708
15
15
3709
16
from keystone.common.policies import base
16
from keystone.common.policies import base
3710
17
17
3711
18
DEPRECATED_REASON = (
3712
19
    "The region API is now aware of system scope and default roles."
3713
20
)
3714
21
3715
22
deprecated_create_region = policy.DeprecatedRule(
18
deprecated_create_region = policy.DeprecatedRule(
3716
23
    name=base.IDENTITY % 'create_region',
19
    name=base.IDENTITY % 'create_region',
3720
24
    check_str=base.RULE_ADMIN_REQUIRED,
20
    check_str=base.RULE_ADMIN_REQUIRED
3718
25
    deprecated_reason=DEPRECATED_REASON,
3719
26
    deprecated_since=versionutils.deprecated.STEIN
3721
27
)
21
)
3722
28
deprecated_update_region = policy.DeprecatedRule(
22
deprecated_update_region = policy.DeprecatedRule(
3723
29
    name=base.IDENTITY % 'update_region',
23
    name=base.IDENTITY % 'update_region',
3727
30
    check_str=base.RULE_ADMIN_REQUIRED,
24
    check_str=base.RULE_ADMIN_REQUIRED
3725
31
    deprecated_reason=DEPRECATED_REASON,
3726
32
    deprecated_since=versionutils.deprecated.STEIN
3728
33
)
25
)
3729
34
deprecated_delete_region = policy.DeprecatedRule(
26
deprecated_delete_region = policy.DeprecatedRule(
3730
35
    name=base.IDENTITY % 'delete_region',
27
    name=base.IDENTITY % 'delete_region',
3734
36
    check_str=base.RULE_ADMIN_REQUIRED,
28
    check_str=base.RULE_ADMIN_REQUIRED
3732
37
    deprecated_reason=DEPRECATED_REASON,
3733
38
    deprecated_since=versionutils.deprecated.STEIN
3735
39
)
29
)
3736
40
30
3737
31
DEPRECATED_REASON = (
3738
32
    "The region API is now aware of system scope and default roles."
3739
33
)
3740
41
34
3741
42
region_policies = [
35
region_policies = [
3742
43
    policy.DocumentedRuleDefault(
36
    policy.DocumentedRuleDefault(
3743
@@ -73,7 +66,9 @@ region_policies = [
3744
73
                     'method': 'POST'},
66
                     'method': 'POST'},
3745
74
                    {'path': '/v3/regions/{region_id}',
67
                    {'path': '/v3/regions/{region_id}',
3746
75
                     'method': 'PUT'}],
68
                     'method': 'PUT'}],
3748
76
        deprecated_rule=deprecated_create_region),
69
        deprecated_rule=deprecated_create_region,
3749
70
        deprecated_reason=DEPRECATED_REASON,
3750
71
        deprecated_since=versionutils.deprecated.STEIN),
3751
77
    policy.DocumentedRuleDefault(
72
    policy.DocumentedRuleDefault(
3752
78
        name=base.IDENTITY % 'update_region',
73
        name=base.IDENTITY % 'update_region',
3753
79
        check_str=base.SYSTEM_ADMIN,
74
        check_str=base.SYSTEM_ADMIN,
3754
@@ -81,7 +76,9 @@ region_policies = [
3755
81
        description='Update region.',
76
        description='Update region.',
3756
82
        operations=[{'path': '/v3/regions/{region_id}',
77
        operations=[{'path': '/v3/regions/{region_id}',
3757
83
                     'method': 'PATCH'}],
78
                     'method': 'PATCH'}],
3759
84
        deprecated_rule=deprecated_update_region),
79
        deprecated_rule=deprecated_update_region,
3760
80
        deprecated_reason=DEPRECATED_REASON,
3761
81
        deprecated_since=versionutils.deprecated.STEIN),
3762
85
    policy.DocumentedRuleDefault(
82
    policy.DocumentedRuleDefault(
3763
86
        name=base.IDENTITY % 'delete_region',
83
        name=base.IDENTITY % 'delete_region',
3764
87
        check_str=base.SYSTEM_ADMIN,
84
        check_str=base.SYSTEM_ADMIN,
3765
@@ -89,7 +86,9 @@ region_policies = [
3766
89
        description='Delete region.',
86
        description='Delete region.',
3767
90
        operations=[{'path': '/v3/regions/{region_id}',
87
        operations=[{'path': '/v3/regions/{region_id}',
3768
91
                     'method': 'DELETE'}],
88
                     'method': 'DELETE'}],
3770
92
        deprecated_rule=deprecated_delete_region),
89
        deprecated_rule=deprecated_delete_region,
3771
90
        deprecated_reason=DEPRECATED_REASON,
3772
91
        deprecated_since=versionutils.deprecated.STEIN),
3773
93
]
92
]
3774
94
93
3775
95
94
3776
diff --git a/keystone/common/policies/role.py b/keystone/common/policies/role.py
3777
index b372efb..7d6a38e 100644
3778
--- a/keystone/common/policies/role.py
3779
+++ b/keystone/common/policies/role.py
3780
@@ -15,71 +15,50 @@ from oslo_policy import policy
3781
15
15
3782
16
from keystone.common.policies import base
16
from keystone.common.policies import base
3783
17
17
3784
18
DEPRECATED_REASON = (
3785
19
    "The role API is now aware of system scope and default roles."
3786
20
)
3787
21
3788
22
deprecated_get_role = policy.DeprecatedRule(
18
deprecated_get_role = policy.DeprecatedRule(
3789
23
    name=base.IDENTITY % 'get_role',
19
    name=base.IDENTITY % 'get_role',
3793
24
    check_str=base.RULE_ADMIN_REQUIRED,
20
    check_str=base.RULE_ADMIN_REQUIRED
3791
25
    deprecated_reason=DEPRECATED_REASON,
3792
26
    deprecated_since=versionutils.deprecated.STEIN
3794
27
)
21
)
3795
28
deprecated_list_role = policy.DeprecatedRule(
22
deprecated_list_role = policy.DeprecatedRule(
3796
29
    name=base.IDENTITY % 'list_roles',
23
    name=base.IDENTITY % 'list_roles',
3800
30
    check_str=base.RULE_ADMIN_REQUIRED,
24
    check_str=base.RULE_ADMIN_REQUIRED
3798
31
    deprecated_reason=DEPRECATED_REASON,
3799
32
    deprecated_since=versionutils.deprecated.STEIN
3801
33
)
25
)
3802
34
deprecated_update_role = policy.DeprecatedRule(
26
deprecated_update_role = policy.DeprecatedRule(
3803
35
    name=base.IDENTITY % 'update_role',
27
    name=base.IDENTITY % 'update_role',
3807
36
    check_str=base.RULE_ADMIN_REQUIRED,
28
    check_str=base.RULE_ADMIN_REQUIRED
3805
37
    deprecated_reason=DEPRECATED_REASON,
3806
38
    deprecated_since=versionutils.deprecated.STEIN
3808
39
)
29
)
3809
40
deprecated_create_role = policy.DeprecatedRule(
30
deprecated_create_role = policy.DeprecatedRule(
3810
41
    name=base.IDENTITY % 'create_role',
31
    name=base.IDENTITY % 'create_role',
3814
42
    check_str=base.RULE_ADMIN_REQUIRED,
32
    check_str=base.RULE_ADMIN_REQUIRED
3812
43
    deprecated_reason=DEPRECATED_REASON,
3813
44
    deprecated_since=versionutils.deprecated.STEIN
3815
45
)
33
)
3816
46
deprecated_delete_role = policy.DeprecatedRule(
34
deprecated_delete_role = policy.DeprecatedRule(
3817
47
    name=base.IDENTITY % 'delete_role',
35
    name=base.IDENTITY % 'delete_role',
3821
48
    check_str=base.RULE_ADMIN_REQUIRED,
36
    check_str=base.RULE_ADMIN_REQUIRED
3819
49
    deprecated_reason=DEPRECATED_REASON,
3820
50
    deprecated_since=versionutils.deprecated.STEIN
3822
51
)
37
)
3823
52
deprecated_get_domain_role = policy.DeprecatedRule(
38
deprecated_get_domain_role = policy.DeprecatedRule(
3824
53
    name=base.IDENTITY % 'get_domain_role',
39
    name=base.IDENTITY % 'get_domain_role',
3828
54
    check_str=base.RULE_ADMIN_REQUIRED,
40
    check_str=base.RULE_ADMIN_REQUIRED
3826
55
    deprecated_reason=DEPRECATED_REASON,
3827
56
    deprecated_since=versionutils.deprecated.TRAIN
3829
57
)
41
)
3830
58
deprecated_list_domain_roles = policy.DeprecatedRule(
42
deprecated_list_domain_roles = policy.DeprecatedRule(
3831
59
    name=base.IDENTITY % 'list_domain_roles',
43
    name=base.IDENTITY % 'list_domain_roles',
3835
60
    check_str=base.RULE_ADMIN_REQUIRED,
44
    check_str=base.RULE_ADMIN_REQUIRED
3833
61
    deprecated_reason=DEPRECATED_REASON,
3834
62
    deprecated_since=versionutils.deprecated.TRAIN
3836
63
)
45
)
3837
64
deprecated_update_domain_role = policy.DeprecatedRule(
46
deprecated_update_domain_role = policy.DeprecatedRule(
3838
65
    name=base.IDENTITY % 'update_domain_role',
47
    name=base.IDENTITY % 'update_domain_role',
3842
66
    check_str=base.RULE_ADMIN_REQUIRED,
48
    check_str=base.RULE_ADMIN_REQUIRED
3840
67
    deprecated_reason=DEPRECATED_REASON,
3841
68
    deprecated_since=versionutils.deprecated.TRAIN
3843
69
)
49
)
3844
70
deprecated_create_domain_role = policy.DeprecatedRule(
50
deprecated_create_domain_role = policy.DeprecatedRule(
3845
71
    name=base.IDENTITY % 'create_domain_role',
51
    name=base.IDENTITY % 'create_domain_role',
3849
72
    check_str=base.RULE_ADMIN_REQUIRED,
52
    check_str=base.RULE_ADMIN_REQUIRED
3847
73
    deprecated_reason=DEPRECATED_REASON,
3848
74
    deprecated_since=versionutils.deprecated.TRAIN
3850
75
)
53
)
3851
76
deprecated_delete_domain_role = policy.DeprecatedRule(
54
deprecated_delete_domain_role = policy.DeprecatedRule(
3852
77
    name=base.IDENTITY % 'delete_domain_role',
55
    name=base.IDENTITY % 'delete_domain_role',
3856
78
    check_str=base.RULE_ADMIN_REQUIRED,
56
    check_str=base.RULE_ADMIN_REQUIRED
3854
79
    deprecated_reason=DEPRECATED_REASON,
3855
80
    deprecated_since=versionutils.deprecated.TRAIN
3857
81
)
57
)
3858
82
58
3859
59
DEPRECATED_REASON = (
3860
60
    "The role API is now aware of system scope and default roles."
