Merge ~freyes/ubuntu/+source/keystone:upstream into ~ubuntu-openstack-dev/ubuntu/+source/keystone:upstream
Proposed by
Felipe Reyes
Status: | Merged |
---|---|
Merged at revision: | 1fde32da7e51eae8f6a38e5825ad803a3b89a314 |
Proposed branch: | ~freyes/ubuntu/+source/keystone:upstream |
Merge into: | ~ubuntu-openstack-dev/ubuntu/+source/keystone:upstream |
Diff against target: |
6994 lines (+1097/-1613) 98 files modified
.zuul.yaml (+13/-14) AUTHORS (+0/-12) ChangeLog (+7/-52) PKG-INFO (+63/-67) README.rst (+1/-1) api-ref/source/v3/authenticate-v3.inc (+1/-1) dev/null (+0/-6) devstack/plugin.sh (+0/-7) doc/source/admin/cli-manage-projects-users-and-roles.rst (+2/-2) doc/source/admin/domain-specific-config.inc (+0/-6) doc/source/admin/identity-concepts.rst (+9/-9) doc/source/admin/service-api-protection.rst (+43/-138) doc/source/admin/upgrading.rst (+1/-1) doc/source/conf.py (+1/-5) doc/source/configuration/policy.rst (+0/-9) doc/source/contributor/how-can-i-help.rst (+1/-1) doc/source/getting-started/community.rst (+3/-3) doc/source/getting-started/policy_mapping.rst (+1/-1) keystone.egg-info/PKG-INFO (+63/-67) keystone.egg-info/SOURCES.txt (+2/-16) keystone.egg-info/requires.txt (+3/-3) keystone/api/s3tokens.py (+1/-4) keystone/cmd/status.py (+0/-3) keystone/common/policies/application_credential.py (+16/-17) keystone/common/policies/consumer.py (+23/-24) keystone/common/policies/credential.py (+15/-15) keystone/common/policies/domain.py (+20/-20) keystone/common/policies/domain_config.py (+17/-17) keystone/common/policies/ec2_credential.py (+16/-17) keystone/common/policies/endpoint.py (+19/-19) keystone/common/policies/endpoint_group.py (+38/-37) keystone/common/policies/grant.py (+43/-44) keystone/common/policies/group.py (+40/-40) keystone/common/policies/identity_provider.py (+21/-22) keystone/common/policies/implied_role.py (+23/-23) keystone/common/policies/mapping.py (+22/-23) keystone/common/policies/policy.py (+19/-19) keystone/common/policies/policy_association.py (+37/-38) keystone/common/policies/project.py (+52/-52) keystone/common/policies/project_endpoint.py (+23/-23) keystone/common/policies/protocol.py (+24/-25) keystone/common/policies/region.py (+15/-16) keystone/common/policies/role.py (+43/-44) keystone/common/policies/role_assignment.py (+11/-12) keystone/common/policies/service.py (+23/-24) keystone/common/policies/service_provider.py (+23/-24) 
keystone/common/policies/token.py (+12/-12) keystone/common/policies/trust.py (+24/-24) keystone/common/policies/user.py (+20/-20) keystone/common/rbac_enforcer/enforcer.py (+0/-8) keystone/common/sql/core.py (+0/-10) keystone/common/utils.py (+2/-2) keystone/conf/__init__.py (+0/-7) keystone/conf/memcache.py (+1/-25) keystone/federation/idp.py (+2/-10) keystone/identity/mapping_backends/sql.py (+1/-1) keystone/identity/shadow_backends/sql.py (+1/-2) keystone/locale/en_GB/LC_MESSAGES/keystone.po (+2/-14) keystone/models/revoke_model.py (+1/-1) keystone/tests/unit/assignment/test_backends.py (+3/-3) keystone/tests/unit/catalog/test_backends.py (+18/-24) keystone/tests/unit/common/test_notifications.py (+1/-1) keystone/tests/unit/config_files/backend_ldap_sql.conf (+1/-1) keystone/tests/unit/config_files/backend_multi_ldap_sql.conf (+1/-1) keystone/tests/unit/config_files/backend_sql.conf (+1/-1) keystone/tests/unit/config_files/deprecated.conf (+8/-0) keystone/tests/unit/config_files/deprecated_override.conf (+15/-0) keystone/tests/unit/contrib/federation/test_utils.py (+3/-3) keystone/tests/unit/core.py (+11/-4) keystone/tests/unit/endpoint_policy/backends/test_base.py (+1/-1) keystone/tests/unit/identity/shadow_users/test_backend.py (+2/-2) keystone/tests/unit/identity/test_backends.py (+16/-20) keystone/tests/unit/ksfixtures/__init__.py (+0/-1) keystone/tests/unit/policy/backends/test_base.py (+1/-1) keystone/tests/unit/resource/test_backends.py (+19/-26) keystone/tests/unit/test_associate_project_endpoint_extension.py (+4/-4) keystone/tests/unit/test_backend_id_mapping_sql.py (+4/-24) keystone/tests/unit/test_backend_ldap.py (+23/-29) keystone/tests/unit/test_backend_sql.py (+2/-2) keystone/tests/unit/test_backend_templated.py (+2/-2) keystone/tests/unit/test_config.py (+35/-1) keystone/tests/unit/test_contrib_s3_core.py (+0/-82) keystone/tests/unit/test_hacking_checks.py (+1/-1) keystone/tests/unit/test_policy.py (+4/-6) 
keystone/tests/unit/test_sql_banned_operations.py (+1/-6) keystone/tests/unit/test_sql_upgrade.py (+2/-21) keystone/tests/unit/test_v3.py (+2/-2) keystone/tests/unit/test_v3_assignment.py (+1/-1) keystone/tests/unit/test_v3_federation.py (+6/-6) keystone/trust/backends/base.py (+1/-1) keystone/trust/backends/sql.py (+1/-5) keystone/trust/core.py (+9/-9) lower-constraints.txt (+3/-4) releasenotes/source/index.rst (+0/-3) releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po (+3/-124) requirements.txt (+3/-3) setup.cfg (+4/-4) tox.ini (+21/-25) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Corey Bryant | Pending | ||
Review via email: mp+416277@code.launchpad.net |
Commit message
Description of the change
1 | diff --git a/.zuul.yaml b/.zuul.yaml | |||
2 | index fc3eebb..daadbc7 100644 | |||
3 | --- a/.zuul.yaml | |||
4 | +++ b/.zuul.yaml | |||
5 | @@ -33,14 +33,6 @@ | |||
6 | 33 | USE_PYTHON3: True | 33 | USE_PYTHON3: True |
7 | 34 | 34 | ||
8 | 35 | - job: | 35 | - job: |
9 | 36 | name: keystone-dsvm-py3-functional-fips | ||
10 | 37 | parent: keystone-dsvm-py3-functional | ||
11 | 38 | nodeset: devstack-single-node-centos-8-stream | ||
12 | 39 | description: | | ||
13 | 40 | Functional testing for a FIPS enabled Centos 8 system | ||
14 | 41 | pre-run: playbooks/enable-fips.yaml | ||
15 | 42 | |||
16 | 43 | - job: | ||
17 | 44 | name: keystone-dsvm-functional-federation-opensuse15 | 36 | name: keystone-dsvm-functional-federation-opensuse15 |
18 | 45 | parent: keystone-dsvm-functional | 37 | parent: keystone-dsvm-functional |
19 | 46 | nodeset: devstack-single-node-opensuse-15 | 38 | nodeset: devstack-single-node-opensuse-15 |
20 | @@ -110,6 +102,15 @@ | |||
21 | 110 | osa_test_repo: openstack/openstack-ansible-os_keystone | 102 | osa_test_repo: openstack/openstack-ansible-os_keystone |
22 | 111 | 103 | ||
23 | 112 | - job: | 104 | - job: |
24 | 105 | name: keystone-tox-protection | ||
25 | 106 | parent: openstack-tox-py37 | ||
26 | 107 | timeout: 3600 | ||
27 | 108 | vars: | ||
28 | 109 | tox_envlist: protection | ||
29 | 110 | bindep_profile: test py37 | ||
30 | 111 | python_version: 3.7 | ||
31 | 112 | |||
32 | 113 | - job: | ||
33 | 113 | name: keystone-dsvm-ldap-domain-specific-driver | 114 | name: keystone-dsvm-ldap-domain-specific-driver |
34 | 114 | parent: devstack-tempest | 115 | parent: devstack-tempest |
35 | 115 | vars: | 116 | vars: |
36 | @@ -209,7 +210,6 @@ | |||
37 | 209 | - check-requirements | 210 | - check-requirements |
38 | 210 | - integrated-gate-py3 | 211 | - integrated-gate-py3 |
39 | 211 | - release-notes-jobs-python3 | 212 | - release-notes-jobs-python3 |
40 | 212 | - openstack-python3-wallaby-jobs-arm64 | ||
41 | 213 | check: | 213 | check: |
42 | 214 | jobs: | 214 | jobs: |
43 | 215 | - keystone-dsvm-py3-functional: | 215 | - keystone-dsvm-py3-functional: |
44 | @@ -220,9 +220,6 @@ | |||
45 | 220 | - ^etc/.*$ | 220 | - ^etc/.*$ |
46 | 221 | - ^keystone/tests/unit/.*$ | 221 | - ^keystone/tests/unit/.*$ |
47 | 222 | - ^releasenotes/.*$ | 222 | - ^releasenotes/.*$ |
48 | 223 | - keystone-dsvm-py3-functional-fips: | ||
49 | 224 | voting: false | ||
50 | 225 | irrelevant-files: *irrelevant-files | ||
51 | 226 | - keystone-dsvm-py3-functional-federation-ubuntu-focal: | 223 | - keystone-dsvm-py3-functional-federation-ubuntu-focal: |
52 | 227 | voting: false | 224 | voting: false |
53 | 228 | irrelevant-files: *irrelevant-files | 225 | irrelevant-files: *irrelevant-files |
54 | @@ -248,7 +245,7 @@ | |||
55 | 248 | irrelevant-files: *tempest-irrelevant-files | 245 | irrelevant-files: *tempest-irrelevant-files |
56 | 249 | - tempest-ipv6-only: | 246 | - tempest-ipv6-only: |
57 | 250 | irrelevant-files: *tempest-irrelevant-files | 247 | irrelevant-files: *tempest-irrelevant-files |
59 | 251 | - keystone-protection-functional | 248 | - keystone-tox-protection |
60 | 252 | gate: | 249 | gate: |
61 | 253 | jobs: | 250 | jobs: |
62 | 254 | - keystone-dsvm-py3-functional: | 251 | - keystone-dsvm-py3-functional: |
63 | @@ -261,7 +258,7 @@ | |||
64 | 261 | irrelevant-files: *tempest-irrelevant-files | 258 | irrelevant-files: *tempest-irrelevant-files |
65 | 262 | - tempest-ipv6-only: | 259 | - tempest-ipv6-only: |
66 | 263 | irrelevant-files: *tempest-irrelevant-files | 260 | irrelevant-files: *tempest-irrelevant-files |
68 | 264 | - keystone-protection-functional | 261 | - keystone-tox-protection |
69 | 265 | experimental: | 262 | experimental: |
70 | 266 | jobs: | 263 | jobs: |
71 | 267 | - keystone-tox-patch_cover | 264 | - keystone-tox-patch_cover |
72 | @@ -271,6 +268,8 @@ | |||
73 | 271 | irrelevant-files: *irrelevant-files | 268 | irrelevant-files: *irrelevant-files |
74 | 272 | - tempest-pg-full: | 269 | - tempest-pg-full: |
75 | 273 | irrelevant-files: *tempest-irrelevant-files | 270 | irrelevant-files: *tempest-irrelevant-files |
76 | 271 | - tempest-full-py3-opensuse15: | ||
77 | 272 | irrelevant-files: *tempest-irrelevant-files | ||
78 | 274 | - keystone-dsvm-functional-federation-centos7: | 273 | - keystone-dsvm-functional-federation-centos7: |
79 | 275 | irrelevant-files: *irrelevant-files | 274 | irrelevant-files: *irrelevant-files |
80 | 276 | - keystone-dsvm-functional-federation-ubuntu-xenial: | 275 | - keystone-dsvm-functional-federation-ubuntu-xenial: |
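Review bot: The new side of these `.zuul.yaml` hunks drops the FIPS functional job and the `openstack-python3-wallaby-jobs-arm64` template and switches check/gate back to `keystone-tox-protection` on python 3.7, which together with PKG-INFO going from 20.1.0.dev27 to 18.1.0 shows this proposal rewinds the upstream branch to an older release rather than advancing it. That is plausibly intended for a stable-series import (the new ChangeLog entries reference stable/victoria), but the description of the change is empty, so nothing on the page states which tarball is being imported or why the branch moves backwards. Please record the source release and target series in the description, for example `Import upstream 18.1.0 (stable/victoria) for <series>` with the series filled in. Because `.zuul.yaml` is upstream CI configuration, the job differences themselves do not affect the Ubuntu package build and need no further change here.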
81 | diff --git a/AUTHORS b/AUTHORS | |||
82 | index e0e5154..558a789 100644 | |||
83 | --- a/AUTHORS | |||
84 | +++ b/AUTHORS | |||
85 | @@ -1,7 +1,6 @@ | |||
86 | 1 | Adam Gandelman <adam.gandelman@canonical.com> | 1 | Adam Gandelman <adam.gandelman@canonical.com> |
87 | 2 | Adam Young <ayoung@f17httpd.ayoung530> | 2 | Adam Young <ayoung@f17httpd.ayoung530> |
88 | 3 | Adam Young <ayoung@redhat.com> | 3 | Adam Young <ayoung@redhat.com> |
89 | 4 | Ade Lee <alee@redhat.com> | ||
90 | 5 | Adipudi Praveena <padipudi@padipudi.(none)> | 4 | Adipudi Praveena <padipudi@padipudi.(none)> |
91 | 6 | Adrian Turjak <adriant@catalyst.net.nz> | 5 | Adrian Turjak <adriant@catalyst.net.nz> |
92 | 7 | Ajaya Agrawal <ajku.agr@gmail.com> | 6 | Ajaya Agrawal <ajku.agr@gmail.com> |
93 | @@ -177,7 +176,6 @@ Ghe Rivero <ghe@debian.org> | |||
94 | 177 | Gordon Chung <chungg@ca.ibm.com> | 176 | Gordon Chung <chungg@ca.ibm.com> |
95 | 178 | Graham Hayes <graham.hayes@hpe.com> | 177 | Graham Hayes <graham.hayes@hpe.com> |
96 | 179 | Grzegorz Grasza <grzegorz.grasza@intel.com> | 178 | Grzegorz Grasza <grzegorz.grasza@intel.com> |
97 | 180 | Grzegorz Grasza <xek@redhat.com> | ||
98 | 181 | Guang Yee <guang.yee@hpe.com> | 179 | Guang Yee <guang.yee@hpe.com> |
99 | 182 | Guang Yee <guang.yee@suse.com> | 180 | Guang Yee <guang.yee@suse.com> |
100 | 183 | Guo Shan <guoshan@awcloud.com> | 181 | Guo Shan <guoshan@awcloud.com> |
101 | @@ -199,7 +197,6 @@ Hervé Beraud <hberaud@redhat.com> | |||
102 | 199 | Hidekazu Nakamura <hid-nakamura@vf.jp.nec.com> | 197 | Hidekazu Nakamura <hid-nakamura@vf.jp.nec.com> |
103 | 200 | Hieu LE <hieulq@vn.fujitsu.com> | 198 | Hieu LE <hieulq@vn.fujitsu.com> |
104 | 201 | Hirofumi Ichihara <ichihara.hirofumi@lab.ntt.co.jp> | 199 | Hirofumi Ichihara <ichihara.hirofumi@lab.ntt.co.jp> |
105 | 202 | Hironori Shiina <shiina.hironori@jp.fujitsu.com> | ||
106 | 203 | Hongbin Lu <hongbin034@gmail.com> | 200 | Hongbin Lu <hongbin034@gmail.com> |
107 | 204 | Hugh Saunders <hugh@wherenow.org> | 201 | Hugh Saunders <hugh@wherenow.org> |
108 | 205 | Hugo Nicodemos <hugonicodemos@gmail.com> | 202 | Hugo Nicodemos <hugonicodemos@gmail.com> |
109 | @@ -348,7 +345,6 @@ Matthew Thode <mthode@mthode.org> | |||
110 | 348 | Matthew Treinish <mtreinish@kortar.org> | 345 | Matthew Treinish <mtreinish@kortar.org> |
111 | 349 | Matthew Treinish <treinish@linux.vnet.ibm.com> | 346 | Matthew Treinish <treinish@linux.vnet.ibm.com> |
112 | 350 | Matthieu Huin <mhu@enovance.com> | 347 | Matthieu Huin <mhu@enovance.com> |
113 | 351 | Maurice Escher <maurice.escher@sap.com> | ||
114 | 352 | Michael Basnight <mbasnight@gmail.com> | 348 | Michael Basnight <mbasnight@gmail.com> |
115 | 353 | Michael J Fork <mjfork@us.ibm.com> | 349 | Michael J Fork <mjfork@us.ibm.com> |
116 | 354 | Michael Krotscheck <krotscheck@gmail.com> | 350 | Michael Krotscheck <krotscheck@gmail.com> |
117 | @@ -422,7 +418,6 @@ Robert Collins <rbtcollins@hp.com> | |||
118 | 422 | Robert Collins <robertc@robertcollins.net> | 418 | Robert Collins <robertc@robertcollins.net> |
119 | 423 | Robert H. Hyerle <hyerle@hp.com> | 419 | Robert H. Hyerle <hyerle@hp.com> |
120 | 424 | Robin Norwood <robin.norwood@gmail.com> | 420 | Robin Norwood <robin.norwood@gmail.com> |
121 | 425 | Rodolfo Alonso Hernandez <ralonsoh@redhat.com> | ||
122 | 426 | Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com> | 421 | Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com> |
123 | 427 | Rodrigo Duarte <rduartes@redhat.com> | 422 | Rodrigo Duarte <rduartes@redhat.com> |
124 | 428 | Rodrigo Duarte Sousa <rduartes@redhat.com> | 423 | Rodrigo Duarte Sousa <rduartes@redhat.com> |
125 | @@ -484,12 +479,10 @@ Sreyansh Jain <taishiroy2904@gmail.com> | |||
126 | 484 | Stanisław Pitucha <stanislaw.pitucha@hp.com> | 479 | Stanisław Pitucha <stanislaw.pitucha@hp.com> |
127 | 485 | Stef T <stelford@internap.com> | 480 | Stef T <stelford@internap.com> |
128 | 486 | Stephen Finucane <sfinucan@redhat.com> | 481 | Stephen Finucane <sfinucan@redhat.com> |
129 | 487 | Stephen Finucane <stephenfin@redhat.com> | ||
130 | 488 | Steve Baker <sbaker@redhat.com> | 482 | Steve Baker <sbaker@redhat.com> |
131 | 489 | Steve Martinelli <s.martinelli@gmail.com> | 483 | Steve Martinelli <s.martinelli@gmail.com> |
132 | 490 | Steve Martinelli <stevemar@ca.ibm.com> | 484 | Steve Martinelli <stevemar@ca.ibm.com> |
133 | 491 | Steven Hardy <shardy@redhat.com> | 485 | Steven Hardy <shardy@redhat.com> |
134 | 492 | Stuart Grace <stuart.grace@bbc.co.uk> | ||
135 | 493 | Stuart McLaren <stuart.mclaren@hp.com> | 486 | Stuart McLaren <stuart.mclaren@hp.com> |
136 | 494 | Suramya Shah <shah.suramya@gmail.com> | 487 | Suramya Shah <shah.suramya@gmail.com> |
137 | 495 | Sushil Kumar <sushil.kumar2@globallogic.com> | 488 | Sushil Kumar <sushil.kumar2@globallogic.com> |
138 | @@ -499,7 +492,6 @@ Sylvain Afchain <sylvain.afchain@enovance.com> | |||
139 | 499 | THOMAS J. COCOZZELLO <tjcocozz@us.ibm.com> | 492 | THOMAS J. COCOZZELLO <tjcocozz@us.ibm.com> |
140 | 500 | Tahmina Ahmed <tahmina.csebuet@gmail.com> | 493 | Tahmina Ahmed <tahmina.csebuet@gmail.com> |
141 | 501 | Taishi Roy <taishiroy2904@gmail.com> | 494 | Taishi Roy <taishiroy2904@gmail.com> |
142 | 502 | Takashi Kajinami <tkajinam@redhat.com> | ||
143 | 503 | Takashi NATSUME <natsume.takashi@lab.ntt.co.jp> | 495 | Takashi NATSUME <natsume.takashi@lab.ntt.co.jp> |
144 | 504 | Telles Nobrega <tellesmvn@lsd.ufcg.edu.br> | 496 | Telles Nobrega <tellesmvn@lsd.ufcg.edu.br> |
145 | 505 | Theodore Ilie <theodorex.ilie@intel.com> | 497 | Theodore Ilie <theodorex.ilie@intel.com> |
146 | @@ -564,7 +556,6 @@ Yong Sheng Gong <gongysh@cn.ibm.com> | |||
147 | 564 | Yong Sheng Gong <gongysh@unitedstack.com> | 556 | Yong Sheng Gong <gongysh@unitedstack.com> |
148 | 565 | You Ji <jiyou09@gmail.com> | 557 | You Ji <jiyou09@gmail.com> |
149 | 566 | You Yamagata <bi.yamagata@gmail.com> | 558 | You Yamagata <bi.yamagata@gmail.com> |
150 | 567 | YuehuiLei <leiyuehui-s@inspur.com> | ||
151 | 568 | Yuiko Takada <takada-yuiko@mxn.nes.nec.co.jp> | 559 | Yuiko Takada <takada-yuiko@mxn.nes.nec.co.jp> |
152 | 569 | Yun Mao <yunmao@gmail.com> | 560 | Yun Mao <yunmao@gmail.com> |
153 | 570 | Yuriy Taraday <yorik.sar@gmail.com> | 561 | Yuriy Taraday <yorik.sar@gmail.com> |
154 | @@ -672,7 +663,6 @@ prashkre <prashkre@in.ibm.com> | |||
155 | 672 | qinglin.cheng <qinglin.cheng@easystack.cn> | 663 | qinglin.cheng <qinglin.cheng@easystack.cn> |
156 | 673 | r-sekine <r-sekine@intellilink.co.jp> | 664 | r-sekine <r-sekine@intellilink.co.jp> |
157 | 674 | rajat29 <rajat.sharma@nectechnologies.in> | 665 | rajat29 <rajat.sharma@nectechnologies.in> |
158 | 675 | ricolin <rico.lin.guanyu@gmail.com> | ||
159 | 676 | rocky <haigang.xu@easystack.cn> | 666 | rocky <haigang.xu@easystack.cn> |
160 | 677 | root <root@newapps.(none)> | 667 | root <root@newapps.(none)> |
161 | 678 | rpedde <ron@pedde.com> | 668 | rpedde <ron@pedde.com> |
162 | @@ -699,7 +689,6 @@ wanghui <wang_hui@inspur.com> | |||
163 | 699 | wanglong <wl3617@qq.com> | 689 | wanglong <wl3617@qq.com> |
164 | 700 | wangqiangbj <wangqiangbj@inspur.com> | 690 | wangqiangbj <wangqiangbj@inspur.com> |
165 | 701 | wangxiyuan <wangxiyuan@huawei.com> | 691 | wangxiyuan <wangxiyuan@huawei.com> |
166 | 702 | wangzihao <wangzihao@yovole.com> | ||
167 | 703 | werner mendizabal <nonameentername@gmail.com> | 692 | werner mendizabal <nonameentername@gmail.com> |
168 | 704 | whoami-rajat <rajatdhasmana@gmail.com> | 693 | whoami-rajat <rajatdhasmana@gmail.com> |
169 | 705 | wingwj <wingwj@gmail.com> | 694 | wingwj <wingwj@gmail.com> |
170 | @@ -710,7 +699,6 @@ xingzhou <xingzhou@cn.ibm.com> | |||
171 | 710 | xuhaigang <haigang.xu@easystack.cn> | 699 | xuhaigang <haigang.xu@easystack.cn> |
172 | 711 | xurong00037997 <xu.rong@zte.com.cn> | 700 | xurong00037997 <xu.rong@zte.com.cn> |
173 | 712 | yanghuichan <yanghc@fiberhome.com> | 701 | yanghuichan <yanghc@fiberhome.com> |
174 | 713 | yangshaoxue <yang.shaoxue@99cloud.net> | ||
175 | 714 | yangweiwei <yangweiwei@cmss.chinamobile.com> | 702 | yangweiwei <yangweiwei@cmss.chinamobile.com> |
176 | 715 | yangyapeng <yang.yapeng@99cloud.net> | 703 | yangyapeng <yang.yapeng@99cloud.net> |
177 | 716 | yaroslavmt <yaroslavmt@gmail.com> | 704 | yaroslavmt <yaroslavmt@gmail.com> |
178 | diff --git a/ChangeLog b/ChangeLog | |||
179 | index d5d2a11..2f980e8 100644 | |||
180 | --- a/ChangeLog | |||
181 | +++ b/ChangeLog | |||
182 | @@ -1,64 +1,21 @@ | |||
183 | 1 | CHANGES | 1 | CHANGES |
184 | 2 | ======= | 2 | ======= |
185 | 3 | 3 | ||
202 | 4 | * Add 'WarningsFixture' | 4 | 18.1.0 |
187 | 5 | * Add support for pysaml2 >= 7.1.0 | ||
188 | 6 | * tox: Random fixups | ||
189 | 7 | * Deprecate ineffective [memcache] options | ||
190 | 8 | * Fix response code of 'Revoke Token' in api-ref | ||
191 | 9 | * Accept STS and IAM services from Ceph Obj Gateway | ||
192 | 10 | * Fix oslo policy warning assert in unit tests | ||
193 | 11 | * Temporary exclude the common.sql.core.py from sphinx-apidoc target | ||
194 | 12 | * Remove broken tempest-full-py3-opensuse15 job | ||
195 | 13 | * Fix typos in application credential policies | ||
196 | 14 | * Fix typo in identity provider policies | ||
197 | 15 | * Update master for stable/xena | ||
198 | 16 | * Improve performance on trust deletion | ||
199 | 17 | * Replace deprecated assertDictContainsSubset | ||
200 | 18 | |||
201 | 19 | 20.0.0 | ||
203 | 20 | ------ | 5 | ------ |
204 | 21 | 6 | ||
205 | 7 | * Fix typos in application credential policies | ||
206 | 22 | * Fix typos in ec2 credential policies | 8 | * Fix typos in ec2 credential policies |
218 | 23 | * Fix oslo policy DeprecatedRule warnings | 9 | * Fix typo in identity provider policies |
208 | 24 | * Update local\_id limit to 255 characters | ||
209 | 25 | * Add FIPS check job | ||
210 | 26 | * Replace deprecated import of ABCs from collections | ||
211 | 27 | * Moving IRC network reference to OFTC | ||
212 | 28 | * Update master for stable/wallaby | ||
213 | 29 | * Remove use of deprecated oslo.db options | ||
214 | 30 | * docs: Fix failing build | ||
215 | 31 | * Make DB queries compatible with SQLAlchemy 1.4.x | ||
216 | 32 | * fix get\_security\_compliance\_domain\_config policy rule typo | ||
217 | 33 | * setup.cfg: Replace dashes with underscores | ||
219 | 34 | * Hide AccountLocked exception from end users | 10 | * Hide AccountLocked exception from end users |
220 | 35 | * Retry update\_user when sqlalchemy raises StaleDataErrors | 11 | * Retry update\_user when sqlalchemy raises StaleDataErrors |
221 | 36 | * Imported Translations from Zanata | ||
222 | 37 | |||
223 | 38 | 19.0.0.0rc1 | ||
224 | 39 | ----------- | ||
225 | 40 | |||
226 | 41 | * Add job for keystone functional protection tests | ||
227 | 42 | * trivial: Update minor wording nit in RBAC persona documentation | ||
228 | 43 | * Clarify top-level personas in RBAC documentation | ||
229 | 44 | * Clarify \`\`reader\`\` role implementation in persona admin guide | ||
230 | 45 | * [goal] Deprecate the JSON formatted policy file | ||
231 | 46 | * Ignore oslo.db deprecating sqlalchemy-migrate warning | ||
232 | 47 | * Add openstack-python3-wallaby-jobs-arm64 job | ||
233 | 48 | * Support bytes type in generate\_public\_ID() | 12 | * Support bytes type in generate\_public\_ID() |
234 | 49 | * Imported Translations from Zanata | ||
235 | 50 | * Drop lower-constraints job | ||
236 | 51 | * fix E741 ambiguous variable name | ||
237 | 52 | * fix E225 missing whitespace around operator | ||
238 | 53 | * Use app cred user ID in policy enforcement | 13 | * Use app cred user ID in policy enforcement |
241 | 54 | * Generalize release note for bug 1878938 | 14 | * Update TOX\_CONSTRAINTS\_FILE for stable/victoria |
242 | 55 | * Use enforce\_new\_defaults when setting up keystone protection tests | 15 | * Drop lower-constraints job |
243 | 16 | * Delete system role assignments from system\_assignment table | ||
244 | 56 | * Implement more robust connection handling for asynchronous LDAP calls | 17 | * Implement more robust connection handling for asynchronous LDAP calls |
250 | 57 | * Imported Translations from Zanata | 18 | * Update .gitreview for stable/victoria |
246 | 58 | * Update master for stable/victoria | ||
247 | 59 | * Add vine to lower-constraints | ||
248 | 60 | * Simplify default config test | ||
249 | 61 | * Replace assertItemsEqual with assertCountEqual | ||
251 | 62 | 19 | ||
252 | 63 | 18.0.0 | 20 | 18.0.0 |
253 | 64 | ------ | 21 | ------ |
254 | @@ -75,9 +32,7 @@ CHANGES | |||
255 | 75 | * Spelling Fix | 32 | * Spelling Fix |
256 | 76 | * NIT: Spelling Fix | 33 | * NIT: Spelling Fix |
257 | 77 | * Properly handle octet (byte) strings when converting LDAP responses | 34 | * Properly handle octet (byte) strings when converting LDAP responses |
258 | 78 | * Add support for functional RBAC tests | ||
259 | 79 | * Fix invalid assertTrue which should be assertEqual | 35 | * Fix invalid assertTrue which should be assertEqual |
260 | 80 | * Delete system role assignments from system\_assignment table | ||
261 | 81 | * Fix api-ref for list endpoints | 36 | * Fix api-ref for list endpoints |
262 | 82 | * Fix lower-constraint for PyMySQL | 37 | * Fix lower-constraint for PyMySQL |
263 | 83 | * Fix doc for package mod\_wsgi on Centos8/RHEL8 | 38 | * Fix doc for package mod\_wsgi on Centos8/RHEL8 |
264 | diff --git a/PKG-INFO b/PKG-INFO | |||
265 | index 3b63a18..c4bc751 100644 | |||
266 | --- a/PKG-INFO | |||
267 | +++ b/PKG-INFO | |||
268 | @@ -1,11 +1,73 @@ | |||
269 | 1 | Metadata-Version: 2.1 | 1 | Metadata-Version: 2.1 |
270 | 2 | Name: keystone | 2 | Name: keystone |
272 | 3 | Version: 20.1.0.dev27 | 3 | Version: 18.1.0 |
273 | 4 | Summary: OpenStack Identity | 4 | Summary: OpenStack Identity |
274 | 5 | Home-page: https://docs.openstack.org/keystone/latest | 5 | Home-page: https://docs.openstack.org/keystone/latest |
275 | 6 | Author: OpenStack | 6 | Author: OpenStack |
276 | 7 | Author-email: openstack-discuss@lists.openstack.org | 7 | Author-email: openstack-discuss@lists.openstack.org |
277 | 8 | License: UNKNOWN | 8 | License: UNKNOWN |
278 | 9 | Description: ================== | ||
279 | 10 | OpenStack Keystone | ||
280 | 11 | ================== | ||
281 | 12 | |||
282 | 13 | .. image:: https://governance.openstack.org/tc/badges/keystone.svg | ||
283 | 14 | :target: https://governance.openstack.org/tc/reference/tags/index.html | ||
284 | 15 | |||
285 | 16 | .. Change things from this point on | ||
286 | 17 | |||
287 | 18 | OpenStack Keystone provides authentication, authorization and service discovery | ||
288 | 19 | mechanisms via HTTP primarily for use by projects in the OpenStack family. It | ||
289 | 20 | is most commonly deployed as an HTTP interface to existing identity systems, | ||
290 | 21 | such as LDAP. | ||
291 | 22 | |||
292 | 23 | Developer documentation, the source of which is in ``doc/source/``, is | ||
293 | 24 | published at: | ||
294 | 25 | |||
295 | 26 | https://docs.openstack.org/keystone/latest | ||
296 | 27 | |||
297 | 28 | The API reference and documentation are available at: | ||
298 | 29 | |||
299 | 30 | https://docs.openstack.org/api-ref/identity | ||
300 | 31 | |||
301 | 32 | The canonical client library is available at: | ||
302 | 33 | |||
303 | 34 | https://opendev.org/openstack/python-keystoneclient | ||
304 | 35 | |||
305 | 36 | Documentation for cloud administrators is available at: | ||
306 | 37 | |||
307 | 38 | https://docs.openstack.org/ | ||
308 | 39 | |||
309 | 40 | The source of documentation for cloud administrators is available at: | ||
310 | 41 | |||
311 | 42 | https://opendev.org/openstack/openstack-manuals | ||
312 | 43 | |||
313 | 44 | Information about our team meeting is available at: | ||
314 | 45 | |||
315 | 46 | https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting | ||
316 | 47 | |||
317 | 48 | Release notes is available at: | ||
318 | 49 | |||
319 | 50 | https://docs.openstack.org/releasenotes/keystone | ||
320 | 51 | |||
321 | 52 | Bugs and feature requests are tracked on Launchpad at: | ||
322 | 53 | |||
323 | 54 | https://bugs.launchpad.net/keystone | ||
324 | 55 | |||
325 | 56 | Future design work is tracked at: | ||
326 | 57 | |||
327 | 58 | https://specs.openstack.org/openstack/keystone-specs | ||
328 | 59 | |||
329 | 60 | Contributors are encouraged to join IRC (``#openstack-keystone`` on freenode): | ||
330 | 61 | |||
331 | 62 | https://wiki.openstack.org/wiki/IRC | ||
332 | 63 | |||
333 | 64 | Source for the project: | ||
334 | 65 | |||
335 | 66 | https://opendev.org/openstack/keystone | ||
336 | 67 | |||
337 | 68 | For information on contributing to Keystone, see ``CONTRIBUTING.rst``. | ||
338 | 69 | |||
339 | 70 | |||
340 | 9 | Platform: UNKNOWN | 71 | Platform: UNKNOWN |
341 | 10 | Classifier: Environment :: OpenStack | 72 | Classifier: Environment :: OpenStack |
342 | 11 | Classifier: Intended Audience :: Information Technology | 73 | Classifier: Intended Audience :: Information Technology |
343 | @@ -24,69 +86,3 @@ Provides-Extra: ldap | |||
344 | 24 | Provides-Extra: memcache | 86 | Provides-Extra: memcache |
345 | 25 | Provides-Extra: mongodb | 87 | Provides-Extra: mongodb |
346 | 26 | Provides-Extra: test | 88 | Provides-Extra: test |
347 | 27 | License-File: LICENSE | ||
348 | 28 | License-File: AUTHORS | ||
349 | 29 | |||
350 | 30 | ================== | ||
351 | 31 | OpenStack Keystone | ||
352 | 32 | ================== | ||
353 | 33 | |||
354 | 34 | .. image:: https://governance.openstack.org/tc/badges/keystone.svg | ||
355 | 35 | :target: https://governance.openstack.org/tc/reference/tags/index.html | ||
356 | 36 | |||
357 | 37 | .. Change things from this point on | ||
358 | 38 | |||
359 | 39 | OpenStack Keystone provides authentication, authorization and service discovery | ||
360 | 40 | mechanisms via HTTP primarily for use by projects in the OpenStack family. It | ||
361 | 41 | is most commonly deployed as an HTTP interface to existing identity systems, | ||
362 | 42 | such as LDAP. | ||
363 | 43 | |||
364 | 44 | Developer documentation, the source of which is in ``doc/source/``, is | ||
365 | 45 | published at: | ||
366 | 46 | |||
367 | 47 | https://docs.openstack.org/keystone/latest | ||
368 | 48 | |||
369 | 49 | The API reference and documentation are available at: | ||
370 | 50 | |||
371 | 51 | https://docs.openstack.org/api-ref/identity | ||
372 | 52 | |||
373 | 53 | The canonical client library is available at: | ||
374 | 54 | |||
375 | 55 | https://opendev.org/openstack/python-keystoneclient | ||
376 | 56 | |||
377 | 57 | Documentation for cloud administrators is available at: | ||
378 | 58 | |||
379 | 59 | https://docs.openstack.org/ | ||
380 | 60 | |||
381 | 61 | The source of documentation for cloud administrators is available at: | ||
382 | 62 | |||
383 | 63 | https://opendev.org/openstack/openstack-manuals | ||
384 | 64 | |||
385 | 65 | Information about our team meeting is available at: | ||
386 | 66 | |||
387 | 67 | https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting | ||
388 | 68 | |||
389 | 69 | Release notes is available at: | ||
390 | 70 | |||
391 | 71 | https://docs.openstack.org/releasenotes/keystone | ||
392 | 72 | |||
393 | 73 | Bugs and feature requests are tracked on Launchpad at: | ||
394 | 74 | |||
395 | 75 | https://bugs.launchpad.net/keystone | ||
396 | 76 | |||
397 | 77 | Future design work is tracked at: | ||
398 | 78 | |||
399 | 79 | https://specs.openstack.org/openstack/keystone-specs | ||
400 | 80 | |||
401 | 81 | Contributors are encouraged to join IRC (``#openstack-keystone`` on OFTC): | ||
402 | 82 | |||
403 | 83 | https://wiki.openstack.org/wiki/IRC | ||
404 | 84 | |||
405 | 85 | Source for the project: | ||
406 | 86 | |||
407 | 87 | https://opendev.org/openstack/keystone | ||
408 | 88 | |||
409 | 89 | For information on contributing to Keystone, see ``CONTRIBUTING.rst``. | ||
410 | 90 | |||
411 | 91 | |||
412 | 92 | |||
413 | diff --git a/README.rst b/README.rst | |||
414 | index 520a71e..2a19ff5 100644 | |||
415 | --- a/README.rst | |||
416 | +++ b/README.rst | |||
417 | @@ -49,7 +49,7 @@ Future design work is tracked at: | |||
418 | 49 | 49 | ||
419 | 50 | https://specs.openstack.org/openstack/keystone-specs | 50 | https://specs.openstack.org/openstack/keystone-specs |
420 | 51 | 51 | ||
422 | 52 | Contributors are encouraged to join IRC (``#openstack-keystone`` on OFTC): | 52 | Contributors are encouraged to join IRC (``#openstack-keystone`` on freenode): |
423 | 53 | 53 | ||
424 | 54 | https://wiki.openstack.org/wiki/IRC | 54 | https://wiki.openstack.org/wiki/IRC |
425 | 55 | 55 | ||
426 | diff --git a/api-ref/source/v3/authenticate-v3.inc b/api-ref/source/v3/authenticate-v3.inc | |||
427 | index d69972a..11f19cb 100644 | |||
428 | --- a/api-ref/source/v3/authenticate-v3.inc | |||
429 | +++ b/api-ref/source/v3/authenticate-v3.inc | |||
430 | @@ -965,7 +965,7 @@ Status Codes | |||
431 | 965 | 965 | ||
432 | 966 | .. rest_status_code:: success status.yaml | 966 | .. rest_status_code:: success status.yaml |
433 | 967 | 967 | ||
435 | 968 | - 204 | 968 | - 201 |
436 | 969 | 969 | ||
437 | 970 | .. rest_status_code:: error status.yaml | 970 | .. rest_status_code:: error status.yaml |
438 | 971 | 971 | ||
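--- a/devstack/lib/scope.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-# Copyright 2019 SUSE LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-function configure_enforce_scope {
-iniset $KEYSTONE_CONF oslo_policy enforce_scope true
-iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
-iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
-sudo systemctl restart devstack@keystone
-}
-
-function configure_protection_tests {
-iniset $TEMPEST_CONFIG identity-feature-enabled enforce_scope true
-iniset $TEMPEST_CONFIG auth admin_system true
-iniset $TEMPEST_CONFIG auth admin_project_name ''
-}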
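--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -15,7 +15,6 @@
 
 KEYSTONE_PLUGIN=$DEST/keystone/devstack
 source $KEYSTONE_PLUGIN/lib/federation.sh
-source $KEYSTONE_PLUGIN/lib/scope.sh
 
 # For more information on Devstack plugins, including a more detailed
 # explanation on when the different steps are executed please see:
@@ -48,12 +47,6 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
 if is_service_enabled keystone-saml2-federation; then
 configure_tests_settings
 fi
-if [[ "$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)" == "True" ]] ; then
-# devstack and tempest assume enforce_scope is false, so need to wait
-# until the final phase to turn it on
-configure_enforce_scope
-configure_protection_tests
-fi
 fi
 
 if [[ "$1" == "unstack" ]]; then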
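--- a/doc/source/admin/cli-manage-projects-users-and-roles.rst
+++ b/doc/source/admin/cli-manage-projects-users-and-roles.rst
@@ -10,8 +10,8 @@ define which actions users can perform. You assign roles to
 user-project pairs.
 
 You can define actions for OpenStack service roles in the
-``/etc/PROJECT/policy.yaml`` files. For example, define actions for
-Compute service roles in the ``/etc/nova/policy.yaml`` file.
+``/etc/PROJECT/policy.json`` files. For example, define actions for
+Compute service roles in the ``/etc/nova/policy.json`` file.
 
 You can manage projects, users, and roles independently from each other.
 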
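--- a/doc/source/admin/domain-specific-config.inc
+++ b/doc/source/admin/domain-specific-config.inc
@@ -146,12 +146,6 @@ then the same public ID will be created. This is useful if you are running
 multiple keystones and want to ensure the same ID would be generated whichever
 server you hit.
 
-.. NOTE::
-
-In case of the LDAP backend, the names of users and groups are not hashed.
-As a result, these are length limited to 255 characters. Longer names
-will result in an error.
-
 While keystone will dynamically maintain the identity mapping, including
 removing entries when entities are deleted via the keystone, for those entities
 in backends that are managed outside of keystone (e.g. a read-only LDAP),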
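--- a/doc/source/admin/identity-concepts.rst
+++ b/doc/source/admin/identity-concepts.rst
@@ -122,9 +122,9 @@ Identity user management examples:
 Individual services assign meaning to roles, typically through
 limiting or granting access to users with the role to the
 operations that the service supports. Role access is typically
-configured in the service's ``policy.yaml`` file. For example,
+configured in the service's ``policy.json`` file. For example,
 to limit Compute access to the ``compute-user`` role, edit the
-Compute service's ``policy.yaml`` file to require this role for
+Compute service's ``policy.json`` file to require this role for
 Compute operations.
 
 The Identity service assigns a project and a role to a user. You might
@@ -139,25 +139,25 @@ A user can have different roles in different projects. For example, Alice
 might also have the ``admin`` role in the ``Cyberdyne`` project. A user
 can also have multiple roles in the same project.
 
-The ``/etc/[SERVICE_CODENAME]/policy.yaml`` file controls the
+The ``/etc/[SERVICE_CODENAME]/policy.json`` file controls the
 tasks that users can perform for a given service. For example, the
-``/etc/nova/policy.yaml`` file specifies the access policy for the
-Compute service, the ``/etc/glance/policy.yaml`` file specifies
+``/etc/nova/policy.json`` file specifies the access policy for the
+Compute service, the ``/etc/glance/policy.json`` file specifies
 the access policy for the Image service, and the
-``/etc/keystone/policy.yaml`` file specifies the access policy for
+``/etc/keystone/policy.json`` file specifies the access policy for
 the Identity service.
 
-The default ``policy.yaml`` files in the Compute, Identity, and
+The default ``policy.json`` files in the Compute, Identity, and
 Image services recognize only the ``admin`` role. Any user with
 any role in a project can access all operations that do not require the
 ``admin`` role.
 
 To restrict users from performing operations in, for example, the
 Compute service, you must create a role in the Identity service and
-then modify the ``/etc/nova/policy.yaml`` file so that this role
+then modify the ``/etc/nova/policy.json`` file so that this role
 is required for Compute operations.
 
-For example, the following line in the ``/etc/cinder/policy.yaml``
+For example, the following line in the ``/etc/cinder/policy.json``
 file does not restrict which users can create volumes:
 
 .. code-block:: none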
577 | diff --git a/doc/source/admin/service-api-protection.rst b/doc/source/admin/service-api-protection.rst | |||
578 | index 47886ae..80b8af1 100644 | |||
579 | --- a/doc/source/admin/service-api-protection.rst | |||
580 | +++ b/doc/source/admin/service-api-protection.rst | |||
581 | @@ -10,16 +10,14 @@ Like most OpenStack services, keystone protects its API using role-based access | |||
582 | 10 | control (RBAC). | 10 | control (RBAC). |
583 | 11 | 11 | ||
584 | 12 | Users can access different APIs depending on the roles they have on a project, | 12 | Users can access different APIs depending on the roles they have on a project, |
586 | 13 | domain, or system, which we refer to as scope. | 13 | domain, or system. |
587 | 14 | 14 | ||
588 | 15 | As of the Rocky release, keystone provides three roles called ``admin``, | 15 | As of the Rocky release, keystone provides three roles called ``admin``, |
589 | 16 | ``member``, and ``reader`` by default. Operators can grant these roles to any | 16 | ``member``, and ``reader`` by default. Operators can grant these roles to any |
591 | 17 | actor (e.g., group or user) on any scope (e.g., system, domain, or project). | 17 | actor (e.g., group or user) on any target (e.g., system, domain, or project). |
592 | 18 | If you need a refresher on authorization scopes and token types, please refer | 18 | If you need a refresher on authorization scopes and token types, please refer |
593 | 19 | to the `token guide`_. The following sections describe how each default role | 19 | to the `token guide`_. The following sections describe how each default role |
597 | 20 | behaves with keystone's API across different scopes. Additionally, other | 20 | behaves with keystone's API across different scopes. |
595 | 21 | service developers can use this document as a guide for implementing similar | ||
596 | 22 | patterns in their services. | ||
598 | 23 | 21 | ||
599 | 24 | Default roles and behaviors across scopes allow operators to delegate more | 22 | Default roles and behaviors across scopes allow operators to delegate more |
600 | 25 | functionality to their team, auditors, customers, and users without maintaining | 23 | functionality to their team, auditors, customers, and users without maintaining |
601 | @@ -31,10 +29,9 @@ custom policies. | |||
602 | 31 | Roles Definitions | 29 | Roles Definitions |
603 | 32 | ----------------- | 30 | ----------------- |
604 | 33 | 31 | ||
609 | 34 | The default roles provided by keystone, via ``keystone-manage boostrap``, are | 32 | The default roles imply one another. The ``admin`` role implies the ``member`` |
610 | 35 | related through role implications. The ``admin`` role implies the ``member`` | 33 | role, and the ``member`` role implies the ``reader`` role. This implication |
611 | 36 | role, and the ``member`` role implies the ``reader`` role. These implications | 34 | means users with the ``admin`` role automatically have the ``member`` and |
608 | 37 | mean users with the ``admin`` role automatically have the ``member`` and | ||
612 | 38 | ``reader`` roles. Additionally, users with the ``member`` role automatically | 35 | ``reader`` roles. Additionally, users with the ``member`` role automatically |
613 | 39 | have the ``reader`` role. Implying roles reduces role assignments and forms a | 36 | have the ``reader`` role. Implying roles reduces role assignments and forms a |
614 | 40 | natural hierarchy between the default roles. It also reduces the complexity of | 37 | natural hierarchy between the default roles. It also reduces the complexity of |
615 | @@ -54,26 +51,6 @@ Instead of: | |||
616 | 54 | Reader | 51 | Reader |
617 | 55 | ====== | 52 | ====== |
618 | 56 | 53 | ||
619 | 57 | .. warning:: | ||
620 | 58 | |||
621 | 59 | While it's possible to use the ``reader`` role to perform audits, we highly | ||
622 | 60 | recommend assessing the viability of using ``reader`` for auditing from the | ||
623 | 61 | perspective of the compliance target you're pursuing. | ||
624 | 62 | |||
625 | 63 | The ``reader`` role is the least-privileged role within the role hierarchy | ||
626 | 64 | described here. As such, OpenStack development teams, by default, do not | ||
627 | 65 | advocate exposing sensitive information to users with the ``reader`` role, | ||
628 | 66 | regardless of the scope. We have noted the need for a formal, read-only, | ||
629 | 67 | role that is useful for inspecting all applicable resources within a | ||
630 | 68 | particular scope, but it shouldn't be implemented as the lowest level of | ||
631 | 69 | authorization. This work will come in a subsequent release where we support | ||
632 | 70 | an elevated read-only role, that implies ``reader``, but also exposes | ||
633 | 71 | sensitive information, where applicable. | ||
634 | 72 | |||
635 | 73 | This will allow operators to grant third-party auditors a permissive role | ||
636 | 74 | for viewing sensitive information, specifically for compliance targets that | ||
637 | 75 | require it. | ||
638 | 76 | |||
639 | 77 | The ``reader`` role provides read-only access to resources within the system, a | 54 | The ``reader`` role provides read-only access to resources within the system, a |
640 | 78 | domain, or a project. Depending on the assignment scope, two users with the | 55 | domain, or a project. Depending on the assignment scope, two users with the |
641 | 79 | ``reader`` role can expect different API behaviors. For example, a user with | 56 | ``reader`` role can expect different API behaviors. For example, a user with |
642 | @@ -87,20 +64,6 @@ roles. For example, to accomplish this without analyzing assignment scope, you | |||
643 | 87 | would need ``system-reader``, ``domain-reader``, and ``project-reader`` roles | 64 | would need ``system-reader``, ``domain-reader``, and ``project-reader`` roles |
644 | 88 | in addition to custom policies for each service. | 65 | in addition to custom policies for each service. |
645 | 89 | 66 | ||
646 | 90 | It's imperative to note that ``reader`` is the least authoritative role in the | ||
647 | 91 | hierarchy because assignments using ``admin`` or ``member`` ultimately include | ||
648 | 92 | the ``reader`` role. We document this explicitly so that ``reader`` roles are not | ||
649 | 93 | overloaded with read-only access to sensitive information. For example, a deployment | ||
650 | 94 | pursuing a specific compliance target may want to leverage the ``reader`` role | ||
651 | 95 | to perform the audit. If the audit requires the auditor to evaluate sensitive | ||
652 | 96 | information, like license keys or administrative metadata, within a given | ||
653 | 97 | scope, auditors shouldn't expect to perform these operations with the | ||
654 | 98 | ``reader`` role. We justify this design decision because sensitive information | ||
655 | 99 | should be explicitly protected, and not implicitly exposed. | ||
656 | 100 | |||
657 | 101 | The ``reader`` role should be implemented and used from the perspective of | ||
658 | 102 | least-privilege, which may or may not fulfill your auditing use case. | ||
659 | 103 | |||
660 | 104 | Member | 67 | Member |
661 | 105 | ====== | 68 | ====== |
662 | 106 | 69 | ||
663 | @@ -132,30 +95,9 @@ services are addressing this individually at their own pace). | |||
664 | 132 | As of the Train release, keystone applies the following personas | 95 | As of the Train release, keystone applies the following personas |
665 | 133 | consistently across its API. | 96 | consistently across its API. |
666 | 134 | 97 | ||
689 | 135 | --------------- | 98 | --------------------- |
668 | 136 | System Personas | ||
669 | 137 | --------------- | ||
670 | 138 | |||
671 | 139 | This section describes authorization personas typically used for operators and | ||
672 | 140 | deployers. You can find all users with system role assignments using the | ||
673 | 141 | following query: | ||
674 | 142 | |||
675 | 143 | .. code-block:: console | ||
676 | 144 | |||
677 | 145 | $ openstack role assignment list --names --system all | ||
678 | 146 | +--------+------------------------+------------------------+---------+--------+--------+-----------+ | ||
679 | 147 | | Role | User | Group | Project | Domain | System | Inherited | | ||
680 | 148 | +--------+------------------------+------------------------+---------+--------+--------+-----------+ | ||
681 | 149 | | admin | | system-admins@Default | | | all | False | | ||
682 | 150 | | admin | admin@Default | | | | all | False | | ||
683 | 151 | | admin | operator@Default | | | | all | False | | ||
684 | 152 | | reader | | system-support@Default | | | all | False | | ||
685 | 153 | | admin | operator@Default | | | | all | False | | ||
686 | 154 | | member | system-support@Default | | | | all | False | | ||
687 | 155 | +--------+------------------------+------------------------+---------+--------+--------+-----------+ | ||
688 | 156 | |||
690 | 157 | System Administrators | 99 | System Administrators |
692 | 158 | ===================== | 100 | --------------------- |
693 | 159 | 101 | ||
694 | 160 | *System administrators* are allowed to manage every resource in keystone. | 102 | *System administrators* are allowed to manage every resource in keystone. |
695 | 161 | System administrators are typically operators and cloud administrators. They | 103 | System administrators are typically operators and cloud administrators. They |
696 | @@ -169,7 +111,7 @@ assignments: | |||
697 | 169 | 111 | ||
698 | 170 | .. code-block:: console | 112 | .. code-block:: console |
699 | 171 | 113 | ||
701 | 172 | $ openstack role assignment list --names --system all --role admin | 114 | $ openstack role assignment list --names --system all |
702 | 173 | +-------+------------------+-----------------------+---------+--------+--------+-----------+ | 115 | +-------+------------------+-----------------------+---------+--------+--------+-----------+ |
703 | 174 | | Role | User | Group | Project | Domain | System | Inherited | | 116 | | Role | User | Group | Project | Domain | System | Inherited | |
704 | 175 | +-------+------------------+-----------------------+---------+--------+--------+-----------+ | 117 | +-------+------------------+-----------------------+---------+--------+--------+-----------+ |
705 | @@ -178,57 +120,38 @@ assignments: | |||
706 | 178 | | admin | operator@Default | | | | all | False | | 120 | | admin | operator@Default | | | | all | False | |
707 | 179 | +-------+------------------+-----------------------+---------+--------+--------+-----------+ | 121 | +-------+------------------+-----------------------+---------+--------+--------+-----------+ |
708 | 180 | 122 | ||
709 | 123 | ------------------------------- | ||
710 | 181 | System Members & System Readers | 124 | System Members & System Readers |
712 | 182 | =============================== | 125 | ------------------------------- |
713 | 183 | 126 | ||
714 | 184 | In keystone, *system members* and *system readers* are very similar and have | 127 | In keystone, *system members* and *system readers* are very similar and have |
715 | 185 | the same authorization. Users with these roles on the system can view all | 128 | the same authorization. Users with these roles on the system can view all |
718 | 186 | resources within keystone. They can list role assignments, users, projects, and | 129 | resources within keystone. They can audit role assignments, users, projects, |
719 | 187 | group memberships, among other resources. | 130 | and group memberships, among other resources. |
720 | 188 | 131 | ||
725 | 189 | The *system reader* persona is useful for members of a support team or auditors | 132 | The *system reader* persona is useful for auditors or members of a support |
726 | 190 | if the audit doesn't require access to sensitive information. You can find | 133 | team. You can find *system members* and *system readers* in your deployment |
727 | 191 | *system members* and *system readers* in your deployment with the following | 134 | with the following assignments: |
724 | 192 | assignments: | ||
728 | 193 | 135 | ||
729 | 194 | .. code-block:: console | 136 | .. code-block:: console |
730 | 195 | 137 | ||
731 | 196 | $ openstack role assignment list --names --system all --role member --role reader | 138 | $ openstack role assignment list --names --system all --role member --role reader |
739 | 197 | +--------+------------------------+------------------------+---------+--------+--------+-----------+ | 139 | +--------+------------------------+-------------------------+---------+--------+--------+-----------+ |
740 | 198 | | Role | User | Group | Project | Domain | System | Inherited | | 140 | | Role | User | Group | Project | Domain | System | Inherited | |
741 | 199 | +--------+------------------------+------------------------+---------+--------+--------+-----------+ | 141 | +--------+------------------------+-------------------------+---------+--------+--------+-----------+ |
742 | 200 | | reader | | system-support@Default | | | all | False | | 142 | | reader | | system-auditors@Default | | | all | False | |
743 | 201 | | admin | operator@Default | | | | all | False | | 143 | | admin | operator@Default | | | | all | False | |
744 | 202 | | member | system-support@Default | | | | all | False | | 144 | | member | system-support@Default | | | | all | False | |
745 | 203 | +--------+------------------------+------------------------+---------+--------+--------+-----------+ | 145 | +--------+------------------------+-------------------------+---------+--------+--------+-----------+ |
746 | 204 | 146 | ||
747 | 205 | .. warning:: | 147 | .. warning:: |
748 | 206 | 148 | ||
749 | 207 | Filtering system role assignments is currently broken and is being tracked | 149 | Filtering system role assignments is currently broken and is being tracked |
750 | 208 | as a `bug <https://bugs.launchpad.net/keystone/+bug/1846817>`_. | 150 | as a `bug <https://bugs.launchpad.net/keystone/+bug/1846817>`_. |
751 | 209 | 151 | ||
772 | 210 | --------------- | 152 | --------------------- |
753 | 211 | Domain Personas | ||
754 | 212 | --------------- | ||
755 | 213 | |||
756 | 214 | This section describes authorization personas for people who manage their own | ||
757 | 215 | domains, which contain projects, users, and groups. You can find all users with | ||
758 | 216 | role assignments on a specific domain using the following query: | ||
759 | 217 | |||
760 | 218 | .. code-block:: console | ||
761 | 219 | |||
762 | 220 | $ openstack role assignment list --names --domain foobar | ||
763 | 221 | +--------+-----------------+----------------------+---------+--------+--------+-----------+ | ||
764 | 222 | | Role | User | Group | Project | Domain | System | Inherited | | ||
765 | 223 | +--------+-----------------+----------------------+---------+--------+--------+-----------+ | ||
766 | 224 | | reader | support@Default | | | foobar | | False | | ||
767 | 225 | | admin | jsmith@Default | | | foobar | | False | | ||
768 | 226 | | admin | | foobar-admins@foobar | | foobar | | False | | ||
769 | 227 | | member | jdoe@foobar | | | foobar | | False | | ||
770 | 228 | +--------+-----------------+----------------------+---------+--------+--------+-----------+ | ||
771 | 229 | |||
773 | 230 | Domain Administrators | 153 | Domain Administrators |
775 | 231 | ===================== | 154 | --------------------- |
776 | 232 | 155 | ||
777 | 233 | *Domain administrators* can manage most aspects of the domain or its contents. | 156 | *Domain administrators* can manage most aspects of the domain or its contents. |
778 | 234 | These users can create new projects and users within their domain. They can | 157 | These users can create new projects and users within their domain. They can |
779 | @@ -251,18 +174,18 @@ assignment: | |||
780 | 251 | | admin | | foobar-admins@foobar | | foobar | | False | | 174 | | admin | | foobar-admins@foobar | | foobar | | False | |
781 | 252 | +-------+----------------+----------------------+---------+--------+--------+-----------+ | 175 | +-------+----------------+----------------------+---------+--------+--------+-----------+ |
782 | 253 | 176 | ||
783 | 177 | ------------------------------- | ||
784 | 254 | Domain Members & Domain Readers | 178 | Domain Members & Domain Readers |
786 | 255 | =============================== | 179 | ------------------------------- |
787 | 256 | 180 | ||
788 | 257 | Domain members and domain readers have the same relationship as system members | 181 | Domain members and domain readers have the same relationship as system members |
789 | 258 | and system readers. They're allowed to view resources and information about | 182 | and system readers. They're allowed to view resources and information about |
790 | 259 | their domain. They aren't allowed to access system-specific information or | 183 | their domain. They aren't allowed to access system-specific information or |
791 | 260 | information about projects, groups, and users outside their domain. | 184 | information about projects, groups, and users outside their domain. |
792 | 261 | 185 | ||
797 | 262 | The domain member and domain reader use-cases are great for support teams, | 186 | The domain member and domain reader use-cases are great for auditing, support, |
798 | 263 | monitoring the details of an account, or auditing resources within a domain | 187 | or monitoring the details of an account. You can find domain members and domain |
799 | 264 | assuming the audit doesn't validate sensitive information. You can find domain | 188 | readers with the following role assignments: |
796 | 265 | members and domain readers with the following role assignments: | ||
800 | 266 | 189 | ||
801 | 267 | .. code-block:: console | 190 | .. code-block:: console |
802 | 268 | 191 | ||
803 | @@ -276,35 +199,16 @@ members and domain readers with the following role assignments: | |||
804 | 276 | +--------+-----------------+-------+---------+--------+--------+-----------+ | 199 | +--------+-----------------+-------+---------+--------+--------+-----------+ |
805 | 277 | | Role | User | Group | Project | Domain | System | Inherited | | 200 | | Role | User | Group | Project | Domain | System | Inherited | |
806 | 278 | +--------+-----------------+-------+---------+--------+--------+-----------+ | 201 | +--------+-----------------+-------+---------+--------+--------+-----------+ |
808 | 279 | | reader | support@Default | | | foobar | | False | | 202 | | reader | auditor@Default | | | foobar | | False | |
809 | 280 | +--------+-----------------+-------+---------+--------+--------+-----------+ | 203 | +--------+-----------------+-------+---------+--------+--------+-----------+ |
810 | 281 | 204 | ||
811 | 282 | ---------------- | ||
812 | 283 | Project Personas | ||
813 | 284 | ---------------- | ||
814 | 285 | |||
815 | 286 | This section describes authorization personas for users operating within a | ||
816 | 287 | project. These personas are commonly used by end users. You can find all users | ||
817 | 288 | with role assignments on a specific project using the following query: | ||
818 | 289 | |||
819 | 290 | .. code-block:: console | ||
820 | 291 | |||
821 | 292 | $ openstack role assignment list --names --project production | ||
822 | 293 | +--------+----------------+----------------------------+-------------------+--------+--------+-----------+ | ||
823 | 294 | | Role | User | Group | Project | Domain | System | Inherited | | ||
824 | 295 | +--------+----------------+----------------------------+-------------------+--------+--------+-----------+ | ||
825 | 296 | | admin | jsmith@Default | | production@foobar | | | False | | ||
826 | 297 | | admin | | production-admins@foobar | production@foobar | | | False | | ||
827 | 298 | | member | | foobar-operators@Default | production@foobar | | | False | | ||
828 | 299 | | reader | alice@Default | | production@foobar | | | False | | ||
829 | 300 | | reader | | production-support@Default | production@foobar | | | False | | ||
830 | 301 | +--------+----------------+----------------------------+-------------------+--------+--------+-----------+ | ||
831 | 302 | 205 | ||
832 | 206 | ---------------------- | ||
833 | 303 | Project Administrators | 207 | Project Administrators |
835 | 304 | ====================== | 208 | ---------------------- |
836 | 305 | 209 | ||
839 | 306 | *Project administrators* can only view and modify data within the project they | 210 | *Project administrators* can only view and modify data within the project in |
840 | 307 | have authorization on. They're able to view information about their projects | 211 | their role assignment. They're able to view information about their projects |
841 | 308 | and set tags on their projects. They're not allowed to view system or domain | 212 | and set tags on their projects. They're not allowed to view system or domain |
842 | 309 | resources, as that would violate the tenancy of their role assignment. Since | 213 | resources, as that would violate the tenancy of their role assignment. Since |
843 | 310 | the majority of the resources in keystone's API are system and domain-specific, | 214 | the majority of the resources in keystone's API are system and domain-specific, |
844 | @@ -323,8 +227,9 @@ role assignment: | |||
845 | 323 | | admin | | production-admins@foobar | production@foobar | | | False | | 227 | | admin | | production-admins@foobar | production@foobar | | | False | |
846 | 324 | +-------+----------------+--------------------------+-------------------+--------+--------+-----------+ | 228 | +-------+----------------+--------------------------+-------------------+--------+--------+-----------+ |
847 | 325 | 229 | ||
848 | 230 | --------------------------------- | ||
849 | 326 | Project Members & Project Readers | 231 | Project Members & Project Readers |
851 | 327 | ================================= | 232 | --------------------------------- |
852 | 328 | 233 | ||
853 | 329 | *Project members* and *project readers* can discover information about their | 234 | *Project members* and *project readers* can discover information about their |
854 | 330 | projects. They can access important information like resource limits for their | 235 | projects. They can access important information like resource limits for their |
855 | @@ -344,12 +249,12 @@ the following role assignments: | |||
856 | 344 | | member | | foobar-operators@Default | production@foobar | | | False | | 249 | | member | | foobar-operators@Default | production@foobar | | | False | |
857 | 345 | +--------+------+--------------------------+-------------------+--------+--------+-----------+ | 250 | +--------+------+--------------------------+-------------------+--------+--------+-----------+ |
858 | 346 | $ openstack role assignment list --names --project production --role reader | 251 | $ openstack role assignment list --names --project production --role reader |
865 | 347 | +--------+---------------+----------------------------+-------------------+--------+--------+-----------+ | 252 | +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+ |
866 | 348 | | Role | User | Group | Project | Domain | System | Inherited | | 253 | | Role | User | Group | Project | Domain | System | Inherited | |
867 | 349 | +--------+---------------+----------------------------+-------------------+--------+--------+-----------+ | 254 | +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+ |
868 | 350 | | reader | alice@Default | | production@foobar | | | False | | 255 | | reader | auditor@Default | | production@foobar | | | False | |
869 | 351 | | reader | | production-support@Default | production@foobar | | | False | | 256 | | reader | | production-support@Default | production@foobar | | | False | |
870 | 352 | +--------+---------------+----------------------------+-------------------+--------+--------+-----------+ | 257 | +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+ |
871 | 353 | 258 | ||
872 | 354 | ---------------- | 259 | ---------------- |
873 | 355 | Writing Policies | 260 | Writing Policies |
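--- a/doc/source/admin/upgrading.rst
+++ b/doc/source/admin/upgrading.rst
@@ -42,7 +42,7 @@ Plan your upgrade:
 to re-read the release notes for the previous release (or two!).
 
 * Prepare your new configuration files, including ``keystone.conf``,
-``logging.conf``, ``policy.yaml``, ``keystone-paste.ini``, and anything else
+``logging.conf``, ``policy.json``, ``keystone-paste.ini``, and anything else
 in ``/etc/keystone/``, by customizing the corresponding files from the next
 release.
 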
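--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -55,11 +55,7 @@ apidoc_output_dir = 'api'
 apidoc_excluded_paths = [
 'tests/*',
 'tests',
-'test',
-# TODO(gmann): with new release of SQLAlchemy(1.4.27) TypeDecorator used
-# in common/sql/core.py file started failing. Remove this oncethe issue of
-# TypeDecorator is fixed.
-'common/sql/core.py']
+'test']
 apidoc_separate_modules = True
 
 # sphinxcontrib.seqdiag options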
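--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@@ -2,15 +2,6 @@
 Policy configuration
 ====================
 
-.. warning::
-
-JSON formatted policy file is deprecated since Keystone 19.0.0 (Wallaby).
-This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
-JSON-formatted policy file to YAML in a backward-compatible way.
-
-.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
-
-
 Configuration
 ~~~~~~~~~~~~~
 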
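--- a/doc/source/contributor/how-can-i-help.rst
+++ b/doc/source/contributor/how-can-i-help.rst
@@ -50,7 +50,7 @@ become part of the team:
 You can also subscribe to email notifications for new bugs.
 * Subscribe to the openstack-discuss@lists.openstack.org mailing list (filter on
 subject tag ``[keystone]``) and join the #openstack-keystone IRC channel on
-OFTC. Help answer user support questions if you or your organization has
+freenode. Help answer user support questions if you or your organization has
 faced and solved a similar problem, or chime in on design discussions that
 will affect you and your organization.
 * Check out the low hanging fruit bugs, submit patches to fix them: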
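--- a/doc/source/getting-started/community.rst
+++ b/doc/source/getting-started/community.rst
@@ -34,10 +34,10 @@ from feature designs to documentation to testing to deployment scripts.
 .. _Launchpad: https://launchpad.net/keystone
 .. _wiki: https://wiki.openstack.org/
 
-#openstack-keystone on OFTC IRC Network
----------------------------------------
+#openstack-keystone on Freenode IRC Network
+-------------------------------------------
 
-You can find Keystone folks in `<irc://oftc.net/#openstack-keystone>`_.
+You can find Keystone folks in `<irc://freenode.net/#openstack-keystone>`_.
 This is usually the best place to ask questions and find your way around. IRC
 stands for Internet Relay Chat and it is a way to chat online in real time.
 You can also ask a question and come back to the log files to read the answer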
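--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@@ -2,7 +2,7 @@
 Mapping of policy target to API
 ===============================
 
-The following table shows the target in the policy.yaml file for each API.
+The following table shows the target in the policy.json file for each API.
 
 ========================================================= ===
 Target API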
968 | diff --git a/keystone.egg-info/PKG-INFO b/keystone.egg-info/PKG-INFO | |||
969 | index 3b63a18..c4bc751 100644 | |||
970 | --- a/keystone.egg-info/PKG-INFO | |||
971 | +++ b/keystone.egg-info/PKG-INFO | |||
972 | @@ -1,11 +1,73 @@ | |||
973 | 1 | Metadata-Version: 2.1 | 1 | Metadata-Version: 2.1 |
974 | 2 | Name: keystone | 2 | Name: keystone |
976 | 3 | Version: 20.1.0.dev27 | 3 | Version: 18.1.0 |
977 | 4 | Summary: OpenStack Identity | 4 | Summary: OpenStack Identity |
978 | 5 | Home-page: https://docs.openstack.org/keystone/latest | 5 | Home-page: https://docs.openstack.org/keystone/latest |
979 | 6 | Author: OpenStack | 6 | Author: OpenStack |
980 | 7 | Author-email: openstack-discuss@lists.openstack.org | 7 | Author-email: openstack-discuss@lists.openstack.org |
981 | 8 | License: UNKNOWN | 8 | License: UNKNOWN |
982 | 9 | Description: ================== | ||
983 | 10 | OpenStack Keystone | ||
984 | 11 | ================== | ||
985 | 12 | |||
986 | 13 | .. image:: https://governance.openstack.org/tc/badges/keystone.svg | ||
987 | 14 | :target: https://governance.openstack.org/tc/reference/tags/index.html | ||
988 | 15 | |||
989 | 16 | .. Change things from this point on | ||
990 | 17 | |||
991 | 18 | OpenStack Keystone provides authentication, authorization and service discovery | ||
992 | 19 | mechanisms via HTTP primarily for use by projects in the OpenStack family. It | ||
993 | 20 | is most commonly deployed as an HTTP interface to existing identity systems, | ||
994 | 21 | such as LDAP. | ||
995 | 22 | |||
996 | 23 | Developer documentation, the source of which is in ``doc/source/``, is | ||
997 | 24 | published at: | ||
998 | 25 | |||
999 | 26 | https://docs.openstack.org/keystone/latest | ||
1000 | 27 | |||
1001 | 28 | The API reference and documentation are available at: | ||
1002 | 29 | |||
1003 | 30 | https://docs.openstack.org/api-ref/identity | ||
1004 | 31 | |||
1005 | 32 | The canonical client library is available at: | ||
1006 | 33 | |||
1007 | 34 | https://opendev.org/openstack/python-keystoneclient | ||
1008 | 35 | |||
1009 | 36 | Documentation for cloud administrators is available at: | ||
1010 | 37 | |||
1011 | 38 | https://docs.openstack.org/ | ||
1012 | 39 | |||
1013 | 40 | The source of documentation for cloud administrators is available at: | ||
1014 | 41 | |||
1015 | 42 | https://opendev.org/openstack/openstack-manuals | ||
1016 | 43 | |||
1017 | 44 | Information about our team meeting is available at: | ||
1018 | 45 | |||
1019 | 46 | https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting | ||
1020 | 47 | |||
1021 | 48 | Release notes is available at: | ||
1022 | 49 | |||
1023 | 50 | https://docs.openstack.org/releasenotes/keystone | ||
1024 | 51 | |||
1025 | 52 | Bugs and feature requests are tracked on Launchpad at: | ||
1026 | 53 | |||
1027 | 54 | https://bugs.launchpad.net/keystone | ||
1028 | 55 | |||
1029 | 56 | Future design work is tracked at: | ||
1030 | 57 | |||
1031 | 58 | https://specs.openstack.org/openstack/keystone-specs | ||
1032 | 59 | |||
1033 | 60 | Contributors are encouraged to join IRC (``#openstack-keystone`` on freenode): | ||
1034 | 61 | |||
1035 | 62 | https://wiki.openstack.org/wiki/IRC | ||
1036 | 63 | |||
1037 | 64 | Source for the project: | ||
1038 | 65 | |||
1039 | 66 | https://opendev.org/openstack/keystone | ||
1040 | 67 | |||
1041 | 68 | For information on contributing to Keystone, see ``CONTRIBUTING.rst``. | ||
1042 | 69 | |||
1043 | 70 | |||
1044 | 9 | Platform: UNKNOWN | 71 | Platform: UNKNOWN |
1045 | 10 | Classifier: Environment :: OpenStack | 72 | Classifier: Environment :: OpenStack |
1046 | 11 | Classifier: Intended Audience :: Information Technology | 73 | Classifier: Intended Audience :: Information Technology |
1047 | @@ -24,69 +86,3 @@ Provides-Extra: ldap | |||
1048 | 24 | Provides-Extra: memcache | 86 | Provides-Extra: memcache |
1049 | 25 | Provides-Extra: mongodb | 87 | Provides-Extra: mongodb |
1050 | 26 | Provides-Extra: test | 88 | Provides-Extra: test |
1051 | 27 | License-File: LICENSE | ||
1052 | 28 | License-File: AUTHORS | ||
1053 | 29 | |||
1054 | 30 | ================== | ||
1055 | 31 | OpenStack Keystone | ||
1056 | 32 | ================== | ||
1057 | 33 | |||
1058 | 34 | .. image:: https://governance.openstack.org/tc/badges/keystone.svg | ||
1059 | 35 | :target: https://governance.openstack.org/tc/reference/tags/index.html | ||
1060 | 36 | |||
1061 | 37 | .. Change things from this point on | ||
1062 | 38 | |||
1063 | 39 | OpenStack Keystone provides authentication, authorization and service discovery | ||
1064 | 40 | mechanisms via HTTP primarily for use by projects in the OpenStack family. It | ||
1065 | 41 | is most commonly deployed as an HTTP interface to existing identity systems, | ||
1066 | 42 | such as LDAP. | ||
1067 | 43 | |||
1068 | 44 | Developer documentation, the source of which is in ``doc/source/``, is | ||
1069 | 45 | published at: | ||
1070 | 46 | |||
1071 | 47 | https://docs.openstack.org/keystone/latest | ||
1072 | 48 | |||
1073 | 49 | The API reference and documentation are available at: | ||
1074 | 50 | |||
1075 | 51 | https://docs.openstack.org/api-ref/identity | ||
1076 | 52 | |||
1077 | 53 | The canonical client library is available at: | ||
1078 | 54 | |||
1079 | 55 | https://opendev.org/openstack/python-keystoneclient | ||
1080 | 56 | |||
1081 | 57 | Documentation for cloud administrators is available at: | ||
1082 | 58 | |||
1083 | 59 | https://docs.openstack.org/ | ||
1084 | 60 | |||
1085 | 61 | The source of documentation for cloud administrators is available at: | ||
1086 | 62 | |||
1087 | 63 | https://opendev.org/openstack/openstack-manuals | ||
1088 | 64 | |||
1089 | 65 | Information about our team meeting is available at: | ||
1090 | 66 | |||
1091 | 67 | https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting | ||
1092 | 68 | |||
1093 | 69 | Release notes is available at: | ||
1094 | 70 | |||
1095 | 71 | https://docs.openstack.org/releasenotes/keystone | ||
1096 | 72 | |||
1097 | 73 | Bugs and feature requests are tracked on Launchpad at: | ||
1098 | 74 | |||
1099 | 75 | https://bugs.launchpad.net/keystone | ||
1100 | 76 | |||
1101 | 77 | Future design work is tracked at: | ||
1102 | 78 | |||
1103 | 79 | https://specs.openstack.org/openstack/keystone-specs | ||
1104 | 80 | |||
1105 | 81 | Contributors are encouraged to join IRC (``#openstack-keystone`` on OFTC): | ||
1106 | 82 | |||
1107 | 83 | https://wiki.openstack.org/wiki/IRC | ||
1108 | 84 | |||
1109 | 85 | Source for the project: | ||
1110 | 86 | |||
1111 | 87 | https://opendev.org/openstack/keystone | ||
1112 | 88 | |||
1113 | 89 | For information on contributing to Keystone, see ``CONTRIBUTING.rst``. | ||
1114 | 90 | |||
1115 | 91 | |||
1116 | 92 | |||
1117 | diff --git a/keystone.egg-info/SOURCES.txt b/keystone.egg-info/SOURCES.txt | |||
1118 | index fc8c6b6..b1af601 100644 | |||
1119 | --- a/keystone.egg-info/SOURCES.txt | |||
1120 | +++ b/keystone.egg-info/SOURCES.txt | |||
1121 | @@ -315,7 +315,6 @@ devstack/files/federation/shib_apache_alias.txt | |||
1122 | 315 | devstack/files/federation/shib_apache_handler.txt | 315 | devstack/files/federation/shib_apache_handler.txt |
1123 | 316 | devstack/files/federation/shibboleth2.xml | 316 | devstack/files/federation/shibboleth2.xml |
1124 | 317 | devstack/lib/federation.sh | 317 | devstack/lib/federation.sh |
1125 | 318 | devstack/lib/scope.sh | ||
1126 | 319 | doc/Makefile | 318 | doc/Makefile |
1127 | 320 | doc/README.rst | 319 | doc/README.rst |
1128 | 321 | doc/requirements.txt | 320 | doc/requirements.txt |
1129 | @@ -473,7 +472,6 @@ keystone.egg-info/SOURCES.txt | |||
1130 | 473 | keystone.egg-info/dependency_links.txt | 472 | keystone.egg-info/dependency_links.txt |
1131 | 474 | keystone.egg-info/entry_points.txt | 473 | keystone.egg-info/entry_points.txt |
1132 | 475 | keystone.egg-info/not-zip-safe | 474 | keystone.egg-info/not-zip-safe |
1133 | 476 | keystone.egg-info/pbr.json | ||
1134 | 477 | keystone.egg-info/requires.txt | 475 | keystone.egg-info/requires.txt |
1135 | 478 | keystone.egg-info/top_level.txt | 476 | keystone.egg-info/top_level.txt |
1136 | 479 | keystone/api/__init__.py | 477 | keystone/api/__init__.py |
1137 | @@ -705,7 +703,6 @@ keystone/common/sql/contract_repo/versions/075_placeholder.py | |||
1138 | 705 | keystone/common/sql/contract_repo/versions/076_placeholder.py | 703 | keystone/common/sql/contract_repo/versions/076_placeholder.py |
1139 | 706 | keystone/common/sql/contract_repo/versions/077_placeholder.py | 704 | keystone/common/sql/contract_repo/versions/077_placeholder.py |
1140 | 707 | keystone/common/sql/contract_repo/versions/078_placeholder.py | 705 | keystone/common/sql/contract_repo/versions/078_placeholder.py |
1141 | 708 | keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py | ||
1142 | 709 | keystone/common/sql/contract_repo/versions/__init__.py | 706 | keystone/common/sql/contract_repo/versions/__init__.py |
1143 | 710 | keystone/common/sql/data_migration_repo/README | 707 | keystone/common/sql/data_migration_repo/README |
1144 | 711 | keystone/common/sql/data_migration_repo/__init__.py | 708 | keystone/common/sql/data_migration_repo/__init__.py |
1145 | @@ -789,7 +786,6 @@ keystone/common/sql/data_migration_repo/versions/075_placeholder.py | |||
1146 | 789 | keystone/common/sql/data_migration_repo/versions/076_placeholder.py | 786 | keystone/common/sql/data_migration_repo/versions/076_placeholder.py |
1147 | 790 | keystone/common/sql/data_migration_repo/versions/077_placeholder.py | 787 | keystone/common/sql/data_migration_repo/versions/077_placeholder.py |
1148 | 791 | keystone/common/sql/data_migration_repo/versions/078_placeholder.py | 788 | keystone/common/sql/data_migration_repo/versions/078_placeholder.py |
1149 | 792 | keystone/common/sql/data_migration_repo/versions/079_migrate_update_local_id_limit.py | ||
1150 | 793 | keystone/common/sql/data_migration_repo/versions/__init__.py | 789 | keystone/common/sql/data_migration_repo/versions/__init__.py |
1151 | 794 | keystone/common/sql/expand_repo/README | 790 | keystone/common/sql/expand_repo/README |
1152 | 795 | keystone/common/sql/expand_repo/__init__.py | 791 | keystone/common/sql/expand_repo/__init__.py |
1153 | @@ -873,7 +869,6 @@ keystone/common/sql/expand_repo/versions/075_placeholder.py | |||
1154 | 873 | keystone/common/sql/expand_repo/versions/076_placeholder.py | 869 | keystone/common/sql/expand_repo/versions/076_placeholder.py |
1155 | 874 | keystone/common/sql/expand_repo/versions/077_placeholder.py | 870 | keystone/common/sql/expand_repo/versions/077_placeholder.py |
1156 | 875 | keystone/common/sql/expand_repo/versions/078_placeholder.py | 871 | keystone/common/sql/expand_repo/versions/078_placeholder.py |
1157 | 876 | keystone/common/sql/expand_repo/versions/079_expand_update_local_id_limit.py | ||
1158 | 877 | keystone/common/sql/expand_repo/versions/__init__.py | 872 | keystone/common/sql/expand_repo/versions/__init__.py |
1159 | 878 | keystone/common/sql/migrate_repo/README | 873 | keystone/common/sql/migrate_repo/README |
1160 | 879 | keystone/common/sql/migrate_repo/__init__.py | 874 | keystone/common/sql/migrate_repo/__init__.py |
1161 | @@ -1235,6 +1230,8 @@ keystone/tests/unit/config_files/backend_multi_ldap_sql.conf | |||
1162 | 1235 | keystone/tests/unit/config_files/backend_pool_liveldap.conf | 1230 | keystone/tests/unit/config_files/backend_pool_liveldap.conf |
1163 | 1236 | keystone/tests/unit/config_files/backend_sql.conf | 1231 | keystone/tests/unit/config_files/backend_sql.conf |
1164 | 1237 | keystone/tests/unit/config_files/backend_tls_liveldap.conf | 1232 | keystone/tests/unit/config_files/backend_tls_liveldap.conf |
1165 | 1233 | keystone/tests/unit/config_files/deprecated.conf | ||
1166 | 1234 | keystone/tests/unit/config_files/deprecated_override.conf | ||
1167 | 1238 | keystone/tests/unit/config_files/test_auth_plugin.conf | 1235 | keystone/tests/unit/config_files/test_auth_plugin.conf |
1168 | 1239 | keystone/tests/unit/config_files/domain_configs_default_ldap_one_sql/keystone.domain1.conf | 1236 | keystone/tests/unit/config_files/domain_configs_default_ldap_one_sql/keystone.domain1.conf |
1169 | 1240 | keystone/tests/unit/config_files/domain_configs_multi_ldap/keystone.Default.conf | 1237 | keystone/tests/unit/config_files/domain_configs_multi_ldap/keystone.Default.conf |
1170 | @@ -1281,7 +1278,6 @@ keystone/tests/unit/ksfixtures/key_repository.py | |||
1171 | 1281 | keystone/tests/unit/ksfixtures/ldapdb.py | 1278 | keystone/tests/unit/ksfixtures/ldapdb.py |
1172 | 1282 | keystone/tests/unit/ksfixtures/policy.py | 1279 | keystone/tests/unit/ksfixtures/policy.py |
1173 | 1283 | keystone/tests/unit/ksfixtures/temporaryfile.py | 1280 | keystone/tests/unit/ksfixtures/temporaryfile.py |
1174 | 1284 | keystone/tests/unit/ksfixtures/warnings.py | ||
1175 | 1285 | keystone/tests/unit/limit/__init__.py | 1281 | keystone/tests/unit/limit/__init__.py |
1176 | 1286 | keystone/tests/unit/limit/test_backends.py | 1282 | keystone/tests/unit/limit/test_backends.py |
1177 | 1287 | keystone/tests/unit/policy/__init__.py | 1283 | keystone/tests/unit/policy/__init__.py |
1178 | @@ -1328,7 +1324,6 @@ keystone/trust/backends/__init__.py | |||
1179 | 1328 | keystone/trust/backends/base.py | 1324 | keystone/trust/backends/base.py |
1180 | 1329 | keystone/trust/backends/sql.py | 1325 | keystone/trust/backends/sql.py |
1181 | 1330 | keystone_tempest_plugin/README.rst | 1326 | keystone_tempest_plugin/README.rst |
1182 | 1331 | playbooks/enable-fips.yaml | ||
1183 | 1332 | rally-jobs/README.rst | 1327 | rally-jobs/README.rst |
1184 | 1333 | rally-jobs/keystone.yaml | 1328 | rally-jobs/keystone.yaml |
1185 | 1334 | releasenotes/notes/.placeholder | 1329 | releasenotes/notes/.placeholder |
1186 | @@ -1573,11 +1568,8 @@ releasenotes/notes/bug-1885753-51df25f3ff1d9ae8.yaml | |||
1187 | 1573 | releasenotes/notes/bug-1886017-bc2ad648d57101a2.yaml | 1568 | releasenotes/notes/bug-1886017-bc2ad648d57101a2.yaml |
1188 | 1574 | releasenotes/notes/bug-1889936-78d6853b5212b8f1.yaml | 1569 | releasenotes/notes/bug-1889936-78d6853b5212b8f1.yaml |
1189 | 1575 | releasenotes/notes/bug-1896125-b17a4d12730fe493.yaml | 1570 | releasenotes/notes/bug-1896125-b17a4d12730fe493.yaml |
1190 | 1576 | releasenotes/notes/bug-1897280-e7065c4368a325ad.yaml | ||
1191 | 1577 | releasenotes/notes/bug-1901207-13762f85b8a04481.yaml | 1571 | releasenotes/notes/bug-1901207-13762f85b8a04481.yaml |
1192 | 1578 | releasenotes/notes/bug-1901654-69b9f35d11cd0c75.yaml | 1572 | releasenotes/notes/bug-1901654-69b9f35d11cd0c75.yaml |
1193 | 1579 | releasenotes/notes/bug-1929066-6e741c9182620a37.yaml | ||
1194 | 1580 | releasenotes/notes/bug-1941020-f694395a9bcea72f.yaml | ||
1195 | 1581 | releasenotes/notes/bug1828565-0790c4c60ba34100.yaml | 1573 | releasenotes/notes/bug1828565-0790c4c60ba34100.yaml |
1196 | 1582 | releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml | 1574 | releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml |
1197 | 1583 | releasenotes/notes/bug_1543048_and_1668503-7ead4e15faaab778.yaml | 1575 | releasenotes/notes/bug_1543048_and_1668503-7ead4e15faaab778.yaml |
1198 | @@ -1588,7 +1580,6 @@ releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml | |||
1199 | 1588 | releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml | 1580 | releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml |
1200 | 1589 | releasenotes/notes/convert-keystone-to-flask-80d980e239b662b0.yaml | 1581 | releasenotes/notes/convert-keystone-to-flask-80d980e239b662b0.yaml |
1201 | 1590 | releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml | 1582 | releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml |
1202 | 1591 | releasenotes/notes/deprecate-json-formatted-policy-file-95f6307f88358f58.yaml | ||
1203 | 1592 | releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml | 1583 | releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml |
1204 | 1593 | releasenotes/notes/deprecate-policies-api-b104fbd1d2367b1b.yaml | 1584 | releasenotes/notes/deprecate-policies-api-b104fbd1d2367b1b.yaml |
1205 | 1594 | releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml | 1585 | releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml |
1206 | @@ -1678,15 +1669,10 @@ releasenotes/source/stein.rst | |||
1207 | 1678 | releasenotes/source/train.rst | 1669 | releasenotes/source/train.rst |
1208 | 1679 | releasenotes/source/unreleased.rst | 1670 | releasenotes/source/unreleased.rst |
1209 | 1680 | releasenotes/source/ussuri.rst | 1671 | releasenotes/source/ussuri.rst |
1210 | 1681 | releasenotes/source/victoria.rst | ||
1211 | 1682 | releasenotes/source/wallaby.rst | ||
1212 | 1683 | releasenotes/source/xena.rst | ||
1213 | 1684 | releasenotes/source/_static/.placeholder | 1672 | releasenotes/source/_static/.placeholder |
1214 | 1685 | releasenotes/source/_templates/.placeholder | 1673 | releasenotes/source/_templates/.placeholder |
1215 | 1686 | releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po | 1674 | releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po |
1216 | 1687 | releasenotes/source/locale/fr/LC_MESSAGES/releasenotes.po | ||
1217 | 1688 | releasenotes/source/locale/ja/LC_MESSAGES/releasenotes.po | 1675 | releasenotes/source/locale/ja/LC_MESSAGES/releasenotes.po |
1218 | 1689 | releasenotes/source/locale/ko_KR/LC_MESSAGES/releasenotes.po | ||
1219 | 1690 | tools/cover.sh | 1676 | tools/cover.sh |
1220 | 1691 | tools/fast8.sh | 1677 | tools/fast8.sh |
1221 | 1692 | tools/sample_data.sh | 1678 | tools/sample_data.sh |
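--- a/keystone.egg-info/pbr.json
+++ /dev/null
@@ -1 +0,0 @@
-{"git_version": "2ddf8f321", "is_release": false}
\ No newline at end of file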
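--- a/keystone.egg-info/requires.txt
+++ b/keystone.egg-info/requires.txt
@@ -11,16 +11,16 @@ keystonemiddleware>=7.0.0
 msgpack>=0.5.0
 oauthlib>=0.6.2
 oslo.cache>=1.26.0
-oslo.config>=6.8.0
+oslo.config>=5.2.0
 oslo.context>=2.22.0
 oslo.db>=6.0.0
 oslo.i18n>=3.15.3
 oslo.log>=3.44.0
 oslo.messaging>=5.29.0
 oslo.middleware>=3.31.0
-oslo.policy>=3.7.0
+oslo.policy>=3.0.2
 oslo.serialization!=2.19.1,>=2.18.0
-oslo.upgradecheck>=1.3.0
+oslo.upgradecheck>=0.1.0
 oslo.utils>=3.33.0
 osprofiler>=1.4.0
 passlib>=1.7.0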
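--- a/keystone/api/s3tokens.py
+++ b/keystone/api/s3tokens.py
@@ -56,10 +56,7 @@ def _calculate_signature_v4(string_to_sign, secret_key):
 if len(parts) != 4 or parts[0] != b'AWS4-HMAC-SHA256':
 raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
 scope = parts[2].split(b'/')
-if len(scope) != 4 or scope[3] != b'aws4_request':
-raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
-allowed_services = [b's3', b'iam', b'sts']
-if scope[2] not in allowed_services:
-raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
+if len(scope) != 4 or scope[2] != b's3' or scope[3] != b'aws4_request':
 raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
 
 def _sign(key, msg):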
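Review bot: The condition on the new side of line 59 admits only the `s3` service in the credential scope, whereas the lines it replaces also admitted `iam` and `sts`; if this merge is an intentional roll-back to the 18.1.0 behaviour, requests signed with an `iam` or `sts` scope will now be rejected with 'Invalid EC2 signature.', and that regression deserves a sentence in the merge description. A short comment above the check would make the narrower contract explicit, e.g. `# Only the s3 service scope is accepted; any other scope in the credential is rejected.` `_calculate_signature_v4` starts before this hunk and continues after it.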
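--- a/keystone/cmd/status.py
+++ b/keystone/cmd/status.py
@@ -12,7 +12,6 @@
 
 from oslo_policy import _checks
 from oslo_policy import policy
-from oslo_upgradecheck import common_checks
 from oslo_upgradecheck import upgradecheck
 
 from keystone.common import driver_hints
@@ -87,8 +86,6 @@ class Checks(upgradecheck.UpgradeCommands):
 check_trust_policies_are_not_empty),
 ("Check default roles are immutable",
 check_default_roles_are_immutable),
-("Policy File JSON to YAML Migration",
-(common_checks.check_policy_json, {'conf': CONF})),
 )
 
 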
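Review bot: With the "Policy File JSON to YAML Migration" entry gone from the check tuple in the second hunk, `keystone-status upgrade check` no longer warns operators who still carry a JSON-formatted policy file, so a stale or mis-formatted policy file will only surface at request time as an authorization failure. If the roll-back is intentional, the merge description should say so, since the documentation changes in this same diff (upgrading.rst, policy.rst, policy_mapping.rst) now consistently point at policy.json and an operator following them gets no pre-upgrade signal. The `Checks` class and the tuple itself begin before this hunk.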
1291 | diff --git a/keystone/common/policies/application_credential.py b/keystone/common/policies/application_credential.py | |||
1292 | index bae998a..e44c661 100644 | |||
1293 | --- a/keystone/common/policies/application_credential.py | |||
1294 | +++ b/keystone/common/policies/application_credential.py | |||
1295 | @@ -18,30 +18,23 @@ from keystone.common.policies import base | |||
1296 | 18 | collection_path = '/v3/users/{user_id}/application_credentials' | 18 | collection_path = '/v3/users/{user_id}/application_credentials' |
1297 | 19 | resource_path = collection_path + '/{application_credential_id}' | 19 | resource_path = collection_path + '/{application_credential_id}' |
1298 | 20 | 20 | ||
1299 | 21 | DEPRECATED_REASON = ( | ||
1300 | 22 | "The application credential API is now aware of system scope and default " | ||
1301 | 23 | "roles." | ||
1302 | 24 | ) | ||
1303 | 25 | |||
1304 | 26 | deprecated_list_application_credentials_for_user = policy.DeprecatedRule( | 21 | deprecated_list_application_credentials_for_user = policy.DeprecatedRule( |
1305 | 27 | name=base.IDENTITY % 'list_application_credentials', | 22 | name=base.IDENTITY % 'list_application_credentials', |
1309 | 28 | check_str=base.RULE_ADMIN_OR_OWNER, | 23 | check_str=base.RULE_ADMIN_OR_OWNER |
1307 | 29 | deprecated_reason=DEPRECATED_REASON, | ||
1308 | 30 | deprecated_since=versionutils.deprecated.TRAIN | ||
1310 | 31 | ) | 24 | ) |
1311 | 32 | deprecated_get_application_credentials_for_user = policy.DeprecatedRule( | 25 | deprecated_get_application_credentials_for_user = policy.DeprecatedRule( |
1312 | 33 | name=base.IDENTITY % 'get_application_credential', | 26 | name=base.IDENTITY % 'get_application_credential', |
1316 | 34 | check_str=base.RULE_ADMIN_OR_OWNER, | 27 | check_str=base.RULE_ADMIN_OR_OWNER |
1314 | 35 | deprecated_reason=DEPRECATED_REASON, | ||
1315 | 36 | deprecated_since=versionutils.deprecated.TRAIN | ||
1317 | 37 | ) | 28 | ) |
1318 | 38 | deprecated_delete_application_credentials_for_user = policy.DeprecatedRule( | 29 | deprecated_delete_application_credentials_for_user = policy.DeprecatedRule( |
1319 | 39 | name=base.IDENTITY % 'delete_application_credential', | 30 | name=base.IDENTITY % 'delete_application_credential', |
1323 | 40 | check_str=base.RULE_ADMIN_OR_OWNER, | 31 | check_str=base.RULE_ADMIN_OR_OWNER |
1321 | 41 | deprecated_reason=DEPRECATED_REASON, | ||
1322 | 42 | deprecated_since=versionutils.deprecated.TRAIN | ||
1324 | 43 | ) | 32 | ) |
1325 | 44 | 33 | ||
1326 | 34 | DEPRECATED_REASON = ( | ||
1327 | 35 | "The application credential API is now aware of system scope and default " | ||
1328 | 36 | "roles." | ||
1329 | 37 | ) | ||
1330 | 45 | 38 | ||
1331 | 46 | application_credential_policies = [ | 39 | application_credential_policies = [ |
1332 | 47 | policy.DocumentedRuleDefault( | 40 | policy.DocumentedRuleDefault( |
1333 | @@ -53,7 +46,9 @@ application_credential_policies = [ | |||
1334 | 53 | 'method': 'GET'}, | 46 | 'method': 'GET'}, |
1335 | 54 | {'path': resource_path, | 47 | {'path': resource_path, |
1336 | 55 | 'method': 'HEAD'}], | 48 | 'method': 'HEAD'}], |
1338 | 56 | deprecated_rule=deprecated_get_application_credentials_for_user), | 49 | deprecated_rule=deprecated_get_application_credentials_for_user, |
1339 | 50 | deprecated_reason=DEPRECATED_REASON, | ||
1340 | 51 | deprecated_since=versionutils.deprecated.TRAIN), | ||
1341 | 57 | policy.DocumentedRuleDefault( | 52 | policy.DocumentedRuleDefault( |
1342 | 58 | name=base.IDENTITY % 'list_application_credentials', | 53 | name=base.IDENTITY % 'list_application_credentials', |
1343 | 59 | check_str=base.RULE_SYSTEM_READER_OR_OWNER, | 54 | check_str=base.RULE_SYSTEM_READER_OR_OWNER, |
1344 | @@ -63,7 +58,9 @@ application_credential_policies = [ | |||
1345 | 63 | 'method': 'GET'}, | 58 | 'method': 'GET'}, |
1346 | 64 | {'path': collection_path, | 59 | {'path': collection_path, |
1347 | 65 | 'method': 'HEAD'}], | 60 | 'method': 'HEAD'}], |
1349 | 66 | deprecated_rule=deprecated_list_application_credentials_for_user), | 61 | deprecated_rule=deprecated_list_application_credentials_for_user, |
1350 | 62 | deprecated_reason=DEPRECATED_REASON, | ||
1351 | 63 | deprecated_since=versionutils.deprecated.TRAIN), | ||
1352 | 67 | policy.DocumentedRuleDefault( | 64 | policy.DocumentedRuleDefault( |
1353 | 68 | name=base.IDENTITY % 'create_application_credential', | 65 | name=base.IDENTITY % 'create_application_credential', |
1354 | 69 | check_str=base.RULE_OWNER, | 66 | check_str=base.RULE_OWNER, |
1355 | @@ -78,7 +75,9 @@ application_credential_policies = [ | |||
1356 | 78 | description='Delete an application credential.', | 75 | description='Delete an application credential.', |
1357 | 79 | operations=[{'path': resource_path, | 76 | operations=[{'path': resource_path, |
1358 | 80 | 'method': 'DELETE'}], | 77 | 'method': 'DELETE'}], |
1360 | 81 | deprecated_rule=deprecated_delete_application_credentials_for_user) | 78 | deprecated_rule=deprecated_delete_application_credentials_for_user, |
1361 | 79 | deprecated_reason=DEPRECATED_REASON, | ||
1362 | 80 | deprecated_since=versionutils.deprecated.TRAIN) | ||
1363 | 82 | ] | 81 | ] |
1364 | 83 | 82 | ||
1365 | 84 | 83 | ||
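Review bot: `DEPRECATED_REASON` is now declared at new lines 34-37, below the three `DeprecatedRule` definitions it describes, while credential.py and domain.py in this same proposal keep the constant above their deprecated rules (their hunk context shows `DEPRECATED_REASON = (` at the top of the module). Nothing breaks, because on the new side the `DeprecatedRule` calls no longer take `deprecated_reason`, but the constant belongs next to the rules it explains; moving new lines 34-37 back above `deprecated_list_application_credentials_for_user` keeps the policy modules consistent. The check strings on the deprecated rules (`base.RULE_ADMIN_OR_OWNER`) and on the new rules are unchanged, so effective access to `/v3/users/{user_id}/application_credentials` is not affected by this hunk.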
1366 | diff --git a/keystone/common/policies/consumer.py b/keystone/common/policies/consumer.py | |||
1367 | index 7931bf0..bf9a6bd 100644 | |||
1368 | --- a/keystone/common/policies/consumer.py | |||
1369 | +++ b/keystone/common/policies/consumer.py | |||
1370 | @@ -15,41 +15,30 @@ from oslo_policy import policy | |||
1371 | 15 | 15 | ||
1372 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
1373 | 17 | 17 | ||
1374 | 18 | DEPRECATED_REASON = ( | ||
1375 | 19 | "The OAUTH1 consumer API is now aware of system scope and default roles." | ||
1376 | 20 | ) | ||
1377 | 21 | |||
1378 | 22 | deprecated_get_consumer = policy.DeprecatedRule( | 18 | deprecated_get_consumer = policy.DeprecatedRule( |
1379 | 23 | name=base.IDENTITY % 'get_consumer', | 19 | name=base.IDENTITY % 'get_consumer', |
1383 | 24 | check_str=base.RULE_ADMIN_REQUIRED, | 20 | check_str=base.RULE_ADMIN_REQUIRED |
1381 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
1382 | 26 | deprecated_since=versionutils.deprecated.TRAIN | ||
1384 | 27 | ) | 21 | ) |
1385 | 28 | deprecated_list_consumers = policy.DeprecatedRule( | 22 | deprecated_list_consumers = policy.DeprecatedRule( |
1386 | 29 | name=base.IDENTITY % 'list_consumers', | 23 | name=base.IDENTITY % 'list_consumers', |
1390 | 30 | check_str=base.RULE_ADMIN_REQUIRED, | 24 | check_str=base.RULE_ADMIN_REQUIRED |
1388 | 31 | deprecated_reason=DEPRECATED_REASON, | ||
1389 | 32 | deprecated_since=versionutils.deprecated.TRAIN | ||
1391 | 33 | ) | 25 | ) |
1392 | 34 | deprecated_create_consumer = policy.DeprecatedRule( | 26 | deprecated_create_consumer = policy.DeprecatedRule( |
1393 | 35 | name=base.IDENTITY % 'create_consumer', | 27 | name=base.IDENTITY % 'create_consumer', |
1397 | 36 | check_str=base.RULE_ADMIN_REQUIRED, | 28 | check_str=base.RULE_ADMIN_REQUIRED |
1395 | 37 | deprecated_reason=DEPRECATED_REASON, | ||
1396 | 38 | deprecated_since=versionutils.deprecated.TRAIN | ||
1398 | 39 | ) | 29 | ) |
1399 | 40 | deprecated_update_consumer = policy.DeprecatedRule( | 30 | deprecated_update_consumer = policy.DeprecatedRule( |
1400 | 41 | name=base.IDENTITY % 'update_consumer', | 31 | name=base.IDENTITY % 'update_consumer', |
1404 | 42 | check_str=base.RULE_ADMIN_REQUIRED, | 32 | check_str=base.RULE_ADMIN_REQUIRED |
1402 | 43 | deprecated_reason=DEPRECATED_REASON, | ||
1403 | 44 | deprecated_since=versionutils.deprecated.TRAIN | ||
1405 | 45 | ) | 33 | ) |
1406 | 46 | deprecated_delete_consumer = policy.DeprecatedRule( | 34 | deprecated_delete_consumer = policy.DeprecatedRule( |
1407 | 47 | name=base.IDENTITY % 'delete_consumer', | 35 | name=base.IDENTITY % 'delete_consumer', |
1411 | 48 | check_str=base.RULE_ADMIN_REQUIRED, | 36 | check_str=base.RULE_ADMIN_REQUIRED |
1409 | 49 | deprecated_reason=DEPRECATED_REASON, | ||
1410 | 50 | deprecated_since=versionutils.deprecated.TRAIN | ||
1412 | 51 | ) | 37 | ) |
1413 | 52 | 38 | ||
1414 | 39 | DEPRECATED_REASON = ( | ||
1415 | 40 | "The OAUTH1 consumer API is now aware of system scope and default roles." | ||
1416 | 41 | ) | ||
1417 | 53 | 42 | ||
1418 | 54 | consumer_policies = [ | 43 | consumer_policies = [ |
1419 | 55 | policy.DocumentedRuleDefault( | 44 | policy.DocumentedRuleDefault( |
1420 | @@ -59,7 +48,9 @@ consumer_policies = [ | |||
1421 | 59 | description='Show OAUTH1 consumer details.', | 48 | description='Show OAUTH1 consumer details.', |
1422 | 60 | operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}', | 49 | operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}', |
1423 | 61 | 'method': 'GET'}], | 50 | 'method': 'GET'}], |
1425 | 62 | deprecated_rule=deprecated_get_consumer), | 51 | deprecated_rule=deprecated_get_consumer, |
1426 | 52 | deprecated_reason=DEPRECATED_REASON, | ||
1427 | 53 | deprecated_since=versionutils.deprecated.TRAIN), | ||
1428 | 63 | policy.DocumentedRuleDefault( | 54 | policy.DocumentedRuleDefault( |
1429 | 64 | name=base.IDENTITY % 'list_consumers', | 55 | name=base.IDENTITY % 'list_consumers', |
1430 | 65 | check_str=base.SYSTEM_READER, | 56 | check_str=base.SYSTEM_READER, |
1431 | @@ -67,7 +58,9 @@ consumer_policies = [ | |||
1432 | 67 | description='List OAUTH1 consumers.', | 58 | description='List OAUTH1 consumers.', |
1433 | 68 | operations=[{'path': '/v3/OS-OAUTH1/consumers', | 59 | operations=[{'path': '/v3/OS-OAUTH1/consumers', |
1434 | 69 | 'method': 'GET'}], | 60 | 'method': 'GET'}], |
1436 | 70 | deprecated_rule=deprecated_list_consumers), | 61 | deprecated_rule=deprecated_list_consumers, |
1437 | 62 | deprecated_reason=DEPRECATED_REASON, | ||
1438 | 63 | deprecated_since=versionutils.deprecated.TRAIN), | ||
1439 | 71 | policy.DocumentedRuleDefault( | 64 | policy.DocumentedRuleDefault( |
1440 | 72 | name=base.IDENTITY % 'create_consumer', | 65 | name=base.IDENTITY % 'create_consumer', |
1441 | 73 | check_str=base.SYSTEM_ADMIN, | 66 | check_str=base.SYSTEM_ADMIN, |
1442 | @@ -75,7 +68,9 @@ consumer_policies = [ | |||
1443 | 75 | description='Create OAUTH1 consumer.', | 68 | description='Create OAUTH1 consumer.', |
1444 | 76 | operations=[{'path': '/v3/OS-OAUTH1/consumers', | 69 | operations=[{'path': '/v3/OS-OAUTH1/consumers', |
1445 | 77 | 'method': 'POST'}], | 70 | 'method': 'POST'}], |
1447 | 78 | deprecated_rule=deprecated_create_consumer), | 71 | deprecated_rule=deprecated_create_consumer, |
1448 | 72 | deprecated_reason=DEPRECATED_REASON, | ||
1449 | 73 | deprecated_since=versionutils.deprecated.TRAIN), | ||
1450 | 79 | policy.DocumentedRuleDefault( | 74 | policy.DocumentedRuleDefault( |
1451 | 80 | name=base.IDENTITY % 'update_consumer', | 75 | name=base.IDENTITY % 'update_consumer', |
1452 | 81 | check_str=base.SYSTEM_ADMIN, | 76 | check_str=base.SYSTEM_ADMIN, |
1453 | @@ -83,7 +78,9 @@ consumer_policies = [ | |||
1454 | 83 | description='Update OAUTH1 consumer.', | 78 | description='Update OAUTH1 consumer.', |
1455 | 84 | operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}', | 79 | operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}', |
1456 | 85 | 'method': 'PATCH'}], | 80 | 'method': 'PATCH'}], |
1458 | 86 | deprecated_rule=deprecated_update_consumer), | 81 | deprecated_rule=deprecated_update_consumer, |
1459 | 82 | deprecated_reason=DEPRECATED_REASON, | ||
1460 | 83 | deprecated_since=versionutils.deprecated.TRAIN), | ||
1461 | 87 | policy.DocumentedRuleDefault( | 84 | policy.DocumentedRuleDefault( |
1462 | 88 | name=base.IDENTITY % 'delete_consumer', | 85 | name=base.IDENTITY % 'delete_consumer', |
1463 | 89 | check_str=base.SYSTEM_ADMIN, | 86 | check_str=base.SYSTEM_ADMIN, |
1464 | @@ -91,7 +88,9 @@ consumer_policies = [ | |||
1465 | 91 | description='Delete OAUTH1 consumer.', | 88 | description='Delete OAUTH1 consumer.', |
1466 | 92 | operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}', | 89 | operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}', |
1467 | 93 | 'method': 'DELETE'}], | 90 | 'method': 'DELETE'}], |
1469 | 94 | deprecated_rule=deprecated_delete_consumer), | 91 | deprecated_rule=deprecated_delete_consumer, |
1470 | 92 | deprecated_reason=DEPRECATED_REASON, | ||
1471 | 93 | deprecated_since=versionutils.deprecated.TRAIN), | ||
1472 | 95 | ] | 94 | ] |
1473 | 96 | 95 | ||
1474 | 97 | 96 | ||
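Review bot: The deprecation metadata moves from each `DeprecatedRule` (new lines 18-37 now carry only `name` and `check_str`) onto the `DocumentedRuleDefault` entries as `deprecated_reason=` / `deprecated_since=` kwargs, which is the older oslo.policy calling convention; as far as I recall, newer oslo.policy releases expect that metadata on `DeprecatedRule` and warn about the `RuleDefault` placement, so the oslo.policy bound in the requirements files changed elsewhere in this proposal should be checked against the version the new side targets. A one-line comment above `deprecated_get_consumer` such as `# deprecated_reason/deprecated_since are given on the DocumentedRuleDefault below (pre-3.x oslo.policy API)` would make the intent explicit to the next maintainer. The OAuth1 consumer check strings themselves (`RULE_ADMIN_REQUIRED` on the legacy rules, `SYSTEM_READER` / `SYSTEM_ADMIN` on the new ones) are unchanged, so this is API shape only.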
1475 | diff --git a/keystone/common/policies/credential.py b/keystone/common/policies/credential.py | |||
1476 | index 675e318..52a9fa8 100644 | |||
1477 | --- a/keystone/common/policies/credential.py | |||
1478 | +++ b/keystone/common/policies/credential.py | |||
1479 | @@ -21,33 +21,23 @@ DEPRECATED_REASON = ( | |||
1480 | 21 | 21 | ||
1481 | 22 | deprecated_get_credential = policy.DeprecatedRule( | 22 | deprecated_get_credential = policy.DeprecatedRule( |
1482 | 23 | name=base.IDENTITY % 'get_credential', | 23 | name=base.IDENTITY % 'get_credential', |
1486 | 24 | check_str=base.RULE_ADMIN_REQUIRED, | 24 | check_str=base.RULE_ADMIN_REQUIRED |
1484 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
1485 | 26 | deprecated_since=versionutils.deprecated.STEIN | ||
1487 | 27 | ) | 25 | ) |
1488 | 28 | deprecated_list_credentials = policy.DeprecatedRule( | 26 | deprecated_list_credentials = policy.DeprecatedRule( |
1489 | 29 | name=base.IDENTITY % 'list_credentials', | 27 | name=base.IDENTITY % 'list_credentials', |
1493 | 30 | check_str=base.RULE_ADMIN_REQUIRED, | 28 | check_str=base.RULE_ADMIN_REQUIRED |
1491 | 31 | deprecated_reason=DEPRECATED_REASON, | ||
1492 | 32 | deprecated_since=versionutils.deprecated.STEIN | ||
1494 | 33 | ) | 29 | ) |
1495 | 34 | deprecated_create_credential = policy.DeprecatedRule( | 30 | deprecated_create_credential = policy.DeprecatedRule( |
1496 | 35 | name=base.IDENTITY % 'create_credential', | 31 | name=base.IDENTITY % 'create_credential', |
1500 | 36 | check_str=base.RULE_ADMIN_REQUIRED, | 32 | check_str=base.RULE_ADMIN_REQUIRED |
1498 | 37 | deprecated_reason=DEPRECATED_REASON, | ||
1499 | 38 | deprecated_since=versionutils.deprecated.STEIN | ||
1501 | 39 | ) | 33 | ) |
1502 | 40 | deprecated_update_credential = policy.DeprecatedRule( | 34 | deprecated_update_credential = policy.DeprecatedRule( |
1503 | 41 | name=base.IDENTITY % 'update_credential', | 35 | name=base.IDENTITY % 'update_credential', |
1507 | 42 | check_str=base.RULE_ADMIN_REQUIRED, | 36 | check_str=base.RULE_ADMIN_REQUIRED |
1505 | 43 | deprecated_reason=DEPRECATED_REASON, | ||
1506 | 44 | deprecated_since=versionutils.deprecated.STEIN | ||
1508 | 45 | ) | 37 | ) |
1509 | 46 | deprecated_delete_credential = policy.DeprecatedRule( | 38 | deprecated_delete_credential = policy.DeprecatedRule( |
1510 | 47 | name=base.IDENTITY % 'delete_credential', | 39 | name=base.IDENTITY % 'delete_credential', |
1514 | 48 | check_str=base.RULE_ADMIN_REQUIRED, | 40 | check_str=base.RULE_ADMIN_REQUIRED |
1512 | 49 | deprecated_reason=DEPRECATED_REASON, | ||
1513 | 50 | deprecated_since=versionutils.deprecated.STEIN | ||
1515 | 51 | ) | 41 | ) |
1516 | 52 | 42 | ||
1517 | 53 | 43 | ||
1518 | @@ -60,6 +50,8 @@ credential_policies = [ | |||
1519 | 60 | operations=[{'path': '/v3/credentials/{credential_id}', | 50 | operations=[{'path': '/v3/credentials/{credential_id}', |
1520 | 61 | 'method': 'GET'}], | 51 | 'method': 'GET'}], |
1521 | 62 | deprecated_rule=deprecated_get_credential, | 52 | deprecated_rule=deprecated_get_credential, |
1522 | 53 | deprecated_reason=DEPRECATED_REASON, | ||
1523 | 54 | deprecated_since=versionutils.deprecated.STEIN | ||
1524 | 63 | ), | 55 | ), |
1525 | 64 | policy.DocumentedRuleDefault( | 56 | policy.DocumentedRuleDefault( |
1526 | 65 | name=base.IDENTITY % 'list_credentials', | 57 | name=base.IDENTITY % 'list_credentials', |
1527 | @@ -69,6 +61,8 @@ credential_policies = [ | |||
1528 | 69 | operations=[{'path': '/v3/credentials', | 61 | operations=[{'path': '/v3/credentials', |
1529 | 70 | 'method': 'GET'}], | 62 | 'method': 'GET'}], |
1530 | 71 | deprecated_rule=deprecated_list_credentials, | 63 | deprecated_rule=deprecated_list_credentials, |
1531 | 64 | deprecated_reason=DEPRECATED_REASON, | ||
1532 | 65 | deprecated_since=versionutils.deprecated.STEIN | ||
1533 | 72 | ), | 66 | ), |
1534 | 73 | policy.DocumentedRuleDefault( | 67 | policy.DocumentedRuleDefault( |
1535 | 74 | name=base.IDENTITY % 'create_credential', | 68 | name=base.IDENTITY % 'create_credential', |
1536 | @@ -78,6 +72,8 @@ credential_policies = [ | |||
1537 | 78 | operations=[{'path': '/v3/credentials', | 72 | operations=[{'path': '/v3/credentials', |
1538 | 79 | 'method': 'POST'}], | 73 | 'method': 'POST'}], |
1539 | 80 | deprecated_rule=deprecated_create_credential, | 74 | deprecated_rule=deprecated_create_credential, |
1540 | 75 | deprecated_reason=DEPRECATED_REASON, | ||
1541 | 76 | deprecated_since=versionutils.deprecated.STEIN | ||
1542 | 81 | ), | 77 | ), |
1543 | 82 | policy.DocumentedRuleDefault( | 78 | policy.DocumentedRuleDefault( |
1544 | 83 | name=base.IDENTITY % 'update_credential', | 79 | name=base.IDENTITY % 'update_credential', |
1545 | @@ -87,6 +83,8 @@ credential_policies = [ | |||
1546 | 87 | operations=[{'path': '/v3/credentials/{credential_id}', | 83 | operations=[{'path': '/v3/credentials/{credential_id}', |
1547 | 88 | 'method': 'PATCH'}], | 84 | 'method': 'PATCH'}], |
1548 | 89 | deprecated_rule=deprecated_update_credential, | 85 | deprecated_rule=deprecated_update_credential, |
1549 | 86 | deprecated_reason=DEPRECATED_REASON, | ||
1550 | 87 | deprecated_since=versionutils.deprecated.STEIN | ||
1551 | 90 | ), | 88 | ), |
1552 | 91 | policy.DocumentedRuleDefault( | 89 | policy.DocumentedRuleDefault( |
1553 | 92 | name=base.IDENTITY % 'delete_credential', | 90 | name=base.IDENTITY % 'delete_credential', |
1554 | @@ -96,6 +94,8 @@ credential_policies = [ | |||
1555 | 96 | operations=[{'path': '/v3/credentials/{credential_id}', | 94 | operations=[{'path': '/v3/credentials/{credential_id}', |
1556 | 97 | 'method': 'DELETE'}], | 95 | 'method': 'DELETE'}], |
1557 | 98 | deprecated_rule=deprecated_delete_credential, | 96 | deprecated_rule=deprecated_delete_credential, |
1558 | 97 | deprecated_reason=DEPRECATED_REASON, | ||
1559 | 98 | deprecated_since=versionutils.deprecated.STEIN | ||
1560 | 99 | ) | 99 | ) |
1561 | 100 | ] | 100 | ] |
1562 | 101 | 101 | ||
1563 | diff --git a/keystone/common/policies/domain.py b/keystone/common/policies/domain.py | |||
1564 | index cd743ee..7d3e3d7 100644 | |||
1565 | --- a/keystone/common/policies/domain.py | |||
1566 | +++ b/keystone/common/policies/domain.py | |||
1567 | @@ -21,33 +21,23 @@ DEPRECATED_REASON = ( | |||
1568 | 21 | 21 | ||
1569 | 22 | deprecated_list_domains = policy.DeprecatedRule( | 22 | deprecated_list_domains = policy.DeprecatedRule( |
1570 | 23 | name=base.IDENTITY % 'list_domains', | 23 | name=base.IDENTITY % 'list_domains', |
1574 | 24 | check_str=base.RULE_ADMIN_REQUIRED, | 24 | check_str=base.RULE_ADMIN_REQUIRED |
1572 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
1573 | 26 | deprecated_since=versionutils.deprecated.STEIN | ||
1575 | 27 | ) | 25 | ) |
1576 | 28 | deprecated_get_domain = policy.DeprecatedRule( | 26 | deprecated_get_domain = policy.DeprecatedRule( |
1577 | 29 | name=base.IDENTITY % 'get_domain', | 27 | name=base.IDENTITY % 'get_domain', |
1581 | 30 | check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN, | 28 | check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN |
1579 | 31 | deprecated_reason=DEPRECATED_REASON, | ||
1580 | 32 | deprecated_since=versionutils.deprecated.STEIN | ||
1582 | 33 | ) | 29 | ) |
1583 | 34 | deprecated_update_domain = policy.DeprecatedRule( | 30 | deprecated_update_domain = policy.DeprecatedRule( |
1584 | 35 | name=base.IDENTITY % 'update_domain', | 31 | name=base.IDENTITY % 'update_domain', |
1588 | 36 | check_str=base.RULE_ADMIN_REQUIRED, | 32 | check_str=base.RULE_ADMIN_REQUIRED |
1586 | 37 | deprecated_reason=DEPRECATED_REASON, | ||
1587 | 38 | deprecated_since=versionutils.deprecated.STEIN | ||
1589 | 39 | ) | 33 | ) |
1590 | 40 | deprecated_create_domain = policy.DeprecatedRule( | 34 | deprecated_create_domain = policy.DeprecatedRule( |
1591 | 41 | name=base.IDENTITY % 'create_domain', | 35 | name=base.IDENTITY % 'create_domain', |
1595 | 42 | check_str=base.RULE_ADMIN_REQUIRED, | 36 | check_str=base.RULE_ADMIN_REQUIRED |
1593 | 43 | deprecated_reason=DEPRECATED_REASON, | ||
1594 | 44 | deprecated_since=versionutils.deprecated.STEIN | ||
1596 | 45 | ) | 37 | ) |
1597 | 46 | deprecated_delete_domain = policy.DeprecatedRule( | 38 | deprecated_delete_domain = policy.DeprecatedRule( |
1598 | 47 | name=base.IDENTITY % 'delete_domain', | 39 | name=base.IDENTITY % 'delete_domain', |
1602 | 48 | check_str=base.RULE_ADMIN_REQUIRED, | 40 | check_str=base.RULE_ADMIN_REQUIRED |
1600 | 49 | deprecated_reason=DEPRECATED_REASON, | ||
1601 | 50 | deprecated_since=versionutils.deprecated.STEIN | ||
1603 | 51 | ) | 41 | ) |
1604 | 52 | SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER = ( | 42 | SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER = ( |
1605 | 53 | '(role:reader and system_scope:all) or ' | 43 | '(role:reader and system_scope:all) or ' |
1606 | @@ -66,7 +56,9 @@ domain_policies = [ | |||
1607 | 66 | description='Show domain details.', | 56 | description='Show domain details.', |
1608 | 67 | operations=[{'path': '/v3/domains/{domain_id}', | 57 | operations=[{'path': '/v3/domains/{domain_id}', |
1609 | 68 | 'method': 'GET'}], | 58 | 'method': 'GET'}], |
1611 | 69 | deprecated_rule=deprecated_get_domain), | 59 | deprecated_rule=deprecated_get_domain, |
1612 | 60 | deprecated_reason=DEPRECATED_REASON, | ||
1613 | 61 | deprecated_since=versionutils.deprecated.STEIN), | ||
1614 | 70 | policy.DocumentedRuleDefault( | 62 | policy.DocumentedRuleDefault( |
1615 | 71 | name=base.IDENTITY % 'list_domains', | 63 | name=base.IDENTITY % 'list_domains', |
1616 | 72 | check_str=base.SYSTEM_READER, | 64 | check_str=base.SYSTEM_READER, |
1617 | @@ -74,7 +66,9 @@ domain_policies = [ | |||
1618 | 74 | description='List domains.', | 66 | description='List domains.', |
1619 | 75 | operations=[{'path': '/v3/domains', | 67 | operations=[{'path': '/v3/domains', |
1620 | 76 | 'method': 'GET'}], | 68 | 'method': 'GET'}], |
1622 | 77 | deprecated_rule=deprecated_list_domains), | 69 | deprecated_rule=deprecated_list_domains, |
1623 | 70 | deprecated_reason=DEPRECATED_REASON, | ||
1624 | 71 | deprecated_since=versionutils.deprecated.STEIN), | ||
1625 | 78 | policy.DocumentedRuleDefault( | 72 | policy.DocumentedRuleDefault( |
1626 | 79 | name=base.IDENTITY % 'create_domain', | 73 | name=base.IDENTITY % 'create_domain', |
1627 | 80 | check_str=base.SYSTEM_ADMIN, | 74 | check_str=base.SYSTEM_ADMIN, |
1628 | @@ -82,7 +76,9 @@ domain_policies = [ | |||
1629 | 82 | description='Create domain.', | 76 | description='Create domain.', |
1630 | 83 | operations=[{'path': '/v3/domains', | 77 | operations=[{'path': '/v3/domains', |
1631 | 84 | 'method': 'POST'}], | 78 | 'method': 'POST'}], |
1633 | 85 | deprecated_rule=deprecated_create_domain), | 79 | deprecated_rule=deprecated_create_domain, |
1634 | 80 | deprecated_reason=DEPRECATED_REASON, | ||
1635 | 81 | deprecated_since=versionutils.deprecated.STEIN), | ||
1636 | 86 | policy.DocumentedRuleDefault( | 82 | policy.DocumentedRuleDefault( |
1637 | 87 | name=base.IDENTITY % 'update_domain', | 83 | name=base.IDENTITY % 'update_domain', |
1638 | 88 | check_str=base.SYSTEM_ADMIN, | 84 | check_str=base.SYSTEM_ADMIN, |
1639 | @@ -90,7 +86,9 @@ domain_policies = [ | |||
1640 | 90 | description='Update domain.', | 86 | description='Update domain.', |
1641 | 91 | operations=[{'path': '/v3/domains/{domain_id}', | 87 | operations=[{'path': '/v3/domains/{domain_id}', |
1642 | 92 | 'method': 'PATCH'}], | 88 | 'method': 'PATCH'}], |
1644 | 93 | deprecated_rule=deprecated_update_domain), | 89 | deprecated_rule=deprecated_update_domain, |
1645 | 90 | deprecated_reason=DEPRECATED_REASON, | ||
1646 | 91 | deprecated_since=versionutils.deprecated.STEIN), | ||
1647 | 94 | policy.DocumentedRuleDefault( | 92 | policy.DocumentedRuleDefault( |
1648 | 95 | name=base.IDENTITY % 'delete_domain', | 93 | name=base.IDENTITY % 'delete_domain', |
1649 | 96 | check_str=base.SYSTEM_ADMIN, | 94 | check_str=base.SYSTEM_ADMIN, |
1650 | @@ -98,7 +96,9 @@ domain_policies = [ | |||
1651 | 98 | description='Delete domain.', | 96 | description='Delete domain.', |
1652 | 99 | operations=[{'path': '/v3/domains/{domain_id}', | 97 | operations=[{'path': '/v3/domains/{domain_id}', |
1653 | 100 | 'method': 'DELETE'}], | 98 | 'method': 'DELETE'}], |
1655 | 101 | deprecated_rule=deprecated_delete_domain), | 99 | deprecated_rule=deprecated_delete_domain, |
1656 | 100 | deprecated_reason=DEPRECATED_REASON, | ||
1657 | 101 | deprecated_since=versionutils.deprecated.STEIN), | ||
1658 | 102 | ] | 102 | ] |
1659 | 103 | 103 | ||
1660 | 104 | 104 | ||
1661 | diff --git a/keystone/common/policies/domain_config.py b/keystone/common/policies/domain_config.py | |||
1662 | index b1c8fda..a157f0d 100644 | |||
1663 | --- a/keystone/common/policies/domain_config.py | |||
1664 | +++ b/keystone/common/policies/domain_config.py | |||
1665 | @@ -15,46 +15,36 @@ from oslo_policy import policy | |||
1666 | 15 | 15 | ||
1667 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
1668 | 17 | 17 | ||
1669 | 18 | DEPRECATED_REASON = ( | ||
1670 | 19 | "The domain config API is now aware of system scope and default roles." | ||
1671 | 20 | ) | ||
1672 | 21 | |||
1673 | 22 | deprecated_get_domain_config = policy.DeprecatedRule( | 18 | deprecated_get_domain_config = policy.DeprecatedRule( |
1674 | 23 | name=base.IDENTITY % 'get_domain_config', | 19 | name=base.IDENTITY % 'get_domain_config', |
1675 | 24 | check_str=base.RULE_ADMIN_REQUIRED, | 20 | check_str=base.RULE_ADMIN_REQUIRED, |
1676 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
1677 | 26 | deprecated_since=versionutils.deprecated.TRAIN | ||
1678 | 27 | ) | 21 | ) |
1679 | 28 | 22 | ||
1680 | 29 | deprecated_get_domain_config_default = policy.DeprecatedRule( | 23 | deprecated_get_domain_config_default = policy.DeprecatedRule( |
1681 | 30 | name=base.IDENTITY % 'get_domain_config_default', | 24 | name=base.IDENTITY % 'get_domain_config_default', |
1682 | 31 | check_str=base.RULE_ADMIN_REQUIRED, | 25 | check_str=base.RULE_ADMIN_REQUIRED, |
1683 | 32 | deprecated_reason=DEPRECATED_REASON, | ||
1684 | 33 | deprecated_since=versionutils.deprecated.TRAIN | ||
1685 | 34 | ) | 26 | ) |
1686 | 35 | 27 | ||
1687 | 36 | deprecated_create_domain_config = policy.DeprecatedRule( | 28 | deprecated_create_domain_config = policy.DeprecatedRule( |
1688 | 37 | name=base.IDENTITY % 'create_domain_config', | 29 | name=base.IDENTITY % 'create_domain_config', |
1689 | 38 | check_str=base.RULE_ADMIN_REQUIRED, | 30 | check_str=base.RULE_ADMIN_REQUIRED, |
1690 | 39 | deprecated_reason=DEPRECATED_REASON, | ||
1691 | 40 | deprecated_since=versionutils.deprecated.TRAIN | ||
1692 | 41 | ) | 31 | ) |
1693 | 42 | 32 | ||
1694 | 43 | deprecated_update_domain_config = policy.DeprecatedRule( | 33 | deprecated_update_domain_config = policy.DeprecatedRule( |
1695 | 44 | name=base.IDENTITY % 'update_domain_config', | 34 | name=base.IDENTITY % 'update_domain_config', |
1696 | 45 | check_str=base.RULE_ADMIN_REQUIRED, | 35 | check_str=base.RULE_ADMIN_REQUIRED, |
1697 | 46 | deprecated_reason=DEPRECATED_REASON, | ||
1698 | 47 | deprecated_since=versionutils.deprecated.TRAIN | ||
1699 | 48 | ) | 36 | ) |
1700 | 49 | 37 | ||
1701 | 50 | deprecated_delete_domain_config = policy.DeprecatedRule( | 38 | deprecated_delete_domain_config = policy.DeprecatedRule( |
1702 | 51 | name=base.IDENTITY % 'delete_domain_config', | 39 | name=base.IDENTITY % 'delete_domain_config', |
1703 | 52 | check_str=base.RULE_ADMIN_REQUIRED, | 40 | check_str=base.RULE_ADMIN_REQUIRED, |
1704 | 53 | deprecated_reason=DEPRECATED_REASON, | ||
1705 | 54 | deprecated_since=versionutils.deprecated.TRAIN | ||
1706 | 55 | ) | 41 | ) |
1707 | 56 | 42 | ||
1708 | 57 | 43 | ||
1709 | 44 | DEPRECATED_REASON = ( | ||
1710 | 45 | "The domain config API is now aware of system scope and default roles." | ||
1711 | 46 | ) | ||
1712 | 47 | |||
1713 | 58 | domain_config_policies = [ | 48 | domain_config_policies = [ |
1714 | 59 | policy.DocumentedRuleDefault( | 49 | policy.DocumentedRuleDefault( |
1715 | 60 | name=base.IDENTITY % 'create_domain_config', | 50 | name=base.IDENTITY % 'create_domain_config', |
1716 | @@ -75,7 +65,9 @@ domain_config_policies = [ | |||
1717 | 75 | 'method': 'PUT' | 65 | 'method': 'PUT' |
1718 | 76 | } | 66 | } |
1719 | 77 | ], | 67 | ], |
1721 | 78 | deprecated_rule=deprecated_create_domain_config | 68 | deprecated_rule=deprecated_create_domain_config, |
1722 | 69 | deprecated_reason=DEPRECATED_REASON, | ||
1723 | 70 | deprecated_since=versionutils.deprecated.TRAIN | ||
1724 | 79 | ), | 71 | ), |
1725 | 80 | policy.DocumentedRuleDefault( | 72 | policy.DocumentedRuleDefault( |
1726 | 81 | name=base.IDENTITY % 'get_domain_config', | 73 | name=base.IDENTITY % 'get_domain_config', |
1727 | @@ -111,6 +103,8 @@ domain_config_policies = [ | |||
1728 | 111 | } | 103 | } |
1729 | 112 | ], | 104 | ], |
1730 | 113 | deprecated_rule=deprecated_get_domain_config, | 105 | deprecated_rule=deprecated_get_domain_config, |
1731 | 106 | deprecated_reason=DEPRECATED_REASON, | ||
1732 | 107 | deprecated_since=versionutils.deprecated.TRAIN | ||
1733 | 114 | ), | 108 | ), |
1734 | 115 | policy.DocumentedRuleDefault( | 109 | policy.DocumentedRuleDefault( |
1735 | 116 | name=base.IDENTITY % 'get_security_compliance_domain_config', | 110 | name=base.IDENTITY % 'get_security_compliance_domain_config', |
1736 | @@ -130,12 +124,12 @@ domain_config_policies = [ | |||
1737 | 130 | 'method': 'HEAD' | 124 | 'method': 'HEAD' |
1738 | 131 | }, | 125 | }, |
1739 | 132 | { | 126 | { |
1741 | 133 | 'path': ('/v3/domains/{domain_id}/config/' | 127 | 'path': ('v3/domains/{domain_id}/config/' |
1742 | 134 | 'security_compliance/{option}'), | 128 | 'security_compliance/{option}'), |
1743 | 135 | 'method': 'GET' | 129 | 'method': 'GET' |
1744 | 136 | }, | 130 | }, |
1745 | 137 | { | 131 | { |
1747 | 138 | 'path': ('/v3/domains/{domain_id}/config/' | 132 | 'path': ('v3/domains/{domain_id}/config/' |
1748 | 139 | 'security_compliance/{option}'), | 133 | 'security_compliance/{option}'), |
1749 | 140 | 'method': 'HEAD' | 134 | 'method': 'HEAD' |
1750 | 141 | } | 135 | } |
1751 | @@ -162,6 +156,8 @@ domain_config_policies = [ | |||
1752 | 162 | } | 156 | } |
1753 | 163 | ], | 157 | ], |
1754 | 164 | deprecated_rule=deprecated_update_domain_config, | 158 | deprecated_rule=deprecated_update_domain_config, |
1755 | 159 | deprecated_reason=DEPRECATED_REASON, | ||
1756 | 160 | deprecated_since=versionutils.deprecated.TRAIN | ||
1757 | 165 | ), | 161 | ), |
1758 | 166 | policy.DocumentedRuleDefault( | 162 | policy.DocumentedRuleDefault( |
1759 | 167 | name=base.IDENTITY % 'delete_domain_config', | 163 | name=base.IDENTITY % 'delete_domain_config', |
1760 | @@ -184,6 +180,8 @@ domain_config_policies = [ | |||
1761 | 184 | } | 180 | } |
1762 | 185 | ], | 181 | ], |
1763 | 186 | deprecated_rule=deprecated_delete_domain_config, | 182 | deprecated_rule=deprecated_delete_domain_config, |
1764 | 183 | deprecated_reason=DEPRECATED_REASON, | ||
1765 | 184 | deprecated_since=versionutils.deprecated.TRAIN | ||
1766 | 187 | ), | 185 | ), |
1767 | 188 | policy.DocumentedRuleDefault( | 186 | policy.DocumentedRuleDefault( |
1768 | 189 | name=base.IDENTITY % 'get_domain_config_default', | 187 | name=base.IDENTITY % 'get_domain_config_default', |
1769 | @@ -218,6 +216,8 @@ domain_config_policies = [ | |||
1770 | 218 | } | 216 | } |
1771 | 219 | ], | 217 | ], |
1772 | 220 | deprecated_rule=deprecated_get_domain_config_default, | 218 | deprecated_rule=deprecated_get_domain_config_default, |
1773 | 219 | deprecated_reason=DEPRECATED_REASON, | ||
1774 | 220 | deprecated_since=versionutils.deprecated.TRAIN | ||
1775 | 221 | ) | 221 | ) |
1776 | 222 | ] | 222 | ] |
1777 | 223 | 223 | ||
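Review bot: New lines 127 and 132 in the `get_security_compliance_domain_config` operations list drop the leading slash, giving `'v3/domains/{domain_id}/config/'` where the old side and every other path in these policy modules use `/v3/...`. As far as I can tell `operations` is documentation metadata consumed by the policy generators rather than the enforcement path, so access control is unaffected, but the generated policy documentation will show a wrong relative path for both the `GET` and `HEAD` entries. Both entries should read `'path': ('/v3/domains/{domain_id}/config/'`. The rule's `check_str` sits outside this hunk and is not visible here.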
1778 | diff --git a/keystone/common/policies/ec2_credential.py b/keystone/common/policies/ec2_credential.py | |||
1779 | index 9e52709..266a80e 100644 | |||
1780 | --- a/keystone/common/policies/ec2_credential.py | |||
1781 | +++ b/keystone/common/policies/ec2_credential.py | |||
1782 | @@ -15,35 +15,26 @@ from oslo_policy import policy | |||
1783 | 15 | 15 | ||
1784 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
1785 | 17 | 17 | ||
1786 | 18 | DEPRECATED_REASON = ( | ||
1787 | 19 | "The EC2 credential API is now aware of system scope and default roles." | ||
1788 | 20 | ) | ||
1789 | 21 | |||
1790 | 22 | deprecated_ec2_get_credential = policy.DeprecatedRule( | 18 | deprecated_ec2_get_credential = policy.DeprecatedRule( |
1791 | 23 | name=base.IDENTITY % 'ec2_get_credential', | 19 | name=base.IDENTITY % 'ec2_get_credential', |
1795 | 24 | check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER, | 20 | check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER |
1793 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
1794 | 26 | deprecated_since=versionutils.deprecated.TRAIN | ||
1796 | 27 | ) | 21 | ) |
1797 | 28 | deprecated_ec2_list_credentials = policy.DeprecatedRule( | 22 | deprecated_ec2_list_credentials = policy.DeprecatedRule( |
1798 | 29 | name=base.IDENTITY % 'ec2_list_credentials', | 23 | name=base.IDENTITY % 'ec2_list_credentials', |
1802 | 30 | check_str=base.RULE_ADMIN_OR_OWNER, | 24 | check_str=base.RULE_ADMIN_OR_OWNER |
1800 | 31 | deprecated_reason=DEPRECATED_REASON, | ||
1801 | 32 | deprecated_since=versionutils.deprecated.TRAIN | ||
1803 | 33 | ) | 25 | ) |
1804 | 34 | deprecated_ec2_create_credential = policy.DeprecatedRule( | 26 | deprecated_ec2_create_credential = policy.DeprecatedRule( |
1805 | 35 | name=base.IDENTITY % 'ec2_create_credential', | 27 | name=base.IDENTITY % 'ec2_create_credential', |
1809 | 36 | check_str=base.RULE_ADMIN_OR_OWNER, | 28 | check_str=base.RULE_ADMIN_OR_OWNER |
1807 | 37 | deprecated_reason=DEPRECATED_REASON, | ||
1808 | 38 | deprecated_since=versionutils.deprecated.TRAIN | ||
1810 | 39 | ) | 29 | ) |
1811 | 40 | deprecated_ec2_delete_credential = policy.DeprecatedRule( | 30 | deprecated_ec2_delete_credential = policy.DeprecatedRule( |
1812 | 41 | name=base.IDENTITY % 'ec2_delete_credential', | 31 | name=base.IDENTITY % 'ec2_delete_credential', |
1816 | 42 | check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER, | 32 | check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER |
1814 | 43 | deprecated_reason=DEPRECATED_REASON, | ||
1815 | 44 | deprecated_since=versionutils.deprecated.TRAIN | ||
1817 | 45 | ) | 33 | ) |
1818 | 46 | 34 | ||
1819 | 35 | DEPRECATED_REASON = ( | ||
1820 | 36 | "The EC2 credential API is now aware of system scope and default roles." | ||
1821 | 37 | ) | ||
1822 | 47 | 38 | ||
1823 | 48 | ec2_credential_policies = [ | 39 | ec2_credential_policies = [ |
1824 | 49 | policy.DocumentedRuleDefault( | 40 | policy.DocumentedRuleDefault( |
1825 | @@ -54,7 +45,9 @@ ec2_credential_policies = [ | |||
1826 | 54 | operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/' | 45 | operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/' |
1827 | 55 | '{credential_id}'), | 46 | '{credential_id}'), |
1828 | 56 | 'method': 'GET'}], | 47 | 'method': 'GET'}], |
1830 | 57 | deprecated_rule=deprecated_ec2_get_credential | 48 | deprecated_rule=deprecated_ec2_get_credential, |
1831 | 49 | deprecated_reason=DEPRECATED_REASON, | ||
1832 | 50 | deprecated_since=versionutils.deprecated.TRAIN | ||
1833 | 58 | ), | 51 | ), |
1834 | 59 | policy.DocumentedRuleDefault( | 52 | policy.DocumentedRuleDefault( |
1835 | 60 | name=base.IDENTITY % 'ec2_list_credentials', | 53 | name=base.IDENTITY % 'ec2_list_credentials', |
1836 | @@ -64,6 +57,8 @@ ec2_credential_policies = [ | |||
1837 | 64 | operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2', | 57 | operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2', |
1838 | 65 | 'method': 'GET'}], | 58 | 'method': 'GET'}], |
1839 | 66 | deprecated_rule=deprecated_ec2_list_credentials, | 59 | deprecated_rule=deprecated_ec2_list_credentials, |
1840 | 60 | deprecated_reason=DEPRECATED_REASON, | ||
1841 | 61 | deprecated_since=versionutils.deprecated.TRAIN | ||
1842 | 67 | ), | 62 | ), |
1843 | 68 | policy.DocumentedRuleDefault( | 63 | policy.DocumentedRuleDefault( |
1844 | 69 | name=base.IDENTITY % 'ec2_create_credential', | 64 | name=base.IDENTITY % 'ec2_create_credential', |
1845 | @@ -73,6 +68,8 @@ ec2_credential_policies = [ | |||
1846 | 73 | operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2', | 68 | operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2', |
1847 | 74 | 'method': 'POST'}], | 69 | 'method': 'POST'}], |
1848 | 75 | deprecated_rule=deprecated_ec2_create_credential, | 70 | deprecated_rule=deprecated_ec2_create_credential, |
1849 | 71 | deprecated_reason=DEPRECATED_REASON, | ||
1850 | 72 | deprecated_since=versionutils.deprecated.TRAIN | ||
1851 | 76 | ), | 73 | ), |
1852 | 77 | policy.DocumentedRuleDefault( | 74 | policy.DocumentedRuleDefault( |
1853 | 78 | name=base.IDENTITY % 'ec2_delete_credential', | 75 | name=base.IDENTITY % 'ec2_delete_credential', |
1854 | @@ -83,6 +80,8 @@ ec2_credential_policies = [ | |||
1855 | 83 | '{credential_id}'), | 80 | '{credential_id}'), |
1856 | 84 | 'method': 'DELETE'}], | 81 | 'method': 'DELETE'}], |
1857 | 85 | deprecated_rule=deprecated_ec2_delete_credential, | 82 | deprecated_rule=deprecated_ec2_delete_credential, |
1858 | 83 | deprecated_reason=DEPRECATED_REASON, | ||
1859 | 84 | deprecated_since=versionutils.deprecated.TRAIN | ||
1860 | 86 | ) | 85 | ) |
1861 | 87 | ] | 86 | ] |
1862 | 88 | 87 | ||
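Review bot: On the new side `deprecated_reason` and `deprecated_since` are no longer set on the four `policy.DeprecatedRule` objects (new lines 18–33) but are instead passed to each `DocumentedRuleDefault` (new lines 49–50, 60–61, 71–72, 83–84); if I recall correctly this is the older oslo.policy convention, and newer oslo.policy releases expect these arguments on `DeprecatedRule` and warn when they are given to the rule default, so it should be checked against the oslo.policy version this package pins. The effective check strings are unchanged on both sides (`base.RULE_ADMIN_OR_CREDENTIAL_OWNER` for get/delete, `base.RULE_ADMIN_OR_OWNER` for list/create), so no permission change is introduced by this hunk. A caveat worth recording for packagers: while a `DeprecatedRule` is attached, oslo.policy accepts the legacy check string OR the new default until `enforce_new_defaults` is enabled, so the admin-or-owner rules stay reachable after this merge. Taken with the rest of the diffstat (ChangeLog and AUTHORS shrink), this looks like an import of an older upstream snapshot rather than a forward change — presumably intended, but worth confirming in the proposal description.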
1863 | diff --git a/keystone/common/policies/endpoint.py b/keystone/common/policies/endpoint.py | |||
1864 | index 7858249..b99a40e 100644 | |||
1865 | --- a/keystone/common/policies/endpoint.py | |||
1866 | +++ b/keystone/common/policies/endpoint.py | |||
1867 | @@ -15,34 +15,24 @@ from oslo_policy import policy | |||
1868 | 15 | 15 | ||
1869 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
1870 | 17 | 17 | ||
1871 | 18 | DEPRECATED_REASON = ( | ||
1872 | 19 | "The endpoint API is now aware of system scope and default roles." | ||
1873 | 20 | ) | ||
1874 | 21 | |||
1875 | 22 | deprecated_get_endpoint = policy.DeprecatedRule( | 18 | deprecated_get_endpoint = policy.DeprecatedRule( |
1876 | 23 | name=base.IDENTITY % 'get_endpoint', check_str=base.RULE_ADMIN_REQUIRED, | 19 | name=base.IDENTITY % 'get_endpoint', check_str=base.RULE_ADMIN_REQUIRED, |
1877 | 24 | deprecated_reason=DEPRECATED_REASON, | ||
1878 | 25 | deprecated_since=versionutils.deprecated.STEIN | ||
1879 | 26 | ) | 20 | ) |
1880 | 27 | deprecated_list_endpoints = policy.DeprecatedRule( | 21 | deprecated_list_endpoints = policy.DeprecatedRule( |
1881 | 28 | name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED, | 22 | name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED, |
1882 | 29 | deprecated_reason=DEPRECATED_REASON, | ||
1883 | 30 | deprecated_since=versionutils.deprecated.STEIN | ||
1884 | 31 | ) | 23 | ) |
1885 | 32 | deprecated_update_endpoint = policy.DeprecatedRule( | 24 | deprecated_update_endpoint = policy.DeprecatedRule( |
1886 | 33 | name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED, | 25 | name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED, |
1887 | 34 | deprecated_reason=DEPRECATED_REASON, | ||
1888 | 35 | deprecated_since=versionutils.deprecated.STEIN | ||
1889 | 36 | ) | 26 | ) |
1890 | 37 | deprecated_create_endpoint = policy.DeprecatedRule( | 27 | deprecated_create_endpoint = policy.DeprecatedRule( |
1891 | 38 | name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED, | 28 | name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED, |
1892 | 39 | deprecated_reason=DEPRECATED_REASON, | ||
1893 | 40 | deprecated_since=versionutils.deprecated.STEIN | ||
1894 | 41 | ) | 29 | ) |
1895 | 42 | deprecated_delete_endpoint = policy.DeprecatedRule( | 30 | deprecated_delete_endpoint = policy.DeprecatedRule( |
1896 | 43 | name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED, | 31 | name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED, |
1899 | 44 | deprecated_reason=DEPRECATED_REASON, | 32 | ) |
1900 | 45 | deprecated_since=versionutils.deprecated.STEIN | 33 | |
1901 | 34 | DEPRECATED_REASON = ( | ||
1902 | 35 | "The endpoint API is now aware of system scope and default roles." | ||
1903 | 46 | ) | 36 | ) |
1904 | 47 | 37 | ||
1905 | 48 | 38 | ||
1906 | @@ -54,7 +44,9 @@ endpoint_policies = [ | |||
1907 | 54 | description='Show endpoint details.', | 44 | description='Show endpoint details.', |
1908 | 55 | operations=[{'path': '/v3/endpoints/{endpoint_id}', | 45 | operations=[{'path': '/v3/endpoints/{endpoint_id}', |
1909 | 56 | 'method': 'GET'}], | 46 | 'method': 'GET'}], |
1911 | 57 | deprecated_rule=deprecated_get_endpoint), | 47 | deprecated_rule=deprecated_get_endpoint, |
1912 | 48 | deprecated_reason=DEPRECATED_REASON, | ||
1913 | 49 | deprecated_since=versionutils.deprecated.STEIN), | ||
1914 | 58 | policy.DocumentedRuleDefault( | 50 | policy.DocumentedRuleDefault( |
1915 | 59 | name=base.IDENTITY % 'list_endpoints', | 51 | name=base.IDENTITY % 'list_endpoints', |
1916 | 60 | check_str=base.SYSTEM_READER, | 52 | check_str=base.SYSTEM_READER, |
1917 | @@ -62,7 +54,9 @@ endpoint_policies = [ | |||
1918 | 62 | description='List endpoints.', | 54 | description='List endpoints.', |
1919 | 63 | operations=[{'path': '/v3/endpoints', | 55 | operations=[{'path': '/v3/endpoints', |
1920 | 64 | 'method': 'GET'}], | 56 | 'method': 'GET'}], |
1922 | 65 | deprecated_rule=deprecated_list_endpoints), | 57 | deprecated_rule=deprecated_list_endpoints, |
1923 | 58 | deprecated_reason=DEPRECATED_REASON, | ||
1924 | 59 | deprecated_since=versionutils.deprecated.STEIN), | ||
1925 | 66 | policy.DocumentedRuleDefault( | 60 | policy.DocumentedRuleDefault( |
1926 | 67 | name=base.IDENTITY % 'create_endpoint', | 61 | name=base.IDENTITY % 'create_endpoint', |
1927 | 68 | check_str=base.SYSTEM_ADMIN, | 62 | check_str=base.SYSTEM_ADMIN, |
1928 | @@ -70,7 +64,9 @@ endpoint_policies = [ | |||
1929 | 70 | description='Create endpoint.', | 64 | description='Create endpoint.', |
1930 | 71 | operations=[{'path': '/v3/endpoints', | 65 | operations=[{'path': '/v3/endpoints', |
1931 | 72 | 'method': 'POST'}], | 66 | 'method': 'POST'}], |
1933 | 73 | deprecated_rule=deprecated_create_endpoint), | 67 | deprecated_rule=deprecated_create_endpoint, |
1934 | 68 | deprecated_reason=DEPRECATED_REASON, | ||
1935 | 69 | deprecated_since=versionutils.deprecated.STEIN), | ||
1936 | 74 | policy.DocumentedRuleDefault( | 70 | policy.DocumentedRuleDefault( |
1937 | 75 | name=base.IDENTITY % 'update_endpoint', | 71 | name=base.IDENTITY % 'update_endpoint', |
1938 | 76 | check_str=base.SYSTEM_ADMIN, | 72 | check_str=base.SYSTEM_ADMIN, |
1939 | @@ -78,7 +74,9 @@ endpoint_policies = [ | |||
1940 | 78 | description='Update endpoint.', | 74 | description='Update endpoint.', |
1941 | 79 | operations=[{'path': '/v3/endpoints/{endpoint_id}', | 75 | operations=[{'path': '/v3/endpoints/{endpoint_id}', |
1942 | 80 | 'method': 'PATCH'}], | 76 | 'method': 'PATCH'}], |
1944 | 81 | deprecated_rule=deprecated_update_endpoint), | 77 | deprecated_rule=deprecated_update_endpoint, |
1945 | 78 | deprecated_reason=DEPRECATED_REASON, | ||
1946 | 79 | deprecated_since=versionutils.deprecated.STEIN), | ||
1947 | 82 | policy.DocumentedRuleDefault( | 80 | policy.DocumentedRuleDefault( |
1948 | 83 | name=base.IDENTITY % 'delete_endpoint', | 81 | name=base.IDENTITY % 'delete_endpoint', |
1949 | 84 | check_str=base.SYSTEM_ADMIN, | 82 | check_str=base.SYSTEM_ADMIN, |
1950 | @@ -86,7 +84,9 @@ endpoint_policies = [ | |||
1951 | 86 | description='Delete endpoint.', | 84 | description='Delete endpoint.', |
1952 | 87 | operations=[{'path': '/v3/endpoints/{endpoint_id}', | 85 | operations=[{'path': '/v3/endpoints/{endpoint_id}', |
1953 | 88 | 'method': 'DELETE'}], | 86 | 'method': 'DELETE'}], |
1955 | 89 | deprecated_rule=deprecated_delete_endpoint) | 87 | deprecated_rule=deprecated_delete_endpoint, |
1956 | 88 | deprecated_reason=DEPRECATED_REASON, | ||
1957 | 89 | deprecated_since=versionutils.deprecated.STEIN) | ||
1958 | 90 | ] | 90 | ] |
1959 | 91 | 91 | ||
1960 | 92 | 92 | ||
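Review bot: `DEPRECATED_REASON` is now defined after the five `DeprecatedRule`s that it conceptually explains (new lines 34–36, following `deprecated_delete_endpoint`), so a reader scanning the legacy-rule block no longer sees why those rules are deprecated or since when; a one-line comment above `deprecated_get_endpoint` would restore that, e.g. `# Legacy admin-only rules, deprecated in Stein in favour of the system-scope defaults below.` The new defaults (`base.SYSTEM_READER` for get/list, `base.SYSTEM_ADMIN` for create/update/delete) are context lines here and unchanged, but note that they require a system-scoped token; project-scoped admin tokens keep working only through the OR'd `RULE_ADMIN_REQUIRED` deprecated rule, which goes away once `enforce_new_defaults` is turned on. The `versionutils` name used on new lines 49, 59, 69, 79 and 89 is imported above the hunk and is not visible here.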
1961 | diff --git a/keystone/common/policies/endpoint_group.py b/keystone/common/policies/endpoint_group.py | |||
1962 | index 741e0b7..691a6fe 100644 | |||
1963 | --- a/keystone/common/policies/endpoint_group.py | |||
1964 | +++ b/keystone/common/policies/endpoint_group.py | |||
1965 | @@ -15,85 +15,64 @@ from oslo_policy import policy | |||
1966 | 15 | 15 | ||
1967 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
1968 | 17 | 17 | ||
1969 | 18 | DEPRECATED_REASON = ( | ||
1970 | 19 | "The endpoint groups API is now aware of system scope and default roles." | ||
1971 | 20 | ) | ||
1972 | 21 | |||
1973 | 22 | deprecated_list_endpoint_groups = policy.DeprecatedRule( | 18 | deprecated_list_endpoint_groups = policy.DeprecatedRule( |
1974 | 23 | name=base.IDENTITY % 'list_endpoint_groups', | 19 | name=base.IDENTITY % 'list_endpoint_groups', |
1975 | 24 | check_str=base.RULE_ADMIN_REQUIRED, | 20 | check_str=base.RULE_ADMIN_REQUIRED, |
1976 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
1977 | 26 | deprecated_since=versionutils.deprecated.TRAIN | ||
1978 | 27 | ) | 21 | ) |
1979 | 28 | 22 | ||
1980 | 29 | deprecated_get_endpoint_group = policy.DeprecatedRule( | 23 | deprecated_get_endpoint_group = policy.DeprecatedRule( |
1981 | 30 | name=base.IDENTITY % 'get_endpoint_group', | 24 | name=base.IDENTITY % 'get_endpoint_group', |
1982 | 31 | check_str=base.RULE_ADMIN_REQUIRED, | 25 | check_str=base.RULE_ADMIN_REQUIRED, |
1983 | 32 | deprecated_reason=DEPRECATED_REASON, | ||
1984 | 33 | deprecated_since=versionutils.deprecated.TRAIN | ||
1985 | 34 | ) | 26 | ) |
1986 | 35 | 27 | ||
1987 | 36 | deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule( | 28 | deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule( |
1988 | 37 | name=base.IDENTITY % 'list_projects_associated_with_endpoint_group', | 29 | name=base.IDENTITY % 'list_projects_associated_with_endpoint_group', |
1989 | 38 | check_str=base.RULE_ADMIN_REQUIRED, | 30 | check_str=base.RULE_ADMIN_REQUIRED, |
1990 | 39 | deprecated_reason=DEPRECATED_REASON, | ||
1991 | 40 | deprecated_since=versionutils.deprecated.TRAIN | ||
1992 | 41 | ) | 31 | ) |
1993 | 42 | 32 | ||
1994 | 43 | deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule( | 33 | deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule( |
1995 | 44 | name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group', | 34 | name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group', |
1996 | 45 | check_str=base.RULE_ADMIN_REQUIRED, | 35 | check_str=base.RULE_ADMIN_REQUIRED, |
1997 | 46 | deprecated_reason=DEPRECATED_REASON, | ||
1998 | 47 | deprecated_since=versionutils.deprecated.TRAIN | ||
1999 | 48 | ) | 36 | ) |
2000 | 49 | 37 | ||
2001 | 50 | deprecated_get_endpoint_group_in_project = policy.DeprecatedRule( | 38 | deprecated_get_endpoint_group_in_project = policy.DeprecatedRule( |
2002 | 51 | name=base.IDENTITY % 'get_endpoint_group_in_project', | 39 | name=base.IDENTITY % 'get_endpoint_group_in_project', |
2003 | 52 | check_str=base.RULE_ADMIN_REQUIRED, | 40 | check_str=base.RULE_ADMIN_REQUIRED, |
2004 | 53 | deprecated_reason=DEPRECATED_REASON, | ||
2005 | 54 | deprecated_since=versionutils.deprecated.TRAIN | ||
2006 | 55 | ) | 41 | ) |
2007 | 56 | 42 | ||
2008 | 57 | deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule( | 43 | deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule( |
2009 | 58 | name=base.IDENTITY % 'list_endpoint_groups_for_project', | 44 | name=base.IDENTITY % 'list_endpoint_groups_for_project', |
2010 | 59 | check_str=base.RULE_ADMIN_REQUIRED, | 45 | check_str=base.RULE_ADMIN_REQUIRED, |
2011 | 60 | deprecated_reason=DEPRECATED_REASON, | ||
2012 | 61 | deprecated_since=versionutils.deprecated.TRAIN | ||
2013 | 62 | ) | 46 | ) |
2014 | 63 | 47 | ||
2015 | 64 | deprecated_create_endpoint_group = policy.DeprecatedRule( | 48 | deprecated_create_endpoint_group = policy.DeprecatedRule( |
2016 | 65 | name=base.IDENTITY % 'create_endpoint_group', | 49 | name=base.IDENTITY % 'create_endpoint_group', |
2017 | 66 | check_str=base.RULE_ADMIN_REQUIRED, | 50 | check_str=base.RULE_ADMIN_REQUIRED, |
2018 | 67 | deprecated_reason=DEPRECATED_REASON, | ||
2019 | 68 | deprecated_since=versionutils.deprecated.TRAIN | ||
2020 | 69 | ) | 51 | ) |
2021 | 70 | 52 | ||
2022 | 71 | deprecated_update_endpoint_group = policy.DeprecatedRule( | 53 | deprecated_update_endpoint_group = policy.DeprecatedRule( |
2023 | 72 | name=base.IDENTITY % 'update_endpoint_group', | 54 | name=base.IDENTITY % 'update_endpoint_group', |
2024 | 73 | check_str=base.RULE_ADMIN_REQUIRED, | 55 | check_str=base.RULE_ADMIN_REQUIRED, |
2025 | 74 | deprecated_reason=DEPRECATED_REASON, | ||
2026 | 75 | deprecated_since=versionutils.deprecated.TRAIN | ||
2027 | 76 | ) | 56 | ) |
2028 | 77 | 57 | ||
2029 | 78 | deprecated_delete_endpoint_group = policy.DeprecatedRule( | 58 | deprecated_delete_endpoint_group = policy.DeprecatedRule( |
2030 | 79 | name=base.IDENTITY % 'delete_endpoint_group', | 59 | name=base.IDENTITY % 'delete_endpoint_group', |
2031 | 80 | check_str=base.RULE_ADMIN_REQUIRED, | 60 | check_str=base.RULE_ADMIN_REQUIRED, |
2032 | 81 | deprecated_reason=DEPRECATED_REASON, | ||
2033 | 82 | deprecated_since=versionutils.deprecated.TRAIN | ||
2034 | 83 | ) | 61 | ) |
2035 | 84 | 62 | ||
2036 | 85 | deprecated_add_endpoint_group_to_project = policy.DeprecatedRule( | 63 | deprecated_add_endpoint_group_to_project = policy.DeprecatedRule( |
2037 | 86 | name=base.IDENTITY % 'add_endpoint_group_to_project', | 64 | name=base.IDENTITY % 'add_endpoint_group_to_project', |
2038 | 87 | check_str=base.RULE_ADMIN_REQUIRED, | 65 | check_str=base.RULE_ADMIN_REQUIRED, |
2039 | 88 | deprecated_reason=DEPRECATED_REASON, | ||
2040 | 89 | deprecated_since=versionutils.deprecated.TRAIN | ||
2041 | 90 | ) | 66 | ) |
2042 | 91 | 67 | ||
2043 | 92 | deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule( | 68 | deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule( |
2044 | 93 | name=base.IDENTITY % 'remove_endpoint_group_from_project', | 69 | name=base.IDENTITY % 'remove_endpoint_group_from_project', |
2045 | 94 | check_str=base.RULE_ADMIN_REQUIRED, | 70 | check_str=base.RULE_ADMIN_REQUIRED, |
2048 | 95 | deprecated_reason=DEPRECATED_REASON, | 71 | ) |
2049 | 96 | deprecated_since=versionutils.deprecated.TRAIN | 72 | |
2050 | 73 | |||
2051 | 74 | DEPRECATED_REASON = ( | ||
2052 | 75 | "The endpoint groups API is now aware of system scope and default roles." | ||
2053 | 97 | ) | 76 | ) |
2054 | 98 | 77 | ||
2055 | 99 | 78 | ||
2056 | @@ -105,7 +84,9 @@ group_endpoint_policies = [ | |||
2057 | 105 | description='Create endpoint group.', | 84 | description='Create endpoint group.', |
2058 | 106 | operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups', | 85 | operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups', |
2059 | 107 | 'method': 'POST'}], | 86 | 'method': 'POST'}], |
2061 | 108 | deprecated_rule=deprecated_create_endpoint_group), | 87 | deprecated_rule=deprecated_create_endpoint_group, |
2062 | 88 | deprecated_reason=DEPRECATED_REASON, | ||
2063 | 89 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2064 | 109 | policy.DocumentedRuleDefault( | 90 | policy.DocumentedRuleDefault( |
2065 | 110 | name=base.IDENTITY % 'list_endpoint_groups', | 91 | name=base.IDENTITY % 'list_endpoint_groups', |
2066 | 111 | check_str=base.SYSTEM_READER, | 92 | check_str=base.SYSTEM_READER, |
2067 | @@ -113,7 +94,9 @@ group_endpoint_policies = [ | |||
2068 | 113 | description='List endpoint groups.', | 94 | description='List endpoint groups.', |
2069 | 114 | operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups', | 95 | operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups', |
2070 | 115 | 'method': 'GET'}], | 96 | 'method': 'GET'}], |
2072 | 116 | deprecated_rule=deprecated_list_endpoint_groups), | 97 | deprecated_rule=deprecated_list_endpoint_groups, |
2073 | 98 | deprecated_reason=DEPRECATED_REASON, | ||
2074 | 99 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2075 | 117 | policy.DocumentedRuleDefault( | 100 | policy.DocumentedRuleDefault( |
2076 | 118 | name=base.IDENTITY % 'get_endpoint_group', | 101 | name=base.IDENTITY % 'get_endpoint_group', |
2077 | 119 | check_str=base.SYSTEM_READER, | 102 | check_str=base.SYSTEM_READER, |
2078 | @@ -125,7 +108,9 @@ group_endpoint_policies = [ | |||
2079 | 125 | {'path': ('/v3/OS-EP-FILTER/endpoint_groups/' | 108 | {'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2080 | 126 | '{endpoint_group_id}'), | 109 | '{endpoint_group_id}'), |
2081 | 127 | 'method': 'HEAD'}], | 110 | 'method': 'HEAD'}], |
2083 | 128 | deprecated_rule=deprecated_get_endpoint_group), | 111 | deprecated_rule=deprecated_get_endpoint_group, |
2084 | 112 | deprecated_reason=DEPRECATED_REASON, | ||
2085 | 113 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2086 | 129 | policy.DocumentedRuleDefault( | 114 | policy.DocumentedRuleDefault( |
2087 | 130 | name=base.IDENTITY % 'update_endpoint_group', | 115 | name=base.IDENTITY % 'update_endpoint_group', |
2088 | 131 | check_str=base.SYSTEM_ADMIN, | 116 | check_str=base.SYSTEM_ADMIN, |
2089 | @@ -134,7 +119,9 @@ group_endpoint_policies = [ | |||
2090 | 134 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' | 119 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2091 | 135 | '{endpoint_group_id}'), | 120 | '{endpoint_group_id}'), |
2092 | 136 | 'method': 'PATCH'}], | 121 | 'method': 'PATCH'}], |
2094 | 137 | deprecated_rule=deprecated_update_endpoint_group), | 122 | deprecated_rule=deprecated_update_endpoint_group, |
2095 | 123 | deprecated_reason=DEPRECATED_REASON, | ||
2096 | 124 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2097 | 138 | policy.DocumentedRuleDefault( | 125 | policy.DocumentedRuleDefault( |
2098 | 139 | name=base.IDENTITY % 'delete_endpoint_group', | 126 | name=base.IDENTITY % 'delete_endpoint_group', |
2099 | 140 | check_str=base.SYSTEM_ADMIN, | 127 | check_str=base.SYSTEM_ADMIN, |
2100 | @@ -143,7 +130,9 @@ group_endpoint_policies = [ | |||
2101 | 143 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' | 130 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2102 | 144 | '{endpoint_group_id}'), | 131 | '{endpoint_group_id}'), |
2103 | 145 | 'method': 'DELETE'}], | 132 | 'method': 'DELETE'}], |
2105 | 146 | deprecated_rule=deprecated_delete_endpoint_group), | 133 | deprecated_rule=deprecated_delete_endpoint_group, |
2106 | 134 | deprecated_reason=DEPRECATED_REASON, | ||
2107 | 135 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2108 | 147 | policy.DocumentedRuleDefault( | 136 | policy.DocumentedRuleDefault( |
2109 | 148 | name=base.IDENTITY % 'list_projects_associated_with_endpoint_group', | 137 | name=base.IDENTITY % 'list_projects_associated_with_endpoint_group', |
2110 | 149 | check_str=base.SYSTEM_READER, | 138 | check_str=base.SYSTEM_READER, |
2111 | @@ -153,7 +142,9 @@ group_endpoint_policies = [ | |||
2112 | 153 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' | 142 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2113 | 154 | '{endpoint_group_id}/projects'), | 143 | '{endpoint_group_id}/projects'), |
2114 | 155 | 'method': 'GET'}], | 144 | 'method': 'GET'}], |
2116 | 156 | deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group), | 145 | deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group, |
2117 | 146 | deprecated_reason=DEPRECATED_REASON, | ||
2118 | 147 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2119 | 157 | policy.DocumentedRuleDefault( | 148 | policy.DocumentedRuleDefault( |
2120 | 158 | name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group', | 149 | name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group', |
2121 | 159 | check_str=base.SYSTEM_READER, | 150 | check_str=base.SYSTEM_READER, |
2122 | @@ -162,7 +153,9 @@ group_endpoint_policies = [ | |||
2123 | 162 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' | 153 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2124 | 163 | '{endpoint_group_id}/endpoints'), | 154 | '{endpoint_group_id}/endpoints'), |
2125 | 164 | 'method': 'GET'}], | 155 | 'method': 'GET'}], |
2127 | 165 | deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group), | 156 | deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group, |
2128 | 157 | deprecated_reason=DEPRECATED_REASON, | ||
2129 | 158 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2130 | 166 | policy.DocumentedRuleDefault( | 159 | policy.DocumentedRuleDefault( |
2131 | 167 | name=base.IDENTITY % 'get_endpoint_group_in_project', | 160 | name=base.IDENTITY % 'get_endpoint_group_in_project', |
2132 | 168 | check_str=base.SYSTEM_READER, | 161 | check_str=base.SYSTEM_READER, |
2133 | @@ -175,7 +168,9 @@ group_endpoint_policies = [ | |||
2134 | 175 | {'path': ('/v3/OS-EP-FILTER/endpoint_groups/' | 168 | {'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2135 | 176 | '{endpoint_group_id}/projects/{project_id}'), | 169 | '{endpoint_group_id}/projects/{project_id}'), |
2136 | 177 | 'method': 'HEAD'}], | 170 | 'method': 'HEAD'}], |
2138 | 178 | deprecated_rule=deprecated_get_endpoint_group_in_project), | 171 | deprecated_rule=deprecated_get_endpoint_group_in_project, |
2139 | 172 | deprecated_reason=DEPRECATED_REASON, | ||
2140 | 173 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2141 | 179 | policy.DocumentedRuleDefault( | 174 | policy.DocumentedRuleDefault( |
2142 | 180 | name=base.IDENTITY % 'list_endpoint_groups_for_project', | 175 | name=base.IDENTITY % 'list_endpoint_groups_for_project', |
2143 | 181 | check_str=base.SYSTEM_READER, | 176 | check_str=base.SYSTEM_READER, |
2144 | @@ -184,7 +179,9 @@ group_endpoint_policies = [ | |||
2145 | 184 | operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' | 179 | operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' |
2146 | 185 | 'endpoint_groups'), | 180 | 'endpoint_groups'), |
2147 | 186 | 'method': 'GET'}], | 181 | 'method': 'GET'}], |
2149 | 187 | deprecated_rule=deprecated_list_endpoint_groups_for_project), | 182 | deprecated_rule=deprecated_list_endpoint_groups_for_project, |
2150 | 183 | deprecated_reason=DEPRECATED_REASON, | ||
2151 | 184 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2152 | 188 | policy.DocumentedRuleDefault( | 185 | policy.DocumentedRuleDefault( |
2153 | 189 | name=base.IDENTITY % 'add_endpoint_group_to_project', | 186 | name=base.IDENTITY % 'add_endpoint_group_to_project', |
2154 | 190 | check_str=base.SYSTEM_ADMIN, | 187 | check_str=base.SYSTEM_ADMIN, |
2155 | @@ -193,7 +190,9 @@ group_endpoint_policies = [ | |||
2156 | 193 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' | 190 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2157 | 194 | '{endpoint_group_id}/projects/{project_id}'), | 191 | '{endpoint_group_id}/projects/{project_id}'), |
2158 | 195 | 'method': 'PUT'}], | 192 | 'method': 'PUT'}], |
2160 | 196 | deprecated_rule=deprecated_add_endpoint_group_to_project), | 193 | deprecated_rule=deprecated_add_endpoint_group_to_project, |
2161 | 194 | deprecated_reason=DEPRECATED_REASON, | ||
2162 | 195 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2163 | 197 | policy.DocumentedRuleDefault( | 196 | policy.DocumentedRuleDefault( |
2164 | 198 | name=base.IDENTITY % 'remove_endpoint_group_from_project', | 197 | name=base.IDENTITY % 'remove_endpoint_group_from_project', |
2165 | 199 | check_str=base.SYSTEM_ADMIN, | 198 | check_str=base.SYSTEM_ADMIN, |
2166 | @@ -202,7 +201,9 @@ group_endpoint_policies = [ | |||
2167 | 202 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' | 201 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' |
2168 | 203 | '{endpoint_group_id}/projects/{project_id}'), | 202 | '{endpoint_group_id}/projects/{project_id}'), |
2169 | 204 | 'method': 'DELETE'}], | 203 | 'method': 'DELETE'}], |
2171 | 205 | deprecated_rule=deprecated_remove_endpoint_group_from_project) | 204 | deprecated_rule=deprecated_remove_endpoint_group_from_project, |
2172 | 205 | deprecated_reason=DEPRECATED_REASON, | ||
2173 | 206 | deprecated_since=versionutils.deprecated.TRAIN) | ||
2174 | 206 | ] | 207 | ] |
2175 | 207 | 208 | ||
2176 | 208 | 209 | ||
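Review bot: The fourteen `DeprecatedRule` definitions (new lines 18–71) are now bare `name`/`check_str` pairs, with the deprecation metadata repeated as the same two keyword lines on every `DocumentedRuleDefault` below (e.g. new lines 88–89, 98–99, 112–113); since all fourteen share `base.RULE_ADMIN_REQUIRED`, Train and one reason string, a short comment above the block would help a reader, e.g. `# Legacy admin-only rules for OS-EP-FILTER; each is OR'd with its system-scope replacement below until enforce_new_defaults is set.` Nothing in the hunk changes an effective check string: every legacy rule keeps `RULE_ADMIN_REQUIRED` and the visible new defaults remain `SYSTEM_READER`/`SYSTEM_ADMIN`. Because this is an upstream import, the repetition is an upstream style matter rather than something to patch in the package, so this is a documentation note only.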
2177 | diff --git a/keystone/common/policies/grant.py b/keystone/common/policies/grant.py | |||
2178 | index 0e1b928..09ef1c9 100644 | |||
2179 | --- a/keystone/common/policies/grant.py | |||
2180 | +++ b/keystone/common/policies/grant.py | |||
2181 | @@ -66,79 +66,54 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = ( | |||
2182 | 66 | '(' + DOMAIN_MATCHES_ROLE + ')' | 66 | '(' + DOMAIN_MATCHES_ROLE + ')' |
2183 | 67 | ) | 67 | ) |
2184 | 68 | 68 | ||
2185 | 69 | DEPRECATED_REASON = ( | ||
2186 | 70 | "The assignment API is now aware of system scope and default roles." | ||
2187 | 71 | ) | ||
2188 | 72 | |||
2189 | 73 | deprecated_check_system_grant_for_user = policy.DeprecatedRule( | 69 | deprecated_check_system_grant_for_user = policy.DeprecatedRule( |
2190 | 74 | name=base.IDENTITY % 'check_system_grant_for_user', | 70 | name=base.IDENTITY % 'check_system_grant_for_user', |
2194 | 75 | check_str=base.RULE_ADMIN_REQUIRED, | 71 | check_str=base.RULE_ADMIN_REQUIRED |
2192 | 76 | deprecated_reason=DEPRECATED_REASON, | ||
2193 | 77 | deprecated_since=versionutils.deprecated.STEIN | ||
2195 | 78 | ) | 72 | ) |
2196 | 79 | deprecated_list_system_grants_for_user = policy.DeprecatedRule( | 73 | deprecated_list_system_grants_for_user = policy.DeprecatedRule( |
2197 | 80 | name=base.IDENTITY % 'list_system_grants_for_user', | 74 | name=base.IDENTITY % 'list_system_grants_for_user', |
2201 | 81 | check_str=base.RULE_ADMIN_REQUIRED, | 75 | check_str=base.RULE_ADMIN_REQUIRED |
2199 | 82 | deprecated_reason=DEPRECATED_REASON, | ||
2200 | 83 | deprecated_since=versionutils.deprecated.STEIN | ||
2202 | 84 | ) | 76 | ) |
2203 | 85 | deprecated_create_system_grant_for_user = policy.DeprecatedRule( | 77 | deprecated_create_system_grant_for_user = policy.DeprecatedRule( |
2204 | 86 | name=base.IDENTITY % 'create_system_grant_for_user', | 78 | name=base.IDENTITY % 'create_system_grant_for_user', |
2208 | 87 | check_str=base.RULE_ADMIN_REQUIRED, | 79 | check_str=base.RULE_ADMIN_REQUIRED |
2206 | 88 | deprecated_reason=DEPRECATED_REASON, | ||
2207 | 89 | deprecated_since=versionutils.deprecated.STEIN | ||
2209 | 90 | ) | 80 | ) |
2210 | 91 | deprecated_revoke_system_grant_for_user = policy.DeprecatedRule( | 81 | deprecated_revoke_system_grant_for_user = policy.DeprecatedRule( |
2211 | 92 | name=base.IDENTITY % 'revoke_system_grant_for_user', | 82 | name=base.IDENTITY % 'revoke_system_grant_for_user', |
2215 | 93 | check_str=base.RULE_ADMIN_REQUIRED, | 83 | check_str=base.RULE_ADMIN_REQUIRED |
2213 | 94 | deprecated_reason=DEPRECATED_REASON, | ||
2214 | 95 | deprecated_since=versionutils.deprecated.STEIN | ||
2216 | 96 | ) | 84 | ) |
2217 | 97 | deprecated_check_system_grant_for_group = policy.DeprecatedRule( | 85 | deprecated_check_system_grant_for_group = policy.DeprecatedRule( |
2218 | 98 | name=base.IDENTITY % 'check_system_grant_for_group', | 86 | name=base.IDENTITY % 'check_system_grant_for_group', |
2222 | 99 | check_str=base.RULE_ADMIN_REQUIRED, | 87 | check_str=base.RULE_ADMIN_REQUIRED |
2220 | 100 | deprecated_reason=DEPRECATED_REASON, | ||
2221 | 101 | deprecated_since=versionutils.deprecated.STEIN | ||
2223 | 102 | ) | 88 | ) |
2224 | 103 | deprecated_list_system_grants_for_group = policy.DeprecatedRule( | 89 | deprecated_list_system_grants_for_group = policy.DeprecatedRule( |
2225 | 104 | name=base.IDENTITY % 'list_system_grants_for_group', | 90 | name=base.IDENTITY % 'list_system_grants_for_group', |
2229 | 105 | check_str=base.RULE_ADMIN_REQUIRED, | 91 | check_str=base.RULE_ADMIN_REQUIRED |
2227 | 106 | deprecated_reason=DEPRECATED_REASON, | ||
2228 | 107 | deprecated_since=versionutils.deprecated.STEIN | ||
2230 | 108 | ) | 92 | ) |
2231 | 109 | deprecated_create_system_grant_for_group = policy.DeprecatedRule( | 93 | deprecated_create_system_grant_for_group = policy.DeprecatedRule( |
2232 | 110 | name=base.IDENTITY % 'create_system_grant_for_group', | 94 | name=base.IDENTITY % 'create_system_grant_for_group', |
2236 | 111 | check_str=base.RULE_ADMIN_REQUIRED, | 95 | check_str=base.RULE_ADMIN_REQUIRED |
2234 | 112 | deprecated_reason=DEPRECATED_REASON, | ||
2235 | 113 | deprecated_since=versionutils.deprecated.STEIN | ||
2237 | 114 | ) | 96 | ) |
2238 | 115 | deprecated_revoke_system_grant_for_group = policy.DeprecatedRule( | 97 | deprecated_revoke_system_grant_for_group = policy.DeprecatedRule( |
2239 | 116 | name=base.IDENTITY % 'revoke_system_grant_for_group', | 98 | name=base.IDENTITY % 'revoke_system_grant_for_group', |
2243 | 117 | check_str=base.RULE_ADMIN_REQUIRED, | 99 | check_str=base.RULE_ADMIN_REQUIRED |
2241 | 118 | deprecated_reason=DEPRECATED_REASON, | ||
2242 | 119 | deprecated_since=versionutils.deprecated.STEIN | ||
2244 | 120 | ) | 100 | ) |
2245 | 121 | deprecated_list_grants = policy.DeprecatedRule( | 101 | deprecated_list_grants = policy.DeprecatedRule( |
2249 | 122 | name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED, | 102 | name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED |
2247 | 123 | deprecated_reason=DEPRECATED_REASON, | ||
2248 | 124 | deprecated_since=versionutils.deprecated.STEIN | ||
2250 | 125 | ) | 103 | ) |
2251 | 126 | deprecated_check_grant = policy.DeprecatedRule( | 104 | deprecated_check_grant = policy.DeprecatedRule( |
2255 | 127 | name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED, | 105 | name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED |
2253 | 128 | deprecated_reason=DEPRECATED_REASON, | ||
2254 | 129 | deprecated_since=versionutils.deprecated.STEIN | ||
2256 | 130 | ) | 106 | ) |
2257 | 131 | deprecated_create_grant = policy.DeprecatedRule( | 107 | deprecated_create_grant = policy.DeprecatedRule( |
2261 | 132 | name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED, | 108 | name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED |
2259 | 133 | deprecated_reason=DEPRECATED_REASON, | ||
2260 | 134 | deprecated_since=versionutils.deprecated.STEIN | ||
2262 | 135 | ) | 109 | ) |
2263 | 136 | deprecated_revoke_grant = policy.DeprecatedRule( | 110 | deprecated_revoke_grant = policy.DeprecatedRule( |
2267 | 137 | name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED, | 111 | name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED |
2265 | 138 | deprecated_reason=DEPRECATED_REASON, | ||
2266 | 139 | deprecated_since=versionutils.deprecated.STEIN | ||
2268 | 140 | ) | 112 | ) |
2269 | 141 | 113 | ||
2270 | 114 | DEPRECATED_REASON = ( | ||
2271 | 115 | "The assignment API is now aware of system scope and default roles." | ||
2272 | 116 | ) | ||
2273 | 142 | 117 | ||
2274 | 143 | resource_paths = [ | 118 | resource_paths = [ |
2275 | 144 | '/projects/{project_id}/users/{user_id}/roles/{role_id}', | 119 | '/projects/{project_id}/users/{user_id}/roles/{role_id}', |
2276 | @@ -192,7 +167,9 @@ grant_policies = [ | |||
2277 | 192 | 'are inherited to all projects in the subtree, if ' | 167 | 'are inherited to all projects in the subtree, if ' |
2278 | 193 | 'applicable.'), | 168 | 'applicable.'), |
2279 | 194 | operations=list_operations(resource_paths, ['HEAD', 'GET']), | 169 | operations=list_operations(resource_paths, ['HEAD', 'GET']), |
2281 | 195 | deprecated_rule=deprecated_check_grant), | 170 | deprecated_rule=deprecated_check_grant, |
2282 | 171 | deprecated_reason=DEPRECATED_REASON, | ||
2283 | 172 | deprecated_since=versionutils.deprecated.STEIN), | ||
2284 | 196 | policy.DocumentedRuleDefault( | 173 | policy.DocumentedRuleDefault( |
2285 | 197 | name=base.IDENTITY % 'list_grants', | 174 | name=base.IDENTITY % 'list_grants', |
2286 | 198 | check_str=SYSTEM_READER_OR_DOMAIN_READER_LIST, | 175 | check_str=SYSTEM_READER_OR_DOMAIN_READER_LIST, |
2287 | @@ -204,7 +181,9 @@ grant_policies = [ | |||
2288 | 204 | 'domains, where grants are inherited to all projects ' | 181 | 'domains, where grants are inherited to all projects ' |
2289 | 205 | 'in the specified domain.'), | 182 | 'in the specified domain.'), |
2290 | 206 | operations=list_grants_operations, | 183 | operations=list_grants_operations, |
2292 | 207 | deprecated_rule=deprecated_list_grants), | 184 | deprecated_rule=deprecated_list_grants, |
2293 | 185 | deprecated_reason=DEPRECATED_REASON, | ||
2294 | 186 | deprecated_since=versionutils.deprecated.STEIN), | ||
2295 | 208 | policy.DocumentedRuleDefault( | 187 | policy.DocumentedRuleDefault( |
2296 | 209 | name=base.IDENTITY % 'create_grant', | 188 | name=base.IDENTITY % 'create_grant', |
2297 | 210 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, | 189 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
2298 | @@ -216,7 +195,9 @@ grant_policies = [ | |||
2299 | 216 | 'are inherited to all projects in the subtree, if ' | 195 | 'are inherited to all projects in the subtree, if ' |
2300 | 217 | 'applicable.'), | 196 | 'applicable.'), |
2301 | 218 | operations=list_operations(resource_paths, ['PUT']), | 197 | operations=list_operations(resource_paths, ['PUT']), |
2303 | 219 | deprecated_rule=deprecated_create_grant), | 198 | deprecated_rule=deprecated_create_grant, |
2304 | 199 | deprecated_reason=DEPRECATED_REASON, | ||
2305 | 200 | deprecated_since=versionutils.deprecated.STEIN), | ||
2306 | 220 | policy.DocumentedRuleDefault( | 201 | policy.DocumentedRuleDefault( |
2307 | 221 | name=base.IDENTITY % 'revoke_grant', | 202 | name=base.IDENTITY % 'revoke_grant', |
2308 | 222 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, | 203 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
2309 | @@ -230,7 +211,9 @@ grant_policies = [ | |||
2310 | 230 | 'the target would remove the logical effect of ' | 211 | 'the target would remove the logical effect of ' |
2311 | 231 | 'inheriting it to the target\'s projects subtree.'), | 212 | 'inheriting it to the target\'s projects subtree.'), |
2312 | 232 | operations=list_operations(resource_paths, ['DELETE']), | 213 | operations=list_operations(resource_paths, ['DELETE']), |
2314 | 233 | deprecated_rule=deprecated_revoke_grant), | 214 | deprecated_rule=deprecated_revoke_grant, |
2315 | 215 | deprecated_reason=DEPRECATED_REASON, | ||
2316 | 216 | deprecated_since=versionutils.deprecated.STEIN), | ||
2317 | 234 | policy.DocumentedRuleDefault( | 217 | policy.DocumentedRuleDefault( |
2318 | 235 | name=base.IDENTITY % 'list_system_grants_for_user', | 218 | name=base.IDENTITY % 'list_system_grants_for_user', |
2319 | 236 | check_str=base.SYSTEM_READER, | 219 | check_str=base.SYSTEM_READER, |
2320 | @@ -243,6 +226,8 @@ grant_policies = [ | |||
2321 | 243 | } | 226 | } |
2322 | 244 | ], | 227 | ], |
2323 | 245 | deprecated_rule=deprecated_list_system_grants_for_user, | 228 | deprecated_rule=deprecated_list_system_grants_for_user, |
2324 | 229 | deprecated_reason=DEPRECATED_REASON, | ||
2325 | 230 | deprecated_since=versionutils.deprecated.STEIN | ||
2326 | 246 | ), | 231 | ), |
2327 | 247 | policy.DocumentedRuleDefault( | 232 | policy.DocumentedRuleDefault( |
2328 | 248 | name=base.IDENTITY % 'check_system_grant_for_user', | 233 | name=base.IDENTITY % 'check_system_grant_for_user', |
2329 | @@ -256,6 +241,8 @@ grant_policies = [ | |||
2330 | 256 | } | 241 | } |
2331 | 257 | ], | 242 | ], |
2332 | 258 | deprecated_rule=deprecated_check_system_grant_for_user, | 243 | deprecated_rule=deprecated_check_system_grant_for_user, |
2333 | 244 | deprecated_reason=DEPRECATED_REASON, | ||
2334 | 245 | deprecated_since=versionutils.deprecated.STEIN | ||
2335 | 259 | ), | 246 | ), |
2336 | 260 | policy.DocumentedRuleDefault( | 247 | policy.DocumentedRuleDefault( |
2337 | 261 | name=base.IDENTITY % 'create_system_grant_for_user', | 248 | name=base.IDENTITY % 'create_system_grant_for_user', |
2338 | @@ -269,6 +256,8 @@ grant_policies = [ | |||
2339 | 269 | } | 256 | } |
2340 | 270 | ], | 257 | ], |
2341 | 271 | deprecated_rule=deprecated_create_system_grant_for_user, | 258 | deprecated_rule=deprecated_create_system_grant_for_user, |
2342 | 259 | deprecated_reason=DEPRECATED_REASON, | ||
2343 | 260 | deprecated_since=versionutils.deprecated.STEIN | ||
2344 | 272 | ), | 261 | ), |
2345 | 273 | policy.DocumentedRuleDefault( | 262 | policy.DocumentedRuleDefault( |
2346 | 274 | name=base.IDENTITY % 'revoke_system_grant_for_user', | 263 | name=base.IDENTITY % 'revoke_system_grant_for_user', |
2347 | @@ -282,6 +271,8 @@ grant_policies = [ | |||
2348 | 282 | } | 271 | } |
2349 | 283 | ], | 272 | ], |
2350 | 284 | deprecated_rule=deprecated_revoke_system_grant_for_user, | 273 | deprecated_rule=deprecated_revoke_system_grant_for_user, |
2351 | 274 | deprecated_reason=DEPRECATED_REASON, | ||
2352 | 275 | deprecated_since=versionutils.deprecated.STEIN | ||
2353 | 285 | ), | 276 | ), |
2354 | 286 | policy.DocumentedRuleDefault( | 277 | policy.DocumentedRuleDefault( |
2355 | 287 | name=base.IDENTITY % 'list_system_grants_for_group', | 278 | name=base.IDENTITY % 'list_system_grants_for_group', |
2356 | @@ -295,6 +286,8 @@ grant_policies = [ | |||
2357 | 295 | } | 286 | } |
2358 | 296 | ], | 287 | ], |
2359 | 297 | deprecated_rule=deprecated_list_system_grants_for_group, | 288 | deprecated_rule=deprecated_list_system_grants_for_group, |
2360 | 289 | deprecated_reason=DEPRECATED_REASON, | ||
2361 | 290 | deprecated_since=versionutils.deprecated.STEIN | ||
2362 | 298 | ), | 291 | ), |
2363 | 299 | policy.DocumentedRuleDefault( | 292 | policy.DocumentedRuleDefault( |
2364 | 300 | name=base.IDENTITY % 'check_system_grant_for_group', | 293 | name=base.IDENTITY % 'check_system_grant_for_group', |
2365 | @@ -308,6 +301,8 @@ grant_policies = [ | |||
2366 | 308 | } | 301 | } |
2367 | 309 | ], | 302 | ], |
2368 | 310 | deprecated_rule=deprecated_check_system_grant_for_group, | 303 | deprecated_rule=deprecated_check_system_grant_for_group, |
2369 | 304 | deprecated_reason=DEPRECATED_REASON, | ||
2370 | 305 | deprecated_since=versionutils.deprecated.STEIN | ||
2371 | 311 | ), | 306 | ), |
2372 | 312 | policy.DocumentedRuleDefault( | 307 | policy.DocumentedRuleDefault( |
2373 | 313 | name=base.IDENTITY % 'create_system_grant_for_group', | 308 | name=base.IDENTITY % 'create_system_grant_for_group', |
2374 | @@ -321,6 +316,8 @@ grant_policies = [ | |||
2375 | 321 | } | 316 | } |
2376 | 322 | ], | 317 | ], |
2377 | 323 | deprecated_rule=deprecated_create_system_grant_for_group, | 318 | deprecated_rule=deprecated_create_system_grant_for_group, |
2378 | 319 | deprecated_reason=DEPRECATED_REASON, | ||
2379 | 320 | deprecated_since=versionutils.deprecated.STEIN | ||
2380 | 324 | ), | 321 | ), |
2381 | 325 | policy.DocumentedRuleDefault( | 322 | policy.DocumentedRuleDefault( |
2382 | 326 | name=base.IDENTITY % 'revoke_system_grant_for_group', | 323 | name=base.IDENTITY % 'revoke_system_grant_for_group', |
2383 | @@ -334,6 +331,8 @@ grant_policies = [ | |||
2384 | 334 | } | 331 | } |
2385 | 335 | ], | 332 | ], |
2386 | 336 | deprecated_rule=deprecated_revoke_system_grant_for_group, | 333 | deprecated_rule=deprecated_revoke_system_grant_for_group, |
2387 | 334 | deprecated_reason=DEPRECATED_REASON, | ||
2388 | 335 | deprecated_since=versionutils.deprecated.STEIN | ||
2389 | 337 | ) | 336 | ) |
2390 | 338 | ] | 337 | ] |
2391 | 339 | 338 | ||
2392 | diff --git a/keystone/common/policies/group.py b/keystone/common/policies/group.py | |||
2393 | index 0106bad..d33da92 100644 | |||
2394 | --- a/keystone/common/policies/group.py | |||
2395 | +++ b/keystone/common/policies/group.py | |||
2396 | @@ -51,63 +51,43 @@ DEPRECATED_REASON = ( | |||
2397 | 51 | 51 | ||
2398 | 52 | deprecated_get_group = policy.DeprecatedRule( | 52 | deprecated_get_group = policy.DeprecatedRule( |
2399 | 53 | name=base.IDENTITY % 'get_group', | 53 | name=base.IDENTITY % 'get_group', |
2403 | 54 | check_str=base.RULE_ADMIN_REQUIRED, | 54 | check_str=base.RULE_ADMIN_REQUIRED |
2401 | 55 | deprecated_reason=DEPRECATED_REASON, | ||
2402 | 56 | deprecated_since=versionutils.deprecated.STEIN | ||
2404 | 57 | ) | 55 | ) |
2405 | 58 | deprecated_list_groups = policy.DeprecatedRule( | 56 | deprecated_list_groups = policy.DeprecatedRule( |
2406 | 59 | name=base.IDENTITY % 'list_groups', | 57 | name=base.IDENTITY % 'list_groups', |
2410 | 60 | check_str=base.RULE_ADMIN_REQUIRED, | 58 | check_str=base.RULE_ADMIN_REQUIRED |
2408 | 61 | deprecated_reason=DEPRECATED_REASON, | ||
2409 | 62 | deprecated_since=versionutils.deprecated.STEIN | ||
2411 | 63 | ) | 59 | ) |
2412 | 64 | deprecated_list_groups_for_user = policy.DeprecatedRule( | 60 | deprecated_list_groups_for_user = policy.DeprecatedRule( |
2413 | 65 | name=base.IDENTITY % 'list_groups_for_user', | 61 | name=base.IDENTITY % 'list_groups_for_user', |
2417 | 66 | check_str=base.RULE_ADMIN_OR_OWNER, | 62 | check_str=base.RULE_ADMIN_OR_OWNER |
2415 | 67 | deprecated_reason=DEPRECATED_REASON, | ||
2416 | 68 | deprecated_since=versionutils.deprecated.STEIN | ||
2418 | 69 | ) | 63 | ) |
2419 | 70 | deprecated_list_users_in_group = policy.DeprecatedRule( | 64 | deprecated_list_users_in_group = policy.DeprecatedRule( |
2420 | 71 | name=base.IDENTITY % 'list_users_in_group', | 65 | name=base.IDENTITY % 'list_users_in_group', |
2424 | 72 | check_str=base.RULE_ADMIN_REQUIRED, | 66 | check_str=base.RULE_ADMIN_REQUIRED |
2422 | 73 | deprecated_reason=DEPRECATED_REASON, | ||
2423 | 74 | deprecated_since=versionutils.deprecated.STEIN | ||
2425 | 75 | ) | 67 | ) |
2426 | 76 | deprecated_check_user_in_group = policy.DeprecatedRule( | 68 | deprecated_check_user_in_group = policy.DeprecatedRule( |
2427 | 77 | name=base.IDENTITY % 'check_user_in_group', | 69 | name=base.IDENTITY % 'check_user_in_group', |
2431 | 78 | check_str=base.RULE_ADMIN_REQUIRED, | 70 | check_str=base.RULE_ADMIN_REQUIRED |
2429 | 79 | deprecated_reason=DEPRECATED_REASON, | ||
2430 | 80 | deprecated_since=versionutils.deprecated.STEIN | ||
2432 | 81 | ) | 71 | ) |
2433 | 82 | deprecated_create_group = policy.DeprecatedRule( | 72 | deprecated_create_group = policy.DeprecatedRule( |
2434 | 83 | name=base.IDENTITY % 'create_group', | 73 | name=base.IDENTITY % 'create_group', |
2438 | 84 | check_str=base.RULE_ADMIN_REQUIRED, | 74 | check_str=base.RULE_ADMIN_REQUIRED |
2436 | 85 | deprecated_reason=DEPRECATED_REASON, | ||
2437 | 86 | deprecated_since=versionutils.deprecated.STEIN | ||
2439 | 87 | ) | 75 | ) |
2440 | 88 | deprecated_update_group = policy.DeprecatedRule( | 76 | deprecated_update_group = policy.DeprecatedRule( |
2441 | 89 | name=base.IDENTITY % 'update_group', | 77 | name=base.IDENTITY % 'update_group', |
2445 | 90 | check_str=base.RULE_ADMIN_REQUIRED, | 78 | check_str=base.RULE_ADMIN_REQUIRED |
2443 | 91 | deprecated_reason=DEPRECATED_REASON, | ||
2444 | 92 | deprecated_since=versionutils.deprecated.STEIN | ||
2446 | 93 | ) | 79 | ) |
2447 | 94 | deprecated_delete_group = policy.DeprecatedRule( | 80 | deprecated_delete_group = policy.DeprecatedRule( |
2448 | 95 | name=base.IDENTITY % 'delete_group', | 81 | name=base.IDENTITY % 'delete_group', |
2452 | 96 | check_str=base.RULE_ADMIN_REQUIRED, | 82 | check_str=base.RULE_ADMIN_REQUIRED |
2450 | 97 | deprecated_reason=DEPRECATED_REASON, | ||
2451 | 98 | deprecated_since=versionutils.deprecated.STEIN | ||
2453 | 99 | ) | 83 | ) |
2454 | 100 | deprecated_remove_user_from_group = policy.DeprecatedRule( | 84 | deprecated_remove_user_from_group = policy.DeprecatedRule( |
2455 | 101 | name=base.IDENTITY % 'remove_user_from_group', | 85 | name=base.IDENTITY % 'remove_user_from_group', |
2459 | 102 | check_str=base.RULE_ADMIN_REQUIRED, | 86 | check_str=base.RULE_ADMIN_REQUIRED |
2457 | 103 | deprecated_reason=DEPRECATED_REASON, | ||
2458 | 104 | deprecated_since=versionutils.deprecated.STEIN | ||
2460 | 105 | ) | 87 | ) |
2461 | 106 | deprecated_add_user_to_group = policy.DeprecatedRule( | 88 | deprecated_add_user_to_group = policy.DeprecatedRule( |
2462 | 107 | name=base.IDENTITY % 'add_user_to_group', | 89 | name=base.IDENTITY % 'add_user_to_group', |
2466 | 108 | check_str=base.RULE_ADMIN_REQUIRED, | 90 | check_str=base.RULE_ADMIN_REQUIRED |
2464 | 109 | deprecated_reason=DEPRECATED_REASON, | ||
2465 | 110 | deprecated_since=versionutils.deprecated.STEIN | ||
2467 | 111 | ) | 91 | ) |
2468 | 112 | 92 | ||
2469 | 113 | group_policies = [ | 93 | group_policies = [ |
2470 | @@ -120,7 +100,9 @@ group_policies = [ | |||
2471 | 120 | 'method': 'GET'}, | 100 | 'method': 'GET'}, |
2472 | 121 | {'path': '/v3/groups/{group_id}', | 101 | {'path': '/v3/groups/{group_id}', |
2473 | 122 | 'method': 'HEAD'}], | 102 | 'method': 'HEAD'}], |
2475 | 123 | deprecated_rule=deprecated_get_group), | 103 | deprecated_rule=deprecated_get_group, |
2476 | 104 | deprecated_reason=DEPRECATED_REASON, | ||
2477 | 105 | deprecated_since=versionutils.deprecated.STEIN), | ||
2478 | 124 | policy.DocumentedRuleDefault( | 106 | policy.DocumentedRuleDefault( |
2479 | 125 | name=base.IDENTITY % 'list_groups', | 107 | name=base.IDENTITY % 'list_groups', |
2480 | 126 | check_str=SYSTEM_READER_OR_DOMAIN_READER, | 108 | check_str=SYSTEM_READER_OR_DOMAIN_READER, |
2481 | @@ -130,7 +112,9 @@ group_policies = [ | |||
2482 | 130 | 'method': 'GET'}, | 112 | 'method': 'GET'}, |
2483 | 131 | {'path': '/v3/groups', | 113 | {'path': '/v3/groups', |
2484 | 132 | 'method': 'HEAD'}], | 114 | 'method': 'HEAD'}], |
2486 | 133 | deprecated_rule=deprecated_list_groups), | 115 | deprecated_rule=deprecated_list_groups, |
2487 | 116 | deprecated_reason=DEPRECATED_REASON, | ||
2488 | 117 | deprecated_since=versionutils.deprecated.STEIN), | ||
2489 | 134 | policy.DocumentedRuleDefault( | 118 | policy.DocumentedRuleDefault( |
2490 | 135 | name=base.IDENTITY % 'list_groups_for_user', | 119 | name=base.IDENTITY % 'list_groups_for_user', |
2491 | 136 | check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER, | 120 | check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER, |
2492 | @@ -140,7 +124,9 @@ group_policies = [ | |||
2493 | 140 | 'method': 'GET'}, | 124 | 'method': 'GET'}, |
2494 | 141 | {'path': '/v3/users/{user_id}/groups', | 125 | {'path': '/v3/users/{user_id}/groups', |
2495 | 142 | 'method': 'HEAD'}], | 126 | 'method': 'HEAD'}], |
2497 | 143 | deprecated_rule=deprecated_list_groups_for_user), | 127 | deprecated_rule=deprecated_list_groups_for_user, |
2498 | 128 | deprecated_reason=DEPRECATED_REASON, | ||
2499 | 129 | deprecated_since=versionutils.deprecated.STEIN), | ||
2500 | 144 | policy.DocumentedRuleDefault( | 130 | policy.DocumentedRuleDefault( |
2501 | 145 | name=base.IDENTITY % 'create_group', | 131 | name=base.IDENTITY % 'create_group', |
2502 | 146 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, | 132 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
2503 | @@ -148,7 +134,9 @@ group_policies = [ | |||
2504 | 148 | description='Create group.', | 134 | description='Create group.', |
2505 | 149 | operations=[{'path': '/v3/groups', | 135 | operations=[{'path': '/v3/groups', |
2506 | 150 | 'method': 'POST'}], | 136 | 'method': 'POST'}], |
2508 | 151 | deprecated_rule=deprecated_create_group), | 137 | deprecated_rule=deprecated_create_group, |
2509 | 138 | deprecated_reason=DEPRECATED_REASON, | ||
2510 | 139 | deprecated_since=versionutils.deprecated.STEIN), | ||
2511 | 152 | policy.DocumentedRuleDefault( | 140 | policy.DocumentedRuleDefault( |
2512 | 153 | name=base.IDENTITY % 'update_group', | 141 | name=base.IDENTITY % 'update_group', |
2513 | 154 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, | 142 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
2514 | @@ -156,7 +144,9 @@ group_policies = [ | |||
2515 | 156 | description='Update group.', | 144 | description='Update group.', |
2516 | 157 | operations=[{'path': '/v3/groups/{group_id}', | 145 | operations=[{'path': '/v3/groups/{group_id}', |
2517 | 158 | 'method': 'PATCH'}], | 146 | 'method': 'PATCH'}], |
2519 | 159 | deprecated_rule=deprecated_update_group), | 147 | deprecated_rule=deprecated_update_group, |
2520 | 148 | deprecated_reason=DEPRECATED_REASON, | ||
2521 | 149 | deprecated_since=versionutils.deprecated.STEIN), | ||
2522 | 160 | policy.DocumentedRuleDefault( | 150 | policy.DocumentedRuleDefault( |
2523 | 161 | name=base.IDENTITY % 'delete_group', | 151 | name=base.IDENTITY % 'delete_group', |
2524 | 162 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, | 152 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
2525 | @@ -164,7 +154,9 @@ group_policies = [ | |||
2526 | 164 | description='Delete group.', | 154 | description='Delete group.', |
2527 | 165 | operations=[{'path': '/v3/groups/{group_id}', | 155 | operations=[{'path': '/v3/groups/{group_id}', |
2528 | 166 | 'method': 'DELETE'}], | 156 | 'method': 'DELETE'}], |
2530 | 167 | deprecated_rule=deprecated_delete_group), | 157 | deprecated_rule=deprecated_delete_group, |
2531 | 158 | deprecated_reason=DEPRECATED_REASON, | ||
2532 | 159 | deprecated_since=versionutils.deprecated.STEIN), | ||
2533 | 168 | policy.DocumentedRuleDefault( | 160 | policy.DocumentedRuleDefault( |
2534 | 169 | name=base.IDENTITY % 'list_users_in_group', | 161 | name=base.IDENTITY % 'list_users_in_group', |
2535 | 170 | check_str=SYSTEM_READER_OR_DOMAIN_READER, | 162 | check_str=SYSTEM_READER_OR_DOMAIN_READER, |
2536 | @@ -174,7 +166,9 @@ group_policies = [ | |||
2537 | 174 | 'method': 'GET'}, | 166 | 'method': 'GET'}, |
2538 | 175 | {'path': '/v3/groups/{group_id}/users', | 167 | {'path': '/v3/groups/{group_id}/users', |
2539 | 176 | 'method': 'HEAD'}], | 168 | 'method': 'HEAD'}], |
2541 | 177 | deprecated_rule=deprecated_list_users_in_group), | 169 | deprecated_rule=deprecated_list_users_in_group, |
2542 | 170 | deprecated_reason=DEPRECATED_REASON, | ||
2543 | 171 | deprecated_since=versionutils.deprecated.STEIN), | ||
2544 | 178 | policy.DocumentedRuleDefault( | 172 | policy.DocumentedRuleDefault( |
2545 | 179 | name=base.IDENTITY % 'remove_user_from_group', | 173 | name=base.IDENTITY % 'remove_user_from_group', |
2546 | 180 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER, | 174 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER, |
2547 | @@ -182,7 +176,9 @@ group_policies = [ | |||
2548 | 182 | description='Remove user from group.', | 176 | description='Remove user from group.', |
2549 | 183 | operations=[{'path': '/v3/groups/{group_id}/users/{user_id}', | 177 | operations=[{'path': '/v3/groups/{group_id}/users/{user_id}', |
2550 | 184 | 'method': 'DELETE'}], | 178 | 'method': 'DELETE'}], |
2552 | 185 | deprecated_rule=deprecated_remove_user_from_group), | 179 | deprecated_rule=deprecated_remove_user_from_group, |
2553 | 180 | deprecated_reason=DEPRECATED_REASON, | ||
2554 | 181 | deprecated_since=versionutils.deprecated.STEIN), | ||
2555 | 186 | policy.DocumentedRuleDefault( | 182 | policy.DocumentedRuleDefault( |
2556 | 187 | name=base.IDENTITY % 'check_user_in_group', | 183 | name=base.IDENTITY % 'check_user_in_group', |
2557 | 188 | check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER, | 184 | check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER, |
2558 | @@ -192,7 +188,9 @@ group_policies = [ | |||
2559 | 192 | 'method': 'HEAD'}, | 188 | 'method': 'HEAD'}, |
2560 | 193 | {'path': '/v3/groups/{group_id}/users/{user_id}', | 189 | {'path': '/v3/groups/{group_id}/users/{user_id}', |
2561 | 194 | 'method': 'GET'}], | 190 | 'method': 'GET'}], |
2563 | 195 | deprecated_rule=deprecated_check_user_in_group), | 191 | deprecated_rule=deprecated_check_user_in_group, |
2564 | 192 | deprecated_reason=DEPRECATED_REASON, | ||
2565 | 193 | deprecated_since=versionutils.deprecated.STEIN), | ||
2566 | 196 | policy.DocumentedRuleDefault( | 194 | policy.DocumentedRuleDefault( |
2567 | 197 | name=base.IDENTITY % 'add_user_to_group', | 195 | name=base.IDENTITY % 'add_user_to_group', |
2568 | 198 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER, | 196 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER, |
2569 | @@ -200,7 +198,9 @@ group_policies = [ | |||
2570 | 200 | description='Add user to group.', | 198 | description='Add user to group.', |
2571 | 201 | operations=[{'path': '/v3/groups/{group_id}/users/{user_id}', | 199 | operations=[{'path': '/v3/groups/{group_id}/users/{user_id}', |
2572 | 202 | 'method': 'PUT'}], | 200 | 'method': 'PUT'}], |
2574 | 203 | deprecated_rule=deprecated_add_user_to_group) | 201 | deprecated_rule=deprecated_add_user_to_group, |
2575 | 202 | deprecated_reason=DEPRECATED_REASON, | ||
2576 | 203 | deprecated_since=versionutils.deprecated.STEIN) | ||
2577 | 204 | ] | 204 | ] |
2578 | 205 | 205 | ||
2579 | 206 | 206 | ||
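Review bot: The new side of this section attaches `deprecated_reason=DEPRECATED_REASON` and `deprecated_since=versionutils.deprecated.STEIN` to every `policy.DocumentedRuleDefault` (new lines 103–105 and the matching pairs below), while the `policy.DeprecatedRule` objects at new lines 52–91 keep only `name` and `check_str`; the left-hand side carried that metadata on `DeprecatedRule` instead. As far as I recall, recent oslo.policy releases treat the RuleDefault keyword form as the legacy one and log a deprecation warning for it when rules are enforced, so the oslo.policy version this package build is pinned against should be checked for which form it accepts silently. Either form keeps the old `RULE_ADMIN_REQUIRED` check honoured alongside the new scoped defaults for the deprecation window, so the visible effect would be warning noise in the keystone log rather than a change in who is authorised. The same pattern is present in the grant.py section above and in the identity_provider.py and implied_role.py sections below.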
2580 | diff --git a/keystone/common/policies/identity_provider.py b/keystone/common/policies/identity_provider.py | |||
2581 | index c1b4d5a..8d6ad46 100644 | |||
2582 | --- a/keystone/common/policies/identity_provider.py | |||
2583 | +++ b/keystone/common/policies/identity_provider.py | |||
2584 | @@ -15,41 +15,30 @@ from oslo_policy import policy | |||
2585 | 15 | 15 | ||
2586 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
2587 | 17 | 17 | ||
2588 | 18 | DEPRECATED_REASON = ( | ||
2589 | 19 | "The identity provider API is now aware of system scope and default roles." | ||
2590 | 20 | ) | ||
2591 | 21 | |||
2592 | 22 | deprecated_get_idp = policy.DeprecatedRule( | 18 | deprecated_get_idp = policy.DeprecatedRule( |
2593 | 23 | name=base.IDENTITY % 'get_identity_provider', | 19 | name=base.IDENTITY % 'get_identity_provider', |
2597 | 24 | check_str=base.RULE_ADMIN_REQUIRED, | 20 | check_str=base.RULE_ADMIN_REQUIRED |
2595 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
2596 | 26 | deprecated_since=versionutils.deprecated.STEIN | ||
2598 | 27 | ) | 21 | ) |
2599 | 28 | deprecated_list_idp = policy.DeprecatedRule( | 22 | deprecated_list_idp = policy.DeprecatedRule( |
2600 | 29 | name=base.IDENTITY % 'list_identity_providers', | 23 | name=base.IDENTITY % 'list_identity_providers', |
2604 | 30 | check_str=base.RULE_ADMIN_REQUIRED, | 24 | check_str=base.RULE_ADMIN_REQUIRED |
2602 | 31 | deprecated_reason=DEPRECATED_REASON, | ||
2603 | 32 | deprecated_since=versionutils.deprecated.STEIN | ||
2605 | 33 | ) | 25 | ) |
2606 | 34 | deprecated_update_idp = policy.DeprecatedRule( | 26 | deprecated_update_idp = policy.DeprecatedRule( |
2607 | 35 | name=base.IDENTITY % 'update_identity_provider', | 27 | name=base.IDENTITY % 'update_identity_provider', |
2611 | 36 | check_str=base.RULE_ADMIN_REQUIRED, | 28 | check_str=base.RULE_ADMIN_REQUIRED |
2609 | 37 | deprecated_reason=DEPRECATED_REASON, | ||
2610 | 38 | deprecated_since=versionutils.deprecated.STEIN | ||
2612 | 39 | ) | 29 | ) |
2613 | 40 | deprecated_create_idp = policy.DeprecatedRule( | 30 | deprecated_create_idp = policy.DeprecatedRule( |
2614 | 41 | name=base.IDENTITY % 'create_identity_provider', | 31 | name=base.IDENTITY % 'create_identity_provider', |
2618 | 42 | check_str=base.RULE_ADMIN_REQUIRED, | 32 | check_str=base.RULE_ADMIN_REQUIRED |
2616 | 43 | deprecated_reason=DEPRECATED_REASON, | ||
2617 | 44 | deprecated_since=versionutils.deprecated.STEIN | ||
2619 | 45 | ) | 33 | ) |
2620 | 46 | deprecated_delete_idp = policy.DeprecatedRule( | 34 | deprecated_delete_idp = policy.DeprecatedRule( |
2621 | 47 | name=base.IDENTITY % 'delete_identity_provider', | 35 | name=base.IDENTITY % 'delete_identity_provider', |
2625 | 48 | check_str=base.RULE_ADMIN_REQUIRED, | 36 | check_str=base.RULE_ADMIN_REQUIRED |
2623 | 49 | deprecated_reason=DEPRECATED_REASON, | ||
2624 | 50 | deprecated_since=versionutils.deprecated.STEIN | ||
2626 | 51 | ) | 37 | ) |
2627 | 52 | 38 | ||
2628 | 39 | DEPRECATED_REASON = ( | ||
2629 | 40 | "The identity provider API is now aware of system scope and default roles." | ||
2630 | 41 | ) | ||
2631 | 53 | 42 | ||
2632 | 54 | identity_provider_policies = [ | 43 | identity_provider_policies = [ |
2633 | 55 | policy.DocumentedRuleDefault( | 44 | policy.DocumentedRuleDefault( |
2634 | @@ -65,7 +54,9 @@ identity_provider_policies = [ | |||
2635 | 65 | description='Create identity provider.', | 54 | description='Create identity provider.', |
2636 | 66 | operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}', | 55 | operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}', |
2637 | 67 | 'method': 'PUT'}], | 56 | 'method': 'PUT'}], |
2639 | 68 | deprecated_rule=deprecated_create_idp), | 57 | deprecated_rule=deprecated_create_idp, |
2640 | 58 | deprecated_reason=DEPRECATED_REASON, | ||
2641 | 59 | deprecated_since=versionutils.deprecated.STEIN), | ||
2642 | 69 | policy.DocumentedRuleDefault( | 60 | policy.DocumentedRuleDefault( |
2643 | 70 | name=base.IDENTITY % 'list_identity_providers', | 61 | name=base.IDENTITY % 'list_identity_providers', |
2644 | 71 | check_str=base.SYSTEM_READER, | 62 | check_str=base.SYSTEM_READER, |
2645 | @@ -82,6 +73,8 @@ identity_provider_policies = [ | |||
2646 | 82 | } | 73 | } |
2647 | 83 | ], | 74 | ], |
2648 | 84 | deprecated_rule=deprecated_list_idp, | 75 | deprecated_rule=deprecated_list_idp, |
2649 | 76 | deprecated_reason=DEPRECATED_REASON, | ||
2650 | 77 | deprecated_since=versionutils.deprecated.STEIN | ||
2651 | 85 | ), | 78 | ), |
2652 | 86 | policy.DocumentedRuleDefault( | 79 | policy.DocumentedRuleDefault( |
2653 | 87 | name=base.IDENTITY % 'get_identity_provider', | 80 | name=base.IDENTITY % 'get_identity_provider', |
2654 | @@ -99,6 +92,8 @@ identity_provider_policies = [ | |||
2655 | 99 | } | 92 | } |
2656 | 100 | ], | 93 | ], |
2657 | 101 | deprecated_rule=deprecated_get_idp, | 94 | deprecated_rule=deprecated_get_idp, |
2658 | 95 | deprecated_reason=DEPRECATED_REASON, | ||
2659 | 96 | deprecated_since=versionutils.deprecated.STEIN | ||
2660 | 102 | ), | 97 | ), |
2661 | 103 | policy.DocumentedRuleDefault( | 98 | policy.DocumentedRuleDefault( |
2662 | 104 | name=base.IDENTITY % 'update_identity_provider', | 99 | name=base.IDENTITY % 'update_identity_provider', |
2663 | @@ -107,7 +102,9 @@ identity_provider_policies = [ | |||
2664 | 107 | description='Update identity provider.', | 102 | description='Update identity provider.', |
2665 | 108 | operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}', | 103 | operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}', |
2666 | 109 | 'method': 'PATCH'}], | 104 | 'method': 'PATCH'}], |
2668 | 110 | deprecated_rule=deprecated_update_idp), | 105 | deprecated_rule=deprecated_update_idp, |
2669 | 106 | deprecated_reason=DEPRECATED_REASON, | ||
2670 | 107 | deprecated_since=versionutils.deprecated.STEIN), | ||
2671 | 111 | policy.DocumentedRuleDefault( | 108 | policy.DocumentedRuleDefault( |
2672 | 112 | name=base.IDENTITY % 'delete_identity_provider', | 109 | name=base.IDENTITY % 'delete_identity_provider', |
2673 | 113 | check_str=base.SYSTEM_ADMIN, | 110 | check_str=base.SYSTEM_ADMIN, |
2674 | @@ -115,7 +112,9 @@ identity_provider_policies = [ | |||
2675 | 115 | description='Delete identity provider.', | 112 | description='Delete identity provider.', |
2676 | 116 | operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}', | 113 | operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}', |
2677 | 117 | 'method': 'DELETE'}], | 114 | 'method': 'DELETE'}], |
2679 | 118 | deprecated_rule=deprecated_delete_idp), | 115 | deprecated_rule=deprecated_delete_idp, |
2680 | 116 | deprecated_reason=DEPRECATED_REASON, | ||
2681 | 117 | deprecated_since=versionutils.deprecated.STEIN), | ||
2682 | 119 | ] | 118 | ] |
2683 | 120 | 119 | ||
2684 | 121 | 120 | ||
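Review bot: `DEPRECATED_REASON` is now defined at new lines 39–41, after the five `policy.DeprecatedRule` definitions that used to reference it and just before `identity_provider_policies`, which still does. This works only because nothing above line 39 reads the name any more; re-adding `deprecated_reason=DEPRECATED_REASON` to any of those `DeprecatedRule` calls would raise `NameError` at import, and policy modules are imported at service start. I would keep the constant where the left-hand side had it, directly after the imports, with a one-line comment such as `# Shared by the deprecated_* rules and the policy list; keep above both.` The same relocation appears in the grant.py section above (new lines 114–116) and the implied_role.py section below (new lines 43–45).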
2685 | diff --git a/keystone/common/policies/implied_role.py b/keystone/common/policies/implied_role.py | |||
2686 | index 01bcc00..6d164b0 100644 | |||
2687 | --- a/keystone/common/policies/implied_role.py | |||
2688 | +++ b/keystone/common/policies/implied_role.py | |||
2689 | @@ -15,45 +15,33 @@ from oslo_policy import policy | |||
2690 | 15 | 15 | ||
2691 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
2692 | 17 | 17 | ||
2693 | 18 | DEPRECATED_REASON = ( | ||
2694 | 19 | "The implied role API is now aware of system scope and default roles." | ||
2695 | 20 | ) | ||
2696 | 21 | |||
2697 | 22 | deprecated_get_implied_role = policy.DeprecatedRule( | 18 | deprecated_get_implied_role = policy.DeprecatedRule( |
2698 | 23 | name=base.IDENTITY % 'get_implied_role', | 19 | name=base.IDENTITY % 'get_implied_role', |
2702 | 24 | check_str=base.RULE_ADMIN_REQUIRED, | 20 | check_str=base.RULE_ADMIN_REQUIRED |
2700 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
2701 | 26 | deprecated_since=versionutils.deprecated.TRAIN | ||
2703 | 27 | ) | 21 | ) |
2704 | 28 | deprecated_list_implied_roles = policy.DeprecatedRule( | 22 | deprecated_list_implied_roles = policy.DeprecatedRule( |
2705 | 29 | name=base.IDENTITY % 'list_implied_roles', | 23 | name=base.IDENTITY % 'list_implied_roles', |
2706 | 30 | check_str=base.RULE_ADMIN_REQUIRED, | 24 | check_str=base.RULE_ADMIN_REQUIRED, |
2707 | 31 | deprecated_reason=DEPRECATED_REASON, | ||
2708 | 32 | deprecated_since=versionutils.deprecated.TRAIN | ||
2709 | 33 | ) | 25 | ) |
2710 | 34 | deprecated_list_role_inference_rules = policy.DeprecatedRule( | 26 | deprecated_list_role_inference_rules = policy.DeprecatedRule( |
2711 | 35 | name=base.IDENTITY % 'list_role_inference_rules', | 27 | name=base.IDENTITY % 'list_role_inference_rules', |
2712 | 36 | check_str=base.RULE_ADMIN_REQUIRED, | 28 | check_str=base.RULE_ADMIN_REQUIRED, |
2713 | 37 | deprecated_reason=DEPRECATED_REASON, | ||
2714 | 38 | deprecated_since=