3861
61
)
3862
83
62
3863
84
role_policies = [
63
role_policies = [
3864
85
    policy.DocumentedRuleDefault(
64
    policy.DocumentedRuleDefault(
3865
@@ -96,7 +75,9 @@ role_policies = [
3866
96
                     'method': 'GET'},
75
                     'method': 'GET'},
3867
97
                    {'path': '/v3/roles/{role_id}',
76
                    {'path': '/v3/roles/{role_id}',
3868
98
                     'method': 'HEAD'}],
77
                     'method': 'HEAD'}],
3870
99
        deprecated_rule=deprecated_get_role),
78
        deprecated_rule=deprecated_get_role,
3871
79
        deprecated_reason=DEPRECATED_REASON,
3872
80
        deprecated_since=versionutils.deprecated.STEIN),
3873
100
    policy.DocumentedRuleDefault(
81
    policy.DocumentedRuleDefault(
3874
101
        name=base.IDENTITY % 'list_roles',
82
        name=base.IDENTITY % 'list_roles',
3875
102
        check_str=base.SYSTEM_READER,
83
        check_str=base.SYSTEM_READER,
3876
@@ -106,7 +87,9 @@ role_policies = [
3877
106
                     'method': 'GET'},
87
                     'method': 'GET'},
3878
107
                    {'path': '/v3/roles',
88
                    {'path': '/v3/roles',
3879
108
                     'method': 'HEAD'}],
89
                     'method': 'HEAD'}],
3881
109
        deprecated_rule=deprecated_list_role),
90
        deprecated_rule=deprecated_list_role,
3882
91
        deprecated_reason=DEPRECATED_REASON,
3883
92
        deprecated_since=versionutils.deprecated.STEIN),
3884
110
    policy.DocumentedRuleDefault(
93
    policy.DocumentedRuleDefault(
3885
111
        name=base.IDENTITY % 'create_role',
94
        name=base.IDENTITY % 'create_role',
3886
112
        check_str=base.SYSTEM_ADMIN,
95
        check_str=base.SYSTEM_ADMIN,
3887
@@ -114,7 +97,9 @@ role_policies = [
3888
114
        description='Create role.',
97
        description='Create role.',
3889
115
        operations=[{'path': '/v3/roles',
98
        operations=[{'path': '/v3/roles',
3890
116
                     'method': 'POST'}],
99
                     'method': 'POST'}],
3892
117
        deprecated_rule=deprecated_create_role),
100
        deprecated_rule=deprecated_create_role,
3893
101
        deprecated_reason=DEPRECATED_REASON,
3894
102
        deprecated_since=versionutils.deprecated.STEIN),
3895
118
    policy.DocumentedRuleDefault(
103
    policy.DocumentedRuleDefault(
3896
119
        name=base.IDENTITY % 'update_role',
104
        name=base.IDENTITY % 'update_role',
3897
120
        check_str=base.SYSTEM_ADMIN,
105
        check_str=base.SYSTEM_ADMIN,
3898
@@ -122,7 +107,9 @@ role_policies = [
3899
122
        description='Update role.',
107
        description='Update role.',
3900
123
        operations=[{'path': '/v3/roles/{role_id}',
108
        operations=[{'path': '/v3/roles/{role_id}',
3901
124
                     'method': 'PATCH'}],
109
                     'method': 'PATCH'}],
3903
125
        deprecated_rule=deprecated_update_role),
110
        deprecated_rule=deprecated_update_role,
3904
111
        deprecated_reason=DEPRECATED_REASON,
3905
112
        deprecated_since=versionutils.deprecated.STEIN),
3906
126
    policy.DocumentedRuleDefault(
113
    policy.DocumentedRuleDefault(
3907
127
        name=base.IDENTITY % 'delete_role',
114
        name=base.IDENTITY % 'delete_role',
3908
128
        check_str=base.SYSTEM_ADMIN,
115
        check_str=base.SYSTEM_ADMIN,
3909
@@ -130,7 +117,9 @@ role_policies = [
3910
130
        description='Delete role.',
117
        description='Delete role.',
3911
131
        operations=[{'path': '/v3/roles/{role_id}',
118
        operations=[{'path': '/v3/roles/{role_id}',
3912
132
                     'method': 'DELETE'}],
119
                     'method': 'DELETE'}],
3914
133
        deprecated_rule=deprecated_delete_role),
120
        deprecated_rule=deprecated_delete_role,
3915
121
        deprecated_reason=DEPRECATED_REASON,
3916
122
        deprecated_since=versionutils.deprecated.STEIN),
3917
134
    policy.DocumentedRuleDefault(
123
    policy.DocumentedRuleDefault(
3918
135
        name=base.IDENTITY % 'get_domain_role',
124
        name=base.IDENTITY % 'get_domain_role',
3919
136
        check_str=base.SYSTEM_READER,
125
        check_str=base.SYSTEM_READER,
3920
@@ -145,7 +134,9 @@ role_policies = [
3921
145
                     'method': 'GET'},
134
                     'method': 'GET'},
3922
146
                    {'path': '/v3/roles/{role_id}',
135
                    {'path': '/v3/roles/{role_id}',
3923
147
                     'method': 'HEAD'}],
136
                     'method': 'HEAD'}],
3925
148
        deprecated_rule=deprecated_get_domain_role),
137
        deprecated_rule=deprecated_get_domain_role,
3926
138
        deprecated_reason=DEPRECATED_REASON,
3927
139
        deprecated_since=versionutils.deprecated.TRAIN),
3928
149
    policy.DocumentedRuleDefault(
140
    policy.DocumentedRuleDefault(
3929
150
        name=base.IDENTITY % 'list_domain_roles',
141
        name=base.IDENTITY % 'list_domain_roles',
3930
151
        check_str=base.SYSTEM_READER,
142
        check_str=base.SYSTEM_READER,
3931
@@ -155,7 +146,9 @@ role_policies = [
3932
155
                     'method': 'GET'},
146
                     'method': 'GET'},
3933
156
                    {'path': '/v3/roles?domain_id={domain_id}',
147
                    {'path': '/v3/roles?domain_id={domain_id}',
3934
157
                     'method': 'HEAD'}],
148
                     'method': 'HEAD'}],
3936
158
        deprecated_rule=deprecated_list_domain_roles),
149
        deprecated_rule=deprecated_list_domain_roles,
3937
150
        deprecated_reason=DEPRECATED_REASON,
3938
151
        deprecated_since=versionutils.deprecated.TRAIN),
3939
159
    policy.DocumentedRuleDefault(
152
    policy.DocumentedRuleDefault(
3940
160
        name=base.IDENTITY % 'create_domain_role',
153
        name=base.IDENTITY % 'create_domain_role',
3941
161
        check_str=base.SYSTEM_ADMIN,
154
        check_str=base.SYSTEM_ADMIN,
3942
@@ -163,7 +156,9 @@ role_policies = [
3943
163
        scope_types=['system'],
156
        scope_types=['system'],
3944
164
        operations=[{'path': '/v3/roles',
157
        operations=[{'path': '/v3/roles',
3945
165
                     'method': 'POST'}],
158
                     'method': 'POST'}],
3947
166
        deprecated_rule=deprecated_create_domain_role),
159
        deprecated_rule=deprecated_create_domain_role,
3948
160
        deprecated_reason=DEPRECATED_REASON,
3949
161
        deprecated_since=versionutils.deprecated.TRAIN),
3950
167
    policy.DocumentedRuleDefault(
162
    policy.DocumentedRuleDefault(
3951
168
        name=base.IDENTITY % 'update_domain_role',
163
        name=base.IDENTITY % 'update_domain_role',
3952
169
        check_str=base.SYSTEM_ADMIN,
164
        check_str=base.SYSTEM_ADMIN,
3953
@@ -171,7 +166,9 @@ role_policies = [
3954
171
        scope_types=['system'],
166
        scope_types=['system'],
3955
172
        operations=[{'path': '/v3/roles/{role_id}',
167
        operations=[{'path': '/v3/roles/{role_id}',
3956
173
                     'method': 'PATCH'}],
168
                     'method': 'PATCH'}],
3958
174
        deprecated_rule=deprecated_update_domain_role),
169
        deprecated_rule=deprecated_update_domain_role,
3959
170
        deprecated_reason=DEPRECATED_REASON,
3960
171
        deprecated_since=versionutils.deprecated.TRAIN),
3961
175
    policy.DocumentedRuleDefault(
172
    policy.DocumentedRuleDefault(
3962
176
        name=base.IDENTITY % 'delete_domain_role',
173
        name=base.IDENTITY % 'delete_domain_role',
3963
177
        check_str=base.SYSTEM_ADMIN,
174
        check_str=base.SYSTEM_ADMIN,
3964
@@ -179,7 +176,9 @@ role_policies = [
3965
179
        scope_types=['system'],
176
        scope_types=['system'],
3966
180
        operations=[{'path': '/v3/roles/{role_id}',
177
        operations=[{'path': '/v3/roles/{role_id}',
3967
181
                     'method': 'DELETE'}],
178
                     'method': 'DELETE'}],
3969
182
        deprecated_rule=deprecated_delete_domain_role)
179
        deprecated_rule=deprecated_delete_domain_role,
3970
180
        deprecated_reason=DEPRECATED_REASON,
3971
181
        deprecated_since=versionutils.deprecated.TRAIN)
3972
183
]
182
]
3973
184
183
3974
185
184
3975
diff --git a/keystone/common/policies/role_assignment.py b/keystone/common/policies/role_assignment.py
3976
index 5dea3dc..c70f292 100644
3977
--- a/keystone/common/policies/role_assignment.py
3978
+++ b/keystone/common/policies/role_assignment.py
3979
@@ -25,23 +25,18 @@ SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN = (
3980
25
    '(role:admin and project_id:%(target.project.id)s)'
25
    '(role:admin and project_id:%(target.project.id)s)'
3981
26
)
26
)
3982
27
27
3983
28
DEPRECATED_REASON = (
3984
29
    "The assignment API is now aware of system scope and default roles."
3985
30
)
3986
31
3987
32
deprecated_list_role_assignments = policy.DeprecatedRule(
28
deprecated_list_role_assignments = policy.DeprecatedRule(
3988
33
    name=base.IDENTITY % 'list_role_assignments',
29
    name=base.IDENTITY % 'list_role_assignments',
3992
34
    check_str=base.RULE_ADMIN_REQUIRED,
30
    check_str=base.RULE_ADMIN_REQUIRED
3990
35
    deprecated_reason=DEPRECATED_REASON,
3991
36
    deprecated_since=versionutils.deprecated.STEIN
3993
37
)
31
)
3994
38
deprecated_list_role_assignments_for_tree = policy.DeprecatedRule(
32
deprecated_list_role_assignments_for_tree = policy.DeprecatedRule(
3995
39
    name=base.IDENTITY % 'list_role_assignments_for_tree',
33
    name=base.IDENTITY % 'list_role_assignments_for_tree',
3999
40
    check_str=base.RULE_ADMIN_REQUIRED,
34
    check_str=base.RULE_ADMIN_REQUIRED
3997
41
    deprecated_reason=DEPRECATED_REASON,
3998
42
    deprecated_since=versionutils.deprecated.TRAIN
4000
43
)
35
)
4001
44
36
4002
37
DEPRECATED_REASON = (
4003
38
    "The assignment API is now aware of system scope and default roles."
4004
39
)
4005
45
40
4006
46
role_assignment_policies = [
41
role_assignment_policies = [
4007
47
    policy.DocumentedRuleDefault(
42
    policy.DocumentedRuleDefault(
4008
@@ -53,7 +48,9 @@ role_assignment_policies = [
4009
53
                     'method': 'GET'},
48
                     'method': 'GET'},
4010
54
                    {'path': '/v3/role_assignments',
49
                    {'path': '/v3/role_assignments',
4011
55
                     'method': 'HEAD'}],
50
                     'method': 'HEAD'}],
4013
56
        deprecated_rule=deprecated_list_role_assignments),
51
        deprecated_rule=deprecated_list_role_assignments,
4014
52
        deprecated_reason=DEPRECATED_REASON,
4015
53
        deprecated_since=versionutils.deprecated.STEIN),
4016
57
    policy.DocumentedRuleDefault(
54
    policy.DocumentedRuleDefault(
4017
58
        name=base.IDENTITY % 'list_role_assignments_for_tree',
55
        name=base.IDENTITY % 'list_role_assignments_for_tree',
4018
59
        check_str=SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN,
56
        check_str=SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN,
4019
@@ -64,7 +61,9 @@ role_assignment_policies = [
4020
64
                     'method': 'GET'},
61
                     'method': 'GET'},
4021
65
                    {'path': '/v3/role_assignments?include_subtree',
62
                    {'path': '/v3/role_assignments?include_subtree',
4022
66
                     'method': 'HEAD'}],
63
                     'method': 'HEAD'}],
4024
67
        deprecated_rule=deprecated_list_role_assignments_for_tree),
64
        deprecated_rule=deprecated_list_role_assignments_for_tree,
4025
65
        deprecated_reason=DEPRECATED_REASON,
4026
66
        deprecated_since=versionutils.deprecated.TRAIN),
4027
68
67
4028
69
]
68
]
4029
70
69
4030
diff --git a/keystone/common/policies/service.py b/keystone/common/policies/service.py
4031
index 0287076..66d3aaa 100644
4032
--- a/keystone/common/policies/service.py
4033
+++ b/keystone/common/policies/service.py
4034
@@ -15,41 +15,30 @@ from oslo_policy import policy
4035
15
15
4036
16
from keystone.common.policies import base
16
from keystone.common.policies import base
4037
17
17
4038
18
DEPRECATED_REASON = (
4039
19
    "The service API is now aware of system scope and default roles."
4040
20
)
4041
21
4042
22
deprecated_get_service = policy.DeprecatedRule(
18
deprecated_get_service = policy.DeprecatedRule(
4043
23
    name=base.IDENTITY % 'get_service',
19
    name=base.IDENTITY % 'get_service',
4047
24
    check_str=base.RULE_ADMIN_REQUIRED,
20
    check_str=base.RULE_ADMIN_REQUIRED
4045
25
    deprecated_reason=DEPRECATED_REASON,
4046
26
    deprecated_since=versionutils.deprecated.STEIN
4048
27
)
21
)
4049
28
deprecated_list_service = policy.DeprecatedRule(
22
deprecated_list_service = policy.DeprecatedRule(
4050
29
    name=base.IDENTITY % 'list_services',
23
    name=base.IDENTITY % 'list_services',
4054
30
    check_str=base.RULE_ADMIN_REQUIRED,
24
    check_str=base.RULE_ADMIN_REQUIRED
4052
31
    deprecated_reason=DEPRECATED_REASON,
4053
32
    deprecated_since=versionutils.deprecated.STEIN
4055
33
)
25
)
4056
34
deprecated_update_service = policy.DeprecatedRule(
26
deprecated_update_service = policy.DeprecatedRule(
4057
35
    name=base.IDENTITY % 'update_service',
27
    name=base.IDENTITY % 'update_service',
4061
36
    check_str=base.RULE_ADMIN_REQUIRED,
28
    check_str=base.RULE_ADMIN_REQUIRED
4059
37
    deprecated_reason=DEPRECATED_REASON,
4060
38
    deprecated_since=versionutils.deprecated.STEIN
4062
39
)
29
)
4063
40
deprecated_create_service = policy.DeprecatedRule(
30
deprecated_create_service = policy.DeprecatedRule(
4064
41
    name=base.IDENTITY % 'create_service',
31
    name=base.IDENTITY % 'create_service',
4068
42
    check_str=base.RULE_ADMIN_REQUIRED,
32
    check_str=base.RULE_ADMIN_REQUIRED
4066
43
    deprecated_reason=DEPRECATED_REASON,
4067
44
    deprecated_since=versionutils.deprecated.STEIN
4069
45
)
33
)
4070
46
deprecated_delete_service = policy.DeprecatedRule(
34
deprecated_delete_service = policy.DeprecatedRule(
4071
47
    name=base.IDENTITY % 'delete_service',
35
    name=base.IDENTITY % 'delete_service',
4075
48
    check_str=base.RULE_ADMIN_REQUIRED,
36
    check_str=base.RULE_ADMIN_REQUIRED
4073
49
    deprecated_reason=DEPRECATED_REASON,
4074
50
    deprecated_since=versionutils.deprecated.STEIN
4076
51
)
37
)
4077
52
38
4078
39
DEPRECATED_REASON = (
4079
40
    "The service API is now aware of system scope and default roles."
4080
41
)
4081
53
42
4082
54
service_policies = [
43
service_policies = [
4083
55
    policy.DocumentedRuleDefault(
44
    policy.DocumentedRuleDefault(
4084
@@ -59,7 +48,9 @@ service_policies = [
4085
59
        description='Show service details.',
48
        description='Show service details.',
4086
60
        operations=[{'path': '/v3/services/{service_id}',
49
        operations=[{'path': '/v3/services/{service_id}',
4087
61
                     'method': 'GET'}],
50
                     'method': 'GET'}],
4089
62
        deprecated_rule=deprecated_get_service),
51
        deprecated_rule=deprecated_get_service,
4090
52
        deprecated_reason=DEPRECATED_REASON,
4091
53
        deprecated_since=versionutils.deprecated.STEIN),
4092
63
    policy.DocumentedRuleDefault(
54
    policy.DocumentedRuleDefault(
4093
64
        name=base.IDENTITY % 'list_services',
55
        name=base.IDENTITY % 'list_services',
4094
65
        check_str=base.SYSTEM_READER,
56
        check_str=base.SYSTEM_READER,
4095
@@ -67,7 +58,9 @@ service_policies = [
4096
67
        description='List services.',
58
        description='List services.',
4097
68
        operations=[{'path': '/v3/services',
59
        operations=[{'path': '/v3/services',
4098
69
                     'method': 'GET'}],
60
                     'method': 'GET'}],
4100
70
        deprecated_rule=deprecated_list_service),
61
        deprecated_rule=deprecated_list_service,
4101
62
        deprecated_reason=DEPRECATED_REASON,
4102
63
        deprecated_since=versionutils.deprecated.STEIN),
4103
71
    policy.DocumentedRuleDefault(
64
    policy.DocumentedRuleDefault(
4104
72
        name=base.IDENTITY % 'create_service',
65
        name=base.IDENTITY % 'create_service',
4105
73
        check_str=base.SYSTEM_ADMIN,
66
        check_str=base.SYSTEM_ADMIN,
4106
@@ -75,7 +68,9 @@ service_policies = [
4107
75
        description='Create service.',
68
        description='Create service.',
4108
76
        operations=[{'path': '/v3/services',
69
        operations=[{'path': '/v3/services',
4109
77
                     'method': 'POST'}],
70
                     'method': 'POST'}],
4111
78
        deprecated_rule=deprecated_create_service),
71
        deprecated_rule=deprecated_create_service,
4112
72
        deprecated_reason=DEPRECATED_REASON,
4113
73
        deprecated_since=versionutils.deprecated.STEIN),
4114
79
    policy.DocumentedRuleDefault(
74
    policy.DocumentedRuleDefault(
4115
80
        name=base.IDENTITY % 'update_service',
75
        name=base.IDENTITY % 'update_service',
4116
81
        check_str=base.SYSTEM_ADMIN,
76
        check_str=base.SYSTEM_ADMIN,
4117
@@ -83,7 +78,9 @@ service_policies = [
4118
83
        description='Update service.',
78
        description='Update service.',
4119
84
        operations=[{'path': '/v3/services/{service_id}',
79
        operations=[{'path': '/v3/services/{service_id}',
4120
85
                     'method': 'PATCH'}],
80
                     'method': 'PATCH'}],
4122
86
        deprecated_rule=deprecated_update_service),
81
        deprecated_rule=deprecated_update_service,
4123
82
        deprecated_reason=DEPRECATED_REASON,
4124
83
        deprecated_since=versionutils.deprecated.STEIN),
4125
87
    policy.DocumentedRuleDefault(
84
    policy.DocumentedRuleDefault(
4126
88
        name=base.IDENTITY % 'delete_service',
85
        name=base.IDENTITY % 'delete_service',
4127
89
        check_str=base.SYSTEM_ADMIN,
86
        check_str=base.SYSTEM_ADMIN,
4128
@@ -91,7 +88,9 @@ service_policies = [
4129
91
        description='Delete service.',
88
        description='Delete service.',
4130
92
        operations=[{'path': '/v3/services/{service_id}',
89
        operations=[{'path': '/v3/services/{service_id}',
4131
93
                     'method': 'DELETE'}],
90
                     'method': 'DELETE'}],
4133
94
        deprecated_rule=deprecated_delete_service)
91
        deprecated_rule=deprecated_delete_service,
4134
92
        deprecated_reason=DEPRECATED_REASON,
4135
93
        deprecated_since=versionutils.deprecated.STEIN)
4136
95
]
94
]
4137
96
95
4138
97
96
4139
diff --git a/keystone/common/policies/service_provider.py b/keystone/common/policies/service_provider.py
4140
index 657368a..4d0e3cb 100644
4141
--- a/keystone/common/policies/service_provider.py
4142
+++ b/keystone/common/policies/service_provider.py
4143
@@ -15,41 +15,30 @@ from oslo_policy import policy
4144
15
15
4145
16
from keystone.common.policies import base
16
from keystone.common.policies import base
4146
17
17
4147
18
DEPRECATED_REASON = (
4148
19
    "The service provider API is now aware of system scope and default roles."
4149
20
)
4150
21
4151
22
deprecated_get_sp = policy.DeprecatedRule(
18
deprecated_get_sp = policy.DeprecatedRule(
4152
23
    name=base.IDENTITY % 'get_service_provider',
19
    name=base.IDENTITY % 'get_service_provider',
4156
24
    check_str=base.RULE_ADMIN_REQUIRED,
20
    check_str=base.RULE_ADMIN_REQUIRED
4154
25
    deprecated_reason=DEPRECATED_REASON,
4155
26
    deprecated_since=versionutils.deprecated.STEIN
4157
27
)
21
)
4158
28
deprecated_list_sp = policy.DeprecatedRule(
22
deprecated_list_sp = policy.DeprecatedRule(
4159
29
    name=base.IDENTITY % 'list_service_providers',
23
    name=base.IDENTITY % 'list_service_providers',
4163
30
    check_str=base.RULE_ADMIN_REQUIRED,
24
    check_str=base.RULE_ADMIN_REQUIRED
4161
31
    deprecated_reason=DEPRECATED_REASON,
4162
32
    deprecated_since=versionutils.deprecated.STEIN
4164
33
)
25
)
4165
34
deprecated_update_sp = policy.DeprecatedRule(
26
deprecated_update_sp = policy.DeprecatedRule(
4166
35
    name=base.IDENTITY % 'update_service_provider',
27
    name=base.IDENTITY % 'update_service_provider',
4170
36
    check_str=base.RULE_ADMIN_REQUIRED,
28
    check_str=base.RULE_ADMIN_REQUIRED
4168
37
    deprecated_reason=DEPRECATED_REASON,
4169
38
    deprecated_since=versionutils.deprecated.STEIN
4171
39
)
29
)
4172
40
deprecated_create_sp = policy.DeprecatedRule(
30
deprecated_create_sp = policy.DeprecatedRule(
4173
41
    name=base.IDENTITY % 'create_service_provider',
31
    name=base.IDENTITY % 'create_service_provider',
4177
42
    check_str=base.RULE_ADMIN_REQUIRED,
32
    check_str=base.RULE_ADMIN_REQUIRED
4175
43
    deprecated_reason=DEPRECATED_REASON,
4176
44
    deprecated_since=versionutils.deprecated.STEIN
4178
45
)
33
)
4179
46
deprecated_delete_sp = policy.DeprecatedRule(
34
deprecated_delete_sp = policy.DeprecatedRule(
4180
47
    name=base.IDENTITY % 'delete_service_provider',
35
    name=base.IDENTITY % 'delete_service_provider',
4184
48
    check_str=base.RULE_ADMIN_REQUIRED,
36
    check_str=base.RULE_ADMIN_REQUIRED
4182
49
    deprecated_reason=DEPRECATED_REASON,
4183
50
    deprecated_since=versionutils.deprecated.STEIN
4185
51
)
37
)
4186
52
38
4187
39
DEPRECATED_REASON = (
4188
40
    "The service provider API is now aware of system scope and default roles."
4189
41
)
4190
53
42
4191
54
service_provider_policies = [
43
service_provider_policies = [
4192
55
    policy.DocumentedRuleDefault(
44
    policy.DocumentedRuleDefault(
4193
@@ -66,7 +55,9 @@ service_provider_policies = [
4194
66
        operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
55
        operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
4195
67
                              '{service_provider_id}'),
56
                              '{service_provider_id}'),
4196
68
                     'method': 'PUT'}],
57
                     'method': 'PUT'}],
4198
69
        deprecated_rule=deprecated_create_sp),
58
        deprecated_rule=deprecated_create_sp,
4199
59
        deprecated_reason=DEPRECATED_REASON,
4200
60
        deprecated_since=versionutils.deprecated.STEIN),
4201
70
    policy.DocumentedRuleDefault(
61
    policy.DocumentedRuleDefault(
4202
71
        name=base.IDENTITY % 'list_service_providers',
62
        name=base.IDENTITY % 'list_service_providers',
4203
72
        check_str=base.SYSTEM_READER,
63
        check_str=base.SYSTEM_READER,
4204
@@ -82,7 +73,9 @@ service_provider_policies = [
4205
82
                'method': 'HEAD'
73
                'method': 'HEAD'
4206
83
            }
74
            }
4207
84
        ],
75
        ],
4209
85
        deprecated_rule=deprecated_list_sp
76
        deprecated_rule=deprecated_list_sp,
4210
77
        deprecated_reason=DEPRECATED_REASON,
4211
78
        deprecated_since=versionutils.deprecated.STEIN
4212
86
    ),
79
    ),
4213
87
    policy.DocumentedRuleDefault(
80
    policy.DocumentedRuleDefault(
4214
88
        name=base.IDENTITY % 'get_service_provider',
81
        name=base.IDENTITY % 'get_service_provider',
4215
@@ -101,7 +94,9 @@ service_provider_policies = [
4216
101
                'method': 'HEAD'
94
                'method': 'HEAD'
4217
102
            }
95
            }
4218
103
        ],
96
        ],
4220
104
        deprecated_rule=deprecated_get_sp
97
        deprecated_rule=deprecated_get_sp,
4221
98
        deprecated_reason=DEPRECATED_REASON,
4222
99
        deprecated_since=versionutils.deprecated.STEIN
4223
105
    ),
100
    ),
4224
106
    policy.DocumentedRuleDefault(
101
    policy.DocumentedRuleDefault(
4225
107
        name=base.IDENTITY % 'update_service_provider',
102
        name=base.IDENTITY % 'update_service_provider',
4226
@@ -111,7 +106,9 @@ service_provider_policies = [
4227
111
        operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
106
        operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
4228
112
                              '{service_provider_id}'),
107
                              '{service_provider_id}'),
4229
113
                     'method': 'PATCH'}],
108
                     'method': 'PATCH'}],
4231
114
        deprecated_rule=deprecated_update_sp),
109
        deprecated_rule=deprecated_update_sp,
4232
110
        deprecated_reason=DEPRECATED_REASON,
4233
111
        deprecated_since=versionutils.deprecated.STEIN),
4234
115
    policy.DocumentedRuleDefault(
112
    policy.DocumentedRuleDefault(
4235
116
        name=base.IDENTITY % 'delete_service_provider',
113
        name=base.IDENTITY % 'delete_service_provider',
4236
117
        check_str=base.SYSTEM_ADMIN,
114
        check_str=base.SYSTEM_ADMIN,
4237
@@ -120,7 +117,9 @@ service_provider_policies = [
4238
120
        operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
117
        operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
4239
121
                              '{service_provider_id}'),
118
                              '{service_provider_id}'),
4240
122
                     'method': 'DELETE'}],
119
                     'method': 'DELETE'}],
4242
123
        deprecated_rule=deprecated_delete_sp)
120
        deprecated_rule=deprecated_delete_sp,
4243
121
        deprecated_reason=DEPRECATED_REASON,
4244
122
        deprecated_since=versionutils.deprecated.STEIN)
4245
124
]
123
]
4246
125
124
4247
126
125
4248
diff --git a/keystone/common/policies/token.py b/keystone/common/policies/token.py
4249
index cb321b0..9fa3c52 100644
4250
--- a/keystone/common/policies/token.py
4251
+++ b/keystone/common/policies/token.py
4252
@@ -21,21 +21,15 @@ DEPRECATED_REASON = (
4253
21
21
4254
22
deprecated_check_token = policy.DeprecatedRule(
22
deprecated_check_token = policy.DeprecatedRule(
4255
23
    name=base.IDENTITY % 'check_token',
23
    name=base.IDENTITY % 'check_token',
4259
24
    check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT,
24
    check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT
4257
25
    deprecated_reason=DEPRECATED_REASON,
4258
26
    deprecated_since=versionutils.deprecated.TRAIN
4260
27
)
25
)
4261
28
deprecated_validate_token = policy.DeprecatedRule(
26
deprecated_validate_token = policy.DeprecatedRule(
4262
29
    name=base.IDENTITY % 'validate_token',
27
    name=base.IDENTITY % 'validate_token',
4266
30
    check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT,
28
    check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT
4264
31
    deprecated_reason=DEPRECATED_REASON,
4265
32
    deprecated_since=versionutils.deprecated.TRAIN
4267
33
)
29
)
4268
34
deprecated_revoke_token = policy.DeprecatedRule(
30
deprecated_revoke_token = policy.DeprecatedRule(
4269
35
    name=base.IDENTITY % 'revoke_token',
31
    name=base.IDENTITY % 'revoke_token',
4273
36
    check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT,
32
    check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT
4271
37
    deprecated_reason=DEPRECATED_REASON,
4272
38
    deprecated_since=versionutils.deprecated.TRAIN
4274
39
)
33
)
4275
40
34
4276
41
SYSTEM_ADMIN_OR_TOKEN_SUBJECT = (
35
SYSTEM_ADMIN_OR_TOKEN_SUBJECT = (
4277
@@ -58,7 +52,9 @@ token_policies = [
4278
58
        description='Check a token.',
52
        description='Check a token.',
4279
59
        operations=[{'path': '/v3/auth/tokens',
53
        operations=[{'path': '/v3/auth/tokens',
4280
60
                     'method': 'HEAD'}],
54
                     'method': 'HEAD'}],
4282
61
        deprecated_rule=deprecated_check_token),
55
        deprecated_rule=deprecated_check_token,
4283
56
        deprecated_reason=DEPRECATED_REASON,
4284
57
        deprecated_since=versionutils.deprecated.TRAIN),
4285
62
    policy.DocumentedRuleDefault(
58
    policy.DocumentedRuleDefault(
4286
63
        name=base.IDENTITY % 'validate_token',
59
        name=base.IDENTITY % 'validate_token',
4287
64
        check_str=SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT,
60
        check_str=SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT,
4288
@@ -66,7 +62,9 @@ token_policies = [
4289
66
        description='Validate a token.',
62
        description='Validate a token.',
4290
67
        operations=[{'path': '/v3/auth/tokens',
63
        operations=[{'path': '/v3/auth/tokens',
4291
68
                     'method': 'GET'}],
64
                     'method': 'GET'}],
4293
69
        deprecated_rule=deprecated_validate_token),
65
        deprecated_rule=deprecated_validate_token,
4294
66
        deprecated_reason=DEPRECATED_REASON,
4295
67
        deprecated_since=versionutils.deprecated.TRAIN),
4296
70
    policy.DocumentedRuleDefault(
68
    policy.DocumentedRuleDefault(
4297
71
        name=base.IDENTITY % 'revoke_token',
69
        name=base.IDENTITY % 'revoke_token',
4298
72
        check_str=SYSTEM_ADMIN_OR_TOKEN_SUBJECT,
70
        check_str=SYSTEM_ADMIN_OR_TOKEN_SUBJECT,
4299
@@ -74,7 +72,9 @@ token_policies = [
4300
74
        description='Revoke a token.',
72
        description='Revoke a token.',
4301
75
        operations=[{'path': '/v3/auth/tokens',
73
        operations=[{'path': '/v3/auth/tokens',
4302
76
                     'method': 'DELETE'}],
74
                     'method': 'DELETE'}],
4304
77
        deprecated_rule=deprecated_revoke_token)
75
        deprecated_rule=deprecated_revoke_token,
4305
76
        deprecated_reason=DEPRECATED_REASON,
4306
77
        deprecated_since=versionutils.deprecated.TRAIN)
4307
78
]
78
]
4308
79
79
4309
80
80
4310
diff --git a/keystone/common/policies/trust.py b/keystone/common/policies/trust.py
4311
index 7678106..82acb0a 100644
4312
--- a/keystone/common/policies/trust.py
4313
+++ b/keystone/common/policies/trust.py
4314
@@ -24,39 +24,29 @@ SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR
4315
24
SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE
24
SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE
4316
25
SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR
25
SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR
4317
26
26
4318
27
DEPRECATED_REASON = (
4319
28
    "The trust API is now aware of system scope and default roles."
4320
29
)
4321
30
4322
31
deprecated_list_trusts = policy.DeprecatedRule(
27
deprecated_list_trusts = policy.DeprecatedRule(
4323
32
    name=base.IDENTITY % 'list_trusts',
28
    name=base.IDENTITY % 'list_trusts',
4327
33
    check_str=base.RULE_ADMIN_REQUIRED,
29
    check_str=base.RULE_ADMIN_REQUIRED
4325
34
    deprecated_reason=DEPRECATED_REASON,
4326
35
    deprecated_since=versionutils.deprecated.TRAIN
4328
36
)
30
)
4329
37
deprecated_list_roles_for_trust = policy.DeprecatedRule(
31
deprecated_list_roles_for_trust = policy.DeprecatedRule(
4330
38
    name=base.IDENTITY % 'list_roles_for_trust',
32
    name=base.IDENTITY % 'list_roles_for_trust',
4334
39
    check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
33
    check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
4332
40
    deprecated_reason=DEPRECATED_REASON,
4333
41
    deprecated_since=versionutils.deprecated.TRAIN
4335
42
)
34
)
4336
43
deprecated_get_role_for_trust = policy.DeprecatedRule(
35
deprecated_get_role_for_trust = policy.DeprecatedRule(
4337
44
    name=base.IDENTITY % 'get_role_for_trust',
36
    name=base.IDENTITY % 'get_role_for_trust',
4341
45
    check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
37
    check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
4339
46
    deprecated_reason=DEPRECATED_REASON,
4340
47
    deprecated_since=versionutils.deprecated.TRAIN
4342
48
)
38
)
4343
49
deprecated_delete_trust = policy.DeprecatedRule(
39
deprecated_delete_trust = policy.DeprecatedRule(
4344
50
    name=base.IDENTITY % 'delete_trust',
40
    name=base.IDENTITY % 'delete_trust',
4348
51
    check_str=RULE_TRUSTOR,
41
    check_str=RULE_TRUSTOR
4346
52
    deprecated_reason=DEPRECATED_REASON,
4347
53
    deprecated_since=versionutils.deprecated.TRAIN
4349
54
)
42
)
4350
55
deprecated_get_trust = policy.DeprecatedRule(
43
deprecated_get_trust = policy.DeprecatedRule(
4351
56
    name=base.IDENTITY % 'get_trust',
44
    name=base.IDENTITY % 'get_trust',
4355
57
    check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
45
    check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
4356
58
    deprecated_reason=DEPRECATED_REASON,
46
)
4357
59
    deprecated_since=versionutils.deprecated.TRAIN
47
4358
48
DEPRECATED_REASON = (
4359
49
    "The trust API is now aware of system scope and default roles."
4360
60
)
50
)
4361
61
51
4362
62
trust_policies = [
52
trust_policies = [
4363
@@ -79,7 +69,9 @@ trust_policies = [
4364
79
                     'method': 'GET'},
69
                     'method': 'GET'},
4365
80
                    {'path': '/v3/OS-TRUST/trusts',
70
                    {'path': '/v3/OS-TRUST/trusts',
4366
81
                     'method': 'HEAD'}],
71
                     'method': 'HEAD'}],
4368
82
        deprecated_rule=deprecated_list_trusts),
72
        deprecated_rule=deprecated_list_trusts,
4369
73
        deprecated_reason=DEPRECATED_REASON,
4370
74
        deprecated_since=versionutils.deprecated.TRAIN),
4371
83
    policy.DocumentedRuleDefault(
75
    policy.DocumentedRuleDefault(
4372
84
        name=base.IDENTITY % 'list_trusts_for_trustor',
76
        name=base.IDENTITY % 'list_trusts_for_trustor',
4373
85
        check_str=SYSTEM_READER_OR_TRUSTOR,
77
        check_str=SYSTEM_READER_OR_TRUSTOR,
4374
@@ -111,7 +103,9 @@ trust_policies = [
4375
111
                     'method': 'GET'},
103
                     'method': 'GET'},
4376
112
                    {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
104
                    {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
4377
113
                     'method': 'HEAD'}],
105
                     'method': 'HEAD'}],
4379
114
        deprecated_rule=deprecated_list_roles_for_trust),
106
        deprecated_rule=deprecated_list_roles_for_trust,
4380
107
        deprecated_reason=DEPRECATED_REASON,
4381
108
        deprecated_since=versionutils.deprecated.TRAIN),
4382
115
    policy.DocumentedRuleDefault(
109
    policy.DocumentedRuleDefault(
4383
116
        name=base.IDENTITY % 'get_role_for_trust',
110
        name=base.IDENTITY % 'get_role_for_trust',
4384
117
        check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
111
        check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
4385
@@ -121,7 +115,9 @@ trust_policies = [
4386
121
                     'method': 'GET'},
115
                     'method': 'GET'},
4387
122
                    {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
116
                    {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
4388
123
                     'method': 'HEAD'}],
117
                     'method': 'HEAD'}],
4390
124
        deprecated_rule=deprecated_get_role_for_trust),
118
        deprecated_rule=deprecated_get_role_for_trust,
4391
119
        deprecated_reason=DEPRECATED_REASON,
4392
120
        deprecated_since=versionutils.deprecated.TRAIN),
4393
125
    policy.DocumentedRuleDefault(
121
    policy.DocumentedRuleDefault(
4394
126
        name=base.IDENTITY % 'delete_trust',
122
        name=base.IDENTITY % 'delete_trust',
4395
127
        check_str=SYSTEM_ADMIN_OR_TRUSTOR,
123
        check_str=SYSTEM_ADMIN_OR_TRUSTOR,
4396
@@ -129,7 +125,9 @@ trust_policies = [
4397
129
        description='Revoke trust.',
125
        description='Revoke trust.',
4398
130
        operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
126
        operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
4399
131
                     'method': 'DELETE'}],
127
                     'method': 'DELETE'}],
4401
132
        deprecated_rule=deprecated_delete_trust),
128
        deprecated_rule=deprecated_delete_trust,
4402
129
        deprecated_reason=DEPRECATED_REASON,
4403
130
        deprecated_since=versionutils.deprecated.TRAIN),
4404
133
    policy.DocumentedRuleDefault(
131
    policy.DocumentedRuleDefault(
4405
134
        name=base.IDENTITY % 'get_trust',
132
        name=base.IDENTITY % 'get_trust',
4406
135
        check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
133
        check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
4407
@@ -139,7 +137,9 @@ trust_policies = [
4408
139
                     'method': 'GET'},
137
                     'method': 'GET'},
4409
140
                    {'path': '/v3/OS-TRUST/trusts/{trust_id}',
138
                    {'path': '/v3/OS-TRUST/trusts/{trust_id}',
4410
141
                     'method': 'HEAD'}],
139
                     'method': 'HEAD'}],
4412
142
        deprecated_rule=deprecated_get_trust)
140
        deprecated_rule=deprecated_get_trust,
4413
141
        deprecated_reason=DEPRECATED_REASON,
4414
142
        deprecated_since=versionutils.deprecated.TRAIN)
4415
143
]
143
]
4416
144
144
4417
145
145
4418
diff --git a/keystone/common/policies/user.py b/keystone/common/policies/user.py
4419
index 0534f70..75a0062 100644
4420
--- a/keystone/common/policies/user.py
4421
+++ b/keystone/common/policies/user.py
4422
@@ -36,33 +36,23 @@ DEPRECATED_REASON = (
4423
36
36
4424
37
deprecated_get_user = policy.DeprecatedRule(
37
deprecated_get_user = policy.DeprecatedRule(
4425
38
    name=base.IDENTITY % 'get_user',
38
    name=base.IDENTITY % 'get_user',
4429
39
    check_str=base.RULE_ADMIN_OR_OWNER,
39
    check_str=base.RULE_ADMIN_OR_OWNER
4427
40
    deprecated_reason=DEPRECATED_REASON,
4428
41
    deprecated_since=versionutils.deprecated.STEIN
4430
42
)
40
)
4431
43
deprecated_list_users = policy.DeprecatedRule(
41
deprecated_list_users = policy.DeprecatedRule(
4432
44
    name=base.IDENTITY % 'list_users',
42
    name=base.IDENTITY % 'list_users',
4436
45
    check_str=base.RULE_ADMIN_REQUIRED,
43
    check_str=base.RULE_ADMIN_REQUIRED
4434
46
    deprecated_reason=DEPRECATED_REASON,
4435
47
    deprecated_since=versionutils.deprecated.STEIN
4437
48
)
44
)
4438
49
deprecated_create_user = policy.DeprecatedRule(
45
deprecated_create_user = policy.DeprecatedRule(
4439
50
    name=base.IDENTITY % 'create_user',
46
    name=base.IDENTITY % 'create_user',
4443
51
    check_str=base.RULE_ADMIN_REQUIRED,
47
    check_str=base.RULE_ADMIN_REQUIRED
4441
52
    deprecated_reason=DEPRECATED_REASON,
4442
53
    deprecated_since=versionutils.deprecated.STEIN
4444
54
)
48
)
4445
55
deprecated_update_user = policy.DeprecatedRule(
49
deprecated_update_user = policy.DeprecatedRule(
4446
56
    name=base.IDENTITY % 'update_user',
50
    name=base.IDENTITY % 'update_user',
4450
57
    check_str=base.RULE_ADMIN_REQUIRED,
51
    check_str=base.RULE_ADMIN_REQUIRED
4448
58
    deprecated_reason=DEPRECATED_REASON,
4449
59
    deprecated_since=versionutils.deprecated.STEIN
4451
60
)
52
)
4452
61
deprecated_delete_user = policy.DeprecatedRule(
53
deprecated_delete_user = policy.DeprecatedRule(
4453
62
    name=base.IDENTITY % 'delete_user',
54
    name=base.IDENTITY % 'delete_user',
4457
63
    check_str=base.RULE_ADMIN_REQUIRED,
55
    check_str=base.RULE_ADMIN_REQUIRED
4455
64
    deprecated_reason=DEPRECATED_REASON,
4456
65
    deprecated_since=versionutils.deprecated.STEIN
4458
66
)
56
)
4459
67
57
4460
68
user_policies = [
58
user_policies = [
4461
@@ -75,7 +65,9 @@ user_policies = [
4462
75
                     'method': 'GET'},
65
                     'method': 'GET'},
4463
76
                    {'path': '/v3/users/{user_id}',
66
                    {'path': '/v3/users/{user_id}',
4464
77
                     'method': 'HEAD'}],
67
                     'method': 'HEAD'}],
4466
78
        deprecated_rule=deprecated_get_user),
68
        deprecated_rule=deprecated_get_user,
4467
69
        deprecated_reason=DEPRECATED_REASON,
4468
70
        deprecated_since=versionutils.deprecated.STEIN),
4469
79
    policy.DocumentedRuleDefault(
71
    policy.DocumentedRuleDefault(
4470
80
        name=base.IDENTITY % 'list_users',
72
        name=base.IDENTITY % 'list_users',
4471
81
        check_str=SYSTEM_READER_OR_DOMAIN_READER,
73
        check_str=SYSTEM_READER_OR_DOMAIN_READER,
4472
@@ -85,7 +77,9 @@ user_policies = [
4473
85
                     'method': 'GET'},
77
                     'method': 'GET'},
4474
86
                    {'path': '/v3/users',
78
                    {'path': '/v3/users',
4475
87
                     'method': 'HEAD'}],
79
                     'method': 'HEAD'}],
4477
88
        deprecated_rule=deprecated_list_users),
80
        deprecated_rule=deprecated_list_users,
4478
81
        deprecated_reason=DEPRECATED_REASON,
4479
82
        deprecated_since=versionutils.deprecated.STEIN),
4480
89
    policy.DocumentedRuleDefault(
83
    policy.DocumentedRuleDefault(
4481
90
        name=base.IDENTITY % 'list_projects_for_user',
84
        name=base.IDENTITY % 'list_projects_for_user',
4482
91
        check_str='',
85
        check_str='',
4483
@@ -117,7 +111,9 @@ user_policies = [
4484
117
        description='Create a user.',
111
        description='Create a user.',
4485
118
        operations=[{'path': '/v3/users',
112
        operations=[{'path': '/v3/users',
4486
119
                     'method': 'POST'}],
113
                     'method': 'POST'}],
4488
120
        deprecated_rule=deprecated_create_user),
114
        deprecated_rule=deprecated_create_user,
4489
115
        deprecated_reason=DEPRECATED_REASON,
4490
116
        deprecated_since=versionutils.deprecated.STEIN),
4491
121
    policy.DocumentedRuleDefault(
117
    policy.DocumentedRuleDefault(
4492
122
        name=base.IDENTITY % 'update_user',
118
        name=base.IDENTITY % 'update_user',
4493
123
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
119
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
4494
@@ -125,7 +121,9 @@ user_policies = [
4495
125
        description='Update a user, including administrative password resets.',
121
        description='Update a user, including administrative password resets.',
4496
126
        operations=[{'path': '/v3/users/{user_id}',
122
        operations=[{'path': '/v3/users/{user_id}',
4497
127
                     'method': 'PATCH'}],
123
                     'method': 'PATCH'}],
4499
128
        deprecated_rule=deprecated_update_user),
124
        deprecated_rule=deprecated_update_user,
4500
125
        deprecated_reason=DEPRECATED_REASON,
4501
126
        deprecated_since=versionutils.deprecated.STEIN),
4502
129
    policy.DocumentedRuleDefault(
127
    policy.DocumentedRuleDefault(
4503
130
        name=base.IDENTITY % 'delete_user',
128
        name=base.IDENTITY % 'delete_user',
4504
131
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
129
        check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
4505
@@ -133,7 +131,9 @@ user_policies = [
4506
133
        description='Delete a user.',
131
        description='Delete a user.',
4507
134
        operations=[{'path': '/v3/users/{user_id}',
132
        operations=[{'path': '/v3/users/{user_id}',
4508
135
                     'method': 'DELETE'}],
133
                     'method': 'DELETE'}],
4510
136
        deprecated_rule=deprecated_delete_user)
134
        deprecated_rule=deprecated_delete_user,
4511
135
        deprecated_reason=DEPRECATED_REASON,
4512
136
        deprecated_since=versionutils.deprecated.STEIN)
4513
137
]
137
]
4514
138
138
4515
139
139
4516
diff --git a/keystone/common/rbac_enforcer/enforcer.py b/keystone/common/rbac_enforcer/enforcer.py
4517
index 7add048..ca6a8e7 100644
4518
--- a/keystone/common/rbac_enforcer/enforcer.py
4519
+++ b/keystone/common/rbac_enforcer/enforcer.py
4520
@@ -14,7 +14,6 @@ import functools
4521
14
14
4522
15
import flask
15
import flask
4523
16
from oslo_log import log
16
from oslo_log import log
4524
17
from oslo_policy import opts
4525
18
from oslo_policy import policy as common_policy
17
from oslo_policy import policy as common_policy
4526
19
from oslo_utils import strutils
18
from oslo_utils import strutils
4527
20
19
4528
@@ -40,13 +39,6 @@ _POSSIBLE_TARGET_ACTIONS = frozenset([
4529
40
_ENFORCEMENT_CHECK_ATTR = 'keystone:RBAC:enforcement_called'
39
_ENFORCEMENT_CHECK_ATTR = 'keystone:RBAC:enforcement_called'
4530
41
40
4531
42
41
4532
43
# TODO(gmann): Remove setting the default value of config policy_file
4533
44
# once oslo_policy change the default value to 'policy.yaml'.
4534
45
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
4535
46
DEFAULT_POLICY_FILE = 'policy.yaml'
4536
47
opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
4537
48
4538
49
4539
50
class RBACEnforcer(object):
42
class RBACEnforcer(object):
4540
51
    """Enforce RBAC on API calls."""
43
    """Enforce RBAC on API calls."""
4541
52
44
4542
diff --git a/keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py b/keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py
4543
53
deleted file mode 100644
45
deleted file mode 100644
4544
index 2b09cbc..0000000
4545
--- a/keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py
4546
+++ /dev/null
4547
@@ -1,18 +0,0 @@
4548
1
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
4549
2
#    not use this file except in compliance with the License. You may obtain
4550
3
#    a copy of the License at
4551
4
#
4552
5
#         http://www.apache.org/licenses/LICENSE-2.0
4553
6
#
4554
7
#    Unless required by applicable law or agreed to in writing, software
4555
8
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
4556
9
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
4557
10
#    License for the specific language governing permissions and limitations
4558
11
#    under the License.
4559
12
4560
13
# This is a placeholder for Ussuri backports. Do not use this number for new
4561
14
# Victoria work. New Victoria work starts after all the placeholders.
4562
15
4563
16
4564
17
def upgrade(migrate_engine):
4565
18
    pass
4566
diff --git a/keystone/common/sql/core.py b/keystone/common/sql/core.py
4567
index 7670c47..ed84e58 100644
4568
--- a/keystone/common/sql/core.py
4569
+++ b/keystone/common/sql/core.py
4570
@@ -119,11 +119,6 @@ ModelBase.__init__ = initialize_decorator(ModelBase.__init__)
4571
119
class JsonBlob(sql_types.TypeDecorator):
119
class JsonBlob(sql_types.TypeDecorator):
4572
120
120
4573
121
    impl = sql.Text
121
    impl = sql.Text
4574
122
    # NOTE(ralonsoh): set to True as any other TypeDecorator in SQLAlchemy
4575
123
    # https://docs.sqlalchemy.org/en/14/core/custom_types.html# \
4576
124
    #   sqlalchemy.types.TypeDecorator.cache_ok
4577
125
    cache_ok = True
4578
126
    """This type is safe to cache."""
4579
127
122
4580
128
    def process_bind_param(self, value, dialect):
123
    def process_bind_param(self, value, dialect):
4581
129
        return jsonutils.dumps(value)
124
        return jsonutils.dumps(value)
4582
@@ -149,11 +144,6 @@ class DateTimeInt(sql_types.TypeDecorator):
4583
149
144
4584
150
    impl = sql.BigInteger
145
    impl = sql.BigInteger
4585
151
    epoch = datetime.datetime.fromtimestamp(0, tz=pytz.UTC)
146
    epoch = datetime.datetime.fromtimestamp(0, tz=pytz.UTC)
4586
152
    # NOTE(ralonsoh): set to True as any other TypeDecorator in SQLAlchemy
4587
153
    # https://docs.sqlalchemy.org/en/14/core/custom_types.html# \
4588
154
    #   sqlalchemy.types.TypeDecorator.cache_ok
4589
155
    cache_ok = True
4590
156
    """This type is safe to cache."""
4591
157
147
4592
158
    def process_bind_param(self, value, dialect):
148
    def process_bind_param(self, value, dialect):
4593
159
        if value is None:
149
        if value is None:
4594
diff --git a/keystone/common/sql/data_migration_repo/versions/079_migrate_update_local_id_limit.py b/keystone/common/sql/data_migration_repo/versions/079_migrate_update_local_id_limit.py
4595
160
deleted file mode 100644
150
deleted file mode 100644
4596
index 2b09cbc..0000000
4597
--- a/keystone/common/sql/data_migration_repo/versions/079_migrate_update_local_id_limit.py
4598
+++ /dev/null
4599
@@ -1,18 +0,0 @@
4600
1
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
4601
2
#    not use this file except in compliance with the License. You may obtain
4602
3
#    a copy of the License at
4603
4
#
4604
5
#         http://www.apache.org/licenses/LICENSE-2.0
4605
6
#
4606
7
#    Unless required by applicable law or agreed to in writing, software
4607
8
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
4608
9
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
4609
10
#    License for the specific language governing permissions and limitations
4610
11
#    under the License.
4611
12
4612
13
# This is a placeholder for Ussuri backports. Do not use this number for new
4613
14
# Victoria work. New Victoria work starts after all the placeholders.
4614
15
4615
16
4616
17
def upgrade(migrate_engine):
4617
18
    pass
4618
diff --git a/keystone/common/sql/expand_repo/versions/079_expand_update_local_id_limit.py b/keystone/common/sql/expand_repo/versions/079_expand_update_local_id_limit.py
4619
19
deleted file mode 100644
0
deleted file mode 100644
4620
index 20db838..0000000
4621
--- a/keystone/common/sql/expand_repo/versions/079_expand_update_local_id_limit.py
4622
+++ /dev/null
4623
@@ -1,24 +0,0 @@
4624
1
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
4625
2
#    not use this file except in compliance with the License. You may obtain
4626
3
#    a copy of the License at
4627
4
#
4628
5
#         http://www.apache.org/licenses/LICENSE-2.0
4629
6
#
4630
7
#    Unless required by applicable law or agreed to in writing, software
4631
8
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
4632
9
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
4633
10
#    License for the specific language governing permissions and limitations
4634
11
#    under the License.
4635
12
4636
13
import sqlalchemy as sql
4637
14
4638
15
4639
16
def upgrade(migrate_engine):
4640
17
4641
18
    meta = sql.MetaData()
4642
19
    meta.bind = migrate_engine
4643
20
4644
21
    id_mapping_table = sql.Table(
4645
22
        'id_mapping', meta, autoload=True
4646
23
    )
4647
24
    id_mapping_table.c.local_id.alter(type=sql.String(255))
4648
diff --git a/keystone/common/utils.py b/keystone/common/utils.py
4649
index 7c3e7ae..1314085 100644
4650
--- a/keystone/common/utils.py
4651
+++ b/keystone/common/utils.py
4652
@@ -16,7 +16,7 @@
4653
16
#    License for the specific language governing permissions and limitations
16
#    License for the specific language governing permissions and limitations
4654
17
#    under the License.
17
#    under the License.
4655
18
18
4657
19
import collections.abc
19
import collections
4658
20
import grp
20
import grp
4659
21
import hashlib
21
import hashlib
4660
22
import itertools
22
import itertools
4661
@@ -81,7 +81,7 @@ def flatten_dict(d, parent_key=''):
4662
81
    items = []
81
    items = []
4663
82
    for k, v in d.items():
82
    for k, v in d.items():
4664
83
        new_key = parent_key + '.' + k if parent_key else k
83
        new_key = parent_key + '.' + k if parent_key else k
4666
84
        if isinstance(v, collections.abc.MutableMapping):
84
        if isinstance(v, collections.MutableMapping):
4667
85
            items.extend(list(flatten_dict(v, new_key).items()))
85
            items.extend(list(flatten_dict(v, new_key).items()))
4668
86
        else:
86
        else:
4669
87
            items.append((new_key, v))
87
            items.append((new_key, v))
4670
diff --git a/keystone/conf/__init__.py b/keystone/conf/__init__.py
4671
index 5de0ec1..77c26a1 100644
4672
--- a/keystone/conf/__init__.py
4673
+++ b/keystone/conf/__init__.py
4674
@@ -18,7 +18,6 @@ from oslo_log import log
4675
18
from oslo_log import versionutils
18
from oslo_log import versionutils
4676
19
import oslo_messaging
19
import oslo_messaging
4677
20
from oslo_middleware import cors
20
from oslo_middleware import cors
4678
21
from oslo_policy import opts as policy_opts
4679
22
from osprofiler import opts as profiler
21
from osprofiler import opts as profiler
4680
23
22
4681
24
from keystone.conf import application_credential
23
from keystone.conf import application_credential
4682
@@ -186,12 +185,6 @@ def set_external_opts_defaults():
4683
186
    # configure OSprofiler options
185
    # configure OSprofiler options
4684
187
    profiler.set_defaults(CONF, enabled=False, trace_sqlalchemy=False)
186
    profiler.set_defaults(CONF, enabled=False, trace_sqlalchemy=False)
4685
188
187
4686
189
    # TODO(gmann): Remove setting the default value of config policy_file
4687
190
    # once oslo_policy change the default value to 'policy.yaml'.
4688
191
    # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
4689
192
    DEFAULT_POLICY_FILE = 'policy.yaml'
4690
193
    policy_opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
4691
194
4692
195
    # Oslo.cache is always enabled by default for request-local caching
188
    # Oslo.cache is always enabled by default for request-local caching
4693
196
    # TODO(morganfainberg): Fix this to not use internal interface when
189
    # TODO(morganfainberg): Fix this to not use internal interface when
4694
197
    # oslo.cache has proper interface to set defaults added. This is
190
    # oslo.cache has proper interface to set defaults added. This is
4695
diff --git a/keystone/conf/memcache.py b/keystone/conf/memcache.py
4696
index b4b8c8b..97dc2c9 100644
4697
--- a/keystone/conf/memcache.py
4698
+++ b/keystone/conf/memcache.py
4699
@@ -19,12 +19,6 @@ from keystone.conf import utils
4700
19
dead_retry = cfg.IntOpt(
19
dead_retry = cfg.IntOpt(
4701
20
    'dead_retry',
20
    'dead_retry',
4702
21
    default=5 * 60,
21
    default=5 * 60,
4703
22
    deprecated_for_removal=True,
4704
23
    deprecated_reason='This option has no effect. '
4705
24
                      'Configure ``keystone.conf [cache] '
4706
25
                      'memcache_dead_retry`` option to set the '
4707
26
                      'dead_retry of memcached instead. ',
4708
27
    deprecated_since='Y',
4709
28
    help=utils.fmt("""
22
    help=utils.fmt("""
4710
29
Number of seconds memcached server is considered dead before it is tried again.
23
Number of seconds memcached server is considered dead before it is tried again.
4711
30
This is used by the key value store system.
24
This is used by the key value store system.
4712
@@ -34,7 +28,7 @@ socket_timeout = cfg.IntOpt(
4713
34
    'socket_timeout',
28
    'socket_timeout',
4714
35
    default=3,
29
    default=3,
4715
36
    deprecated_for_removal=True,
30
    deprecated_for_removal=True,
4717
37
    deprecated_reason='This option has no effect. '
31
    deprecated_reason='This option is duplicated with oslo.cache. '
4718
38
                      'Configure ``keystone.conf [cache] '
32
                      'Configure ``keystone.conf [cache] '
4719
39
                      'memcache_socket_timeout`` option to set the '
33
                      'memcache_socket_timeout`` option to set the '
4720
40
                      'socket_timeout of memcached instead. ',
34
                      'socket_timeout of memcached instead. ',
4721
@@ -47,12 +41,6 @@ store system.
4722
47
pool_maxsize = cfg.IntOpt(
41
pool_maxsize = cfg.IntOpt(
4723
48
    'pool_maxsize',
42
    'pool_maxsize',
4724
49
    default=10,
43
    default=10,
4725
50
    deprecated_for_removal=True,
4726
51
    deprecated_reason='This option has no effect. '
4727
52
                      'Configure ``keystone.conf [cache] '
4728
53
                      'memcache_pool_maxsize`` option to set the '
4729
54
                      'pool_maxsize of memcached instead. ',
4730
55
    deprecated_since='Y',
4731
56
    help=utils.fmt("""
44
    help=utils.fmt("""
4732
57
Max total number of open connections to every memcached server. This is used by
45
Max total number of open connections to every memcached server. This is used by
4733
58
the key value store system.
46
the key value store system.
4734
@@ -61,12 +49,6 @@ the key value store system.
4735
61
pool_unused_timeout = cfg.IntOpt(
49
pool_unused_timeout = cfg.IntOpt(
4736
62
    'pool_unused_timeout',
50
    'pool_unused_timeout',
4737
63
    default=60,
51
    default=60,
4738
64
    deprecated_for_removal=True,
4739
65
    deprecated_reason='This option has no effect. '
4740
66
                      'Configure ``keystone.conf [cache] '
4741
67
                      'memcache_pool_unused_timeout`` option to set the '
4742
68
                      'pool_unused_timeout of memcached instead. ',
4743
69
    deprecated_since='Y',
4744
70
    help=utils.fmt("""
52
    help=utils.fmt("""
4745
71
Number of seconds a connection to memcached is held unused in the pool before
53
Number of seconds a connection to memcached is held unused in the pool before
4746
72
it is closed. This is used by the key value store system.
54
it is closed. This is used by the key value store system.
4747
@@ -75,12 +57,6 @@ it is closed. This is used by the key value store system.
4748
75
pool_connection_get_timeout = cfg.IntOpt(
57
pool_connection_get_timeout = cfg.IntOpt(
4749
76
    'pool_connection_get_timeout',
58
    'pool_connection_get_timeout',
4750
77
    default=10,
59
    default=10,
4751
78
    deprecated_for_removal=True,
4752
79
    deprecated_reason='This option has no effect. '
4753
80
                      'Configure ``keystone.conf [cache] '
4754
81
                      'memcache_pool_connection_get_timeout`` option to set '
4755
82
                      'the connection_get_timeout of memcached instead. ',
4756
83
    deprecated_since='Y',
4757
84
    help=utils.fmt("""
60
    help=utils.fmt("""
4758
85
Number of seconds that an operation will wait to get a memcache client
61
Number of seconds that an operation will wait to get a memcache client
4759
86
connection. This is used by the key value store system.
62
connection. This is used by the key value store system.
4760
diff --git a/keystone/federation/idp.py b/keystone/federation/idp.py
4761
index 2f1a4fe..fd464f5 100644
4762
--- a/keystone/federation/idp.py
4763
+++ b/keystone/federation/idp.py
4764
@@ -366,11 +366,7 @@ class SAMLGenerator(object):
4765
366
366
4766
367
        """
367
        """
4767
368
        canonicalization_method = xmldsig.CanonicalizationMethod()
368
        canonicalization_method = xmldsig.CanonicalizationMethod()
4773
369
        # TODO(stephenfin): Drop when we remove support for pysaml < 7.1.0
369
        canonicalization_method.algorithm = xmldsig.ALG_EXC_C14N
4769
370
        if hasattr(xmldsig, 'TRANSFORM_C14N'):  # >= 7.1.0
4770
371
            canonicalization_method.algorithm = xmldsig.TRANSFORM_C14N
4771
372
        else:  # < 7.1.0
4772
373
            canonicalization_method.algorithm = xmldsig.ALG_EXC_C14N
4774
374
        signature_method = xmldsig.SignatureMethod(
370
        signature_method = xmldsig.SignatureMethod(
4775
375
            algorithm=xmldsig.SIG_RSA_SHA1)
371
            algorithm=xmldsig.SIG_RSA_SHA1)
4776
376
372
4777
@@ -378,11 +374,7 @@ class SAMLGenerator(object):
4778
378
        envelope_transform = xmldsig.Transform(
374
        envelope_transform = xmldsig.Transform(
4779
379
            algorithm=xmldsig.TRANSFORM_ENVELOPED)
375
            algorithm=xmldsig.TRANSFORM_ENVELOPED)
4780
380
376
4786
381
        # TODO(stephenfin): Drop when we remove support for pysaml < 7.1.0
377
        c14_transform = xmldsig.Transform(algorithm=xmldsig.ALG_EXC_C14N)
4782
382
        if hasattr(xmldsig, 'TRANSFORM_C14N'):  # >= 7.1.0
4783
383
            c14_transform = xmldsig.Transform(algorithm=xmldsig.TRANSFORM_C14N)
4784
384
        else:  # < 7.1.0
4785
385
            c14_transform = xmldsig.Transform(algorithm=xmldsig.ALG_EXC_C14N)
4787
386
        transforms.transform = [envelope_transform, c14_transform]
378
        transforms.transform = [envelope_transform, c14_transform]
4788
387
379
4789
388
        digest_method = xmldsig.DigestMethod(algorithm=xmldsig.DIGEST_SHA1)
380
        digest_method = xmldsig.DigestMethod(algorithm=xmldsig.DIGEST_SHA1)
4790
diff --git a/keystone/identity/mapping_backends/sql.py b/keystone/identity/mapping_backends/sql.py
4791
index 6fadd6a..676d144 100644
4792
--- a/keystone/identity/mapping_backends/sql.py
4793
+++ b/keystone/identity/mapping_backends/sql.py
4794
@@ -21,7 +21,7 @@ class IDMapping(sql.ModelBase, sql.ModelDictMixin):
4795
21
    __tablename__ = 'id_mapping'
21
    __tablename__ = 'id_mapping'
4796
22
    public_id = sql.Column(sql.String(64), primary_key=True)
22
    public_id = sql.Column(sql.String(64), primary_key=True)
4797
23
    domain_id = sql.Column(sql.String(64), nullable=False)
23
    domain_id = sql.Column(sql.String(64), nullable=False)
4799
24
    local_id = sql.Column(sql.String(255), nullable=False)
24
    local_id = sql.Column(sql.String(64), nullable=False)
4800
25
    # NOTE(henry-nash): Postgres requires a name to be defined for an Enum
25
    # NOTE(henry-nash): Postgres requires a name to be defined for an Enum
4801
26
    entity_type = sql.Column(
26
    entity_type = sql.Column(
4802
27
        sql.Enum(identity_mapping.EntityType.USER,
27
        sql.Enum(identity_mapping.EntityType.USER,
4803
diff --git a/keystone/identity/shadow_backends/sql.py b/keystone/identity/shadow_backends/sql.py
4804
index 3e04b33..1d817c0 100644
4805
--- a/keystone/identity/shadow_backends/sql.py
4806
+++ b/keystone/identity/shadow_backends/sql.py
4807
@@ -98,8 +98,7 @@ class ShadowUsers(base.ShadowUsersDriverBase):
4808
98
            x for x in hints.filters if x['name'] not in ('idp_id',
98
            x for x in hints.filters if x['name'] not in ('idp_id',
4809
99
                                                          'protocol_id',
99
                                                          'protocol_id',
4810
100
                                                          'unique_id')]
100
                                                          'unique_id')]
4813
101
        if statements:
101
        query = query.filter(sqlalchemy.and_(*statements))
4812
102
            query = query.filter(sqlalchemy.and_(*statements))
4814
103
        return query
102
        return query
4815
104
103
4816
105
    def get_federated_users(self, hints):
104
    def get_federated_users(self, hints):
4817
diff --git a/keystone/locale/en_GB/LC_MESSAGES/keystone.po b/keystone/locale/en_GB/LC_MESSAGES/keystone.po
4818
index 191ed55..5e6cdf8 100644
4819
--- a/keystone/locale/en_GB/LC_MESSAGES/keystone.po
4820
+++ b/keystone/locale/en_GB/LC_MESSAGES/keystone.po
4821
@@ -12,11 +12,11 @@ msgid ""
4822
12
msgstr ""
12
msgstr ""
4823
13
"Project-Id-Version: keystone VERSION\n"
13
"Project-Id-Version: keystone VERSION\n"
4824
14
"Report-Msgid-Bugs-To: https://bugs.launchpad.net/openstack-i18n/\n"
14
"Report-Msgid-Bugs-To: https://bugs.launchpad.net/openstack-i18n/\n"
4826
15
"POT-Creation-Date: 2021-01-08 19:57+0000\n"
15
"POT-Creation-Date: 2020-06-18 11:23+0000\n"
4827
16
"MIME-Version: 1.0\n"
16
"MIME-Version: 1.0\n"
4828
17
"Content-Type: text/plain; charset=UTF-8\n"
17
"Content-Type: text/plain; charset=UTF-8\n"
4829
18
"Content-Transfer-Encoding: 8bit\n"
18
"Content-Transfer-Encoding: 8bit\n"
4831
19
"PO-Revision-Date: 2020-10-28 02:12+0000\n"
19
"PO-Revision-Date: 2020-06-15 05:35+0000\n"
4832
20
"Last-Translator: Andi Chandler <andi@gowling.com>\n"
20
"Last-Translator: Andi Chandler <andi@gowling.com>\n"
4833
21
"Language: en_GB\n"
21
"Language: en_GB\n"
4834
22
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
22
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
4835
@@ -1384,14 +1384,6 @@ msgstr ""
4836
1384
1384
4837
1385
#, python-format
1385
#, python-format
4838
1386
msgid ""
1386
msgid ""
4839
1387
"Unable to create additional credentials, maximum of %(limit)d already "
4840
1388
"exceeded for user."
4841
1389
msgstr ""
4842
1390
"Unable to create additional credentials, maximum of %(limit)d already "
4843
1391
"exceeded for user."
4844
1392
4845
1393
#, python-format
4846
1394
msgid ""
4847
1395
"Unable to delete immutable %(type)s resource: `%(resource_id)s. Set resource "
1387
"Unable to delete immutable %(type)s resource: `%(resource_id)s. Set resource "
4848
1396
"option \"immutable\" to false first."
1388
"option \"immutable\" to false first."
4849
1397
msgstr ""
1389
msgstr ""
4850
@@ -1500,10 +1492,6 @@ msgstr ""
4851
1500
"%(group_id)s, Project: %(project_id)s, Domain: %(domain_id)s."
1492
"%(group_id)s, Project: %(project_id)s, Domain: %(domain_id)s."
4852
1501
1493
4853
1502
#, python-format
1494
#, python-format
4854
1503
msgid "Unexpected evaluation type \"%(eval_type)s\""
4855
1504
msgstr "Unexpected evaluation type \"%(eval_type)s\""
4856
1505
4857
1506
#, python-format
4858
1507
msgid "Unexpected status requested for JSON Home response, %s"
1495
msgid "Unexpected status requested for JSON Home response, %s"
4859
1508
msgstr "Unexpected status requested for JSON Home response, %s"
1496
msgstr "Unexpected status requested for JSON Home response, %s"
4860
1509
1497
4861
diff --git a/keystone/models/revoke_model.py b/keystone/models/revoke_model.py
4862
index 63425f1..6841559 100644
4863
--- a/keystone/models/revoke_model.py
4864
+++ b/keystone/models/revoke_model.py
4865
@@ -170,7 +170,7 @@ def matches(event, token_values):
4866
170
    # rest of the logic.
170
    # rest of the logic.
4867
171
171
4868
172
    # The token has two attributes that can match the domain_id.
172
    # The token has two attributes that can match the domain_id.
4870
173
    if event.domain_id is not None and event.domain_id not in (
173
    if event.domain_id is not None and event.domain_id not in(
4871
174
            token_values['identity_domain_id'],
174
            token_values['identity_domain_id'],
4872
175
            token_values['assignment_domain_id'],):
175
            token_values['assignment_domain_id'],):
4873
176
        return False
176
        return False
4874
diff --git a/keystone/tests/unit/assignment/test_backends.py b/keystone/tests/unit/assignment/test_backends.py
4875
index 4add564..cdf8966 100644
4876
--- a/keystone/tests/unit/assignment/test_backends.py
4877
+++ b/keystone/tests/unit/assignment/test_backends.py
4878
@@ -3694,9 +3694,9 @@ class ImpliedRoleTests(AssignmentTestHelperMixin):
4879
3694
        expected_implied_role_ref = {
3694
        expected_implied_role_ref = {
4880
3695
            'prior_role_id': prior_role_ref['id'],
3695
            'prior_role_id': prior_role_ref['id'],
4881
3696
            'implied_role_id': implied_role_ref['id']}
3696
            'implied_role_id': implied_role_ref['id']}
4885
3697
        self.assertLessEqual(
3697
        self.assertDictContainsSubset(
4886
3698
            expected_implied_role_ref.items(),
3698
            expected_implied_role_ref,
4887
3699
            implied_role.items())
3699
            implied_role)
4888
3700
3700
4889
3701
        PROVIDERS.role_api.delete_implied_role(
3701
        PROVIDERS.role_api.delete_implied_role(
4890
3702
            prior_role_ref['id'],
3702
            prior_role_ref['id'],
4891
diff --git a/keystone/tests/unit/catalog/test_backends.py b/keystone/tests/unit/catalog/test_backends.py
4892
index 513e5c3..b2989de 100644
4893
--- a/keystone/tests/unit/catalog/test_backends.py
4894
+++ b/keystone/tests/unit/catalog/test_backends.py
4895
@@ -111,23 +111,20 @@ class CatalogTests(object):
4896
111
        PROVIDERS.catalog_api.get_region(region_id)
111
        PROVIDERS.catalog_api.get_region(region_id)
4897
112
        # update the region bypassing catalog_api
112
        # update the region bypassing catalog_api
4898
113
        PROVIDERS.catalog_api.driver.update_region(region_id, updated_region)
113
        PROVIDERS.catalog_api.driver.update_region(region_id, updated_region)
4902
114
        self.assertLessEqual(
114
        self.assertDictContainsSubset(
4903
115
            new_region.items(),
115
            new_region, PROVIDERS.catalog_api.get_region(region_id)
4901
116
            PROVIDERS.catalog_api.get_region(region_id).items()
4904
117
        )
116
        )
4905
118
        PROVIDERS.catalog_api.get_region.invalidate(
117
        PROVIDERS.catalog_api.get_region.invalidate(
4906
119
            PROVIDERS.catalog_api, region_id
118
            PROVIDERS.catalog_api, region_id
4907
120
        )
119
        )
4911
121
        self.assertLessEqual(
120
        self.assertDictContainsSubset(
4912
122
            updated_region.items(),
121
            updated_region, PROVIDERS.catalog_api.get_region(region_id)
4910
123
            PROVIDERS.catalog_api.get_region(region_id).items()
4913
124
        )
122
        )
4914
125
        # delete the region
123
        # delete the region
4915
126
        PROVIDERS.catalog_api.driver.delete_region(region_id)
124
        PROVIDERS.catalog_api.driver.delete_region(region_id)
4916
127
        # still get the old region
125
        # still get the old region
4920
128
        self.assertLessEqual(
126
        self.assertDictContainsSubset(
4921
129
            updated_region.items(),
127
            updated_region, PROVIDERS.catalog_api.get_region(region_id)
4919
130
            PROVIDERS.catalog_api.get_region(region_id).items()
4922
131
        )
128
        )
4923
132
        PROVIDERS.catalog_api.get_region.invalidate(
129
        PROVIDERS.catalog_api.get_region.invalidate(
4924
133
            PROVIDERS.catalog_api, region_id
130
            PROVIDERS.catalog_api, region_id
4925
@@ -345,23 +342,20 @@ class CatalogTests(object):
4926
345
        PROVIDERS.catalog_api.driver.update_service(
342
        PROVIDERS.catalog_api.driver.update_service(
4927
346
            service_id, updated_service
343
            service_id, updated_service
4928
347
        )
344
        )
4932
348
        self.assertLessEqual(
345
        self.assertDictContainsSubset(
4933
349
            new_service.items(),
346
            new_service, PROVIDERS.catalog_api.get_service(service_id)
4931
350
            PROVIDERS.catalog_api.get_service(service_id).items()
4934
351
        )
347
        )
4935
352
        PROVIDERS.catalog_api.get_service.invalidate(
348
        PROVIDERS.catalog_api.get_service.invalidate(
4936
353
            PROVIDERS.catalog_api, service_id
349
            PROVIDERS.catalog_api, service_id
4937
354
        )
350
        )
4941
355
        self.assertLessEqual(
351
        self.assertDictContainsSubset(
4942
356
            updated_service.items(),
352
            updated_service, PROVIDERS.catalog_api.get_service(service_id)
4940
357
            PROVIDERS.catalog_api.get_service(service_id).items()
4943
358
        )
353
        )
4944
359
354
4945
360
        # delete bypassing catalog api
355
        # delete bypassing catalog api
4946
361
        PROVIDERS.catalog_api.driver.delete_service(service_id)
356
        PROVIDERS.catalog_api.driver.delete_service(service_id)
4950
362
        self.assertLessEqual(
357
        self.assertDictContainsSubset(
4951
363
            updated_service.items(),
358
            updated_service, PROVIDERS.catalog_api.get_service(service_id)
4949
364
            PROVIDERS.catalog_api.get_service(service_id).items()
4952
365
        )
359
        )
4953
366
        PROVIDERS.catalog_api.get_service.invalidate(
360
        PROVIDERS.catalog_api.get_service.invalidate(
4954
367
            PROVIDERS.catalog_api, service_id
361
            PROVIDERS.catalog_api, service_id
4955
@@ -422,12 +416,12 @@ class CatalogTests(object):
4956
422
        PROVIDERS.catalog_api.get_endpoint(endpoint['id'])
416
        PROVIDERS.catalog_api.get_endpoint(endpoint['id'])
4957
423
        # delete the service bypassing catalog api
417
        # delete the service bypassing catalog api
4958
424
        PROVIDERS.catalog_api.driver.delete_service(service['id'])
418
        PROVIDERS.catalog_api.driver.delete_service(service['id'])
4965
425
        self.assertLessEqual(
419
        self.assertDictContainsSubset(endpoint,
4966
426
            endpoint.items(),
420
                                      PROVIDERS.catalog_api.
4967
427
            PROVIDERS.catalog_api.get_endpoint(endpoint['id']).items())
421
                                      get_endpoint(endpoint['id']))
4968
428
        self.assertLessEqual(
422
        self.assertDictContainsSubset(service,
4969
429
            service.items(),
423
                                      PROVIDERS.catalog_api.
4970
430
            PROVIDERS.catalog_api.get_service(service['id']).items())
424
                                      get_service(service['id']))
4971
431
        PROVIDERS.catalog_api.get_endpoint.invalidate(
425
        PROVIDERS.catalog_api.get_endpoint.invalidate(
4972
432
            PROVIDERS.catalog_api, endpoint['id']
426
            PROVIDERS.catalog_api, endpoint['id']
4973
433
        )
427
        )
4974
diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
4975
index 2fa9f26..308cc01 100644
4976
--- a/keystone/tests/unit/common/test_notifications.py
4977
+++ b/keystone/tests/unit/common/test_notifications.py
4978
@@ -1045,7 +1045,7 @@ class TestEventCallbacks(test_v3.RestfulTestCase):
4979
1045
        Foo()
1045
        Foo()
4980
1046
        project_ref = unit.new_project_ref(domain_id=self.domain_id)
1046
        project_ref = unit.new_project_ref(domain_id=self.domain_id)
4981
1047
        PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
1047
        PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
4983
1048
        self.assertCountEqual(['cb1', 'cb0'], callback_called)
1048
        self.assertItemsEqual(['cb1', 'cb0'], callback_called)
4984
1049
1049
4985
1050
    def test_invalid_event_callbacks(self):
1050
    def test_invalid_event_callbacks(self):
4986
1051
        @notifications.listener
1051
        @notifications.listener
4987
diff --git a/keystone/tests/unit/config_files/backend_ldap_sql.conf b/keystone/tests/unit/config_files/backend_ldap_sql.conf
4988
index c50d8dd..96a0ffa 100644
4989
--- a/keystone/tests/unit/config_files/backend_ldap_sql.conf
4990
+++ b/keystone/tests/unit/config_files/backend_ldap_sql.conf
4991
@@ -5,7 +5,7 @@
4992
5
#connection = mysql+pymysql://keystone:keystone@localhost/keystone?charset=utf8
5
#connection = mysql+pymysql://keystone:keystone@localhost/keystone?charset=utf8
4993
6
#To Test PostgreSQL:
6
#To Test PostgreSQL:
4994
7
#connection = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8
7
#connection = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8
4996
8
connection_recycle_time = 200
8
idle_timeout = 200
4997
9
9
4998
10
[ldap]
10
[ldap]
4999
11
url = fake://memory
11
url = fake://memory
5000
diff --git a/keystone/tests/unit/config_files/backend_multi_ldap_sql.conf b/keystone/tests/unit/config_files/backend_multi_ldap_sql.conf
Status:	Merged
Merged at revision:	1fde32da7e51eae8f6a38e5825ad803a3b89a314
Proposed branch:	~freyes/ubuntu/+source/keystone:upstream
Merge into:	~ubuntu-openstack-dev/ubuntu/+source/keystone:upstream
Diff against target:	6994 lines (+1097/-1613) 98 files modified .zuul.yaml (+13/-14) AUTHORS (+0/-12) ChangeLog (+7/-52) PKG-INFO (+63/-67) README.rst (+1/-1) api-ref/source/v3/authenticate-v3.inc (+1/-1) dev/null (+0/-6) devstack/plugin.sh (+0/-7) doc/source/admin/cli-manage-projects-users-and-roles.rst (+2/-2) doc/source/admin/domain-specific-config.inc (+0/-6) doc/source/admin/identity-concepts.rst (+9/-9) doc/source/admin/service-api-protection.rst (+43/-138) doc/source/admin/upgrading.rst (+1/-1) doc/source/conf.py (+1/-5) doc/source/configuration/policy.rst (+0/-9) doc/source/contributor/how-can-i-help.rst (+1/-1) doc/source/getting-started/community.rst (+3/-3) doc/source/getting-started/policy_mapping.rst (+1/-1) keystone.egg-info/PKG-INFO (+63/-67) keystone.egg-info/SOURCES.txt (+2/-16) keystone.egg-info/requires.txt (+3/-3) keystone/api/s3tokens.py (+1/-4) keystone/cmd/status.py (+0/-3) keystone/common/policies/application_credential.py (+16/-17) keystone/common/policies/consumer.py (+23/-24) keystone/common/policies/credential.py (+15/-15) keystone/common/policies/domain.py (+20/-20) keystone/common/policies/domain_config.py (+17/-17) keystone/common/policies/ec2_credential.py (+16/-17) keystone/common/policies/endpoint.py (+19/-19) keystone/common/policies/endpoint_group.py (+38/-37) keystone/common/policies/grant.py (+43/-44) keystone/common/policies/group.py (+40/-40) keystone/common/policies/identity_provider.py (+21/-22) keystone/common/policies/implied_role.py (+23/-23) keystone/common/policies/mapping.py (+22/-23) keystone/common/policies/policy.py (+19/-19) keystone/common/policies/policy_association.py (+37/-38) keystone/common/policies/project.py (+52/-52) keystone/common/policies/project_endpoint.py (+23/-23) keystone/common/policies/protocol.py (+24/-25) keystone/common/policies/region.py (+15/-16) keystone/common/policies/role.py (+43/-44) keystone/common/policies/role_assignment.py (+11/-12) keystone/common/policies/service.py (+23/-24) keystone/common/policies/service_provider.py (+23/-24) keystone/common/policies/token.py (+12/-12) keystone/common/policies/trust.py (+24/-24) keystone/common/policies/user.py (+20/-20) keystone/common/rbac_enforcer/enforcer.py (+0/-8) keystone/common/sql/core.py (+0/-10) keystone/common/utils.py (+2/-2) keystone/conf/__init__.py (+0/-7) keystone/conf/memcache.py (+1/-25) keystone/federation/idp.py (+2/-10) keystone/identity/mapping_backends/sql.py (+1/-1) keystone/identity/shadow_backends/sql.py (+1/-2) keystone/locale/en_GB/LC_MESSAGES/keystone.po (+2/-14) keystone/models/revoke_model.py (+1/-1) keystone/tests/unit/assignment/test_backends.py (+3/-3) keystone/tests/unit/catalog/test_backends.py (+18/-24) keystone/tests/unit/common/test_notifications.py (+1/-1) keystone/tests/unit/config_files/backend_ldap_sql.conf (+1/-1) keystone/tests/unit/config_files/backend_multi_ldap_sql.conf (+1/-1) keystone/tests/unit/config_files/backend_sql.conf (+1/-1) keystone/tests/unit/config_files/deprecated.conf (+8/-0) keystone/tests/unit/config_files/deprecated_override.conf (+15/-0) keystone/tests/unit/contrib/federation/test_utils.py (+3/-3) keystone/tests/unit/core.py (+11/-4) keystone/tests/unit/endpoint_policy/backends/test_base.py (+1/-1) keystone/tests/unit/identity/shadow_users/test_backend.py (+2/-2) keystone/tests/unit/identity/test_backends.py (+16/-20) keystone/tests/unit/ksfixtures/__init__.py (+0/-1) keystone/tests/unit/policy/backends/test_base.py (+1/-1) keystone/tests/unit/resource/test_backends.py (+19/-26) keystone/tests/unit/test_associate_project_endpoint_extension.py (+4/-4) keystone/tests/unit/test_backend_id_mapping_sql.py (+4/-24) keystone/tests/unit/test_backend_ldap.py (+23/-29) keystone/tests/unit/test_backend_sql.py (+2/-2) keystone/tests/unit/test_backend_templated.py (+2/-2) keystone/tests/unit/test_config.py (+35/-1) keystone/tests/unit/test_contrib_s3_core.py (+0/-82) keystone/tests/unit/test_hacking_checks.py (+1/-1) keystone/tests/unit/test_policy.py (+4/-6) keystone/tests/unit/test_sql_banned_operations.py (+1/-6) keystone/tests/unit/test_sql_upgrade.py (+2/-21) keystone/tests/unit/test_v3.py (+2/-2) keystone/tests/unit/test_v3_assignment.py (+1/-1) keystone/tests/unit/test_v3_federation.py (+6/-6) keystone/trust/backends/base.py (+1/-1) keystone/trust/backends/sql.py (+1/-5) keystone/trust/core.py (+9/-9) lower-constraints.txt (+3/-4) releasenotes/source/index.rst (+0/-3) releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po (+3/-124) requirements.txt (+3/-3) setup.cfg (+4/-4) tox.ini (+21/-25)
Related bugs:	Link a bug report
Reviewer	Review Type	Date Requested	Status
Corey Bryant		2022-03-02	Pending
Review via email: mp+416277@code.launchpad.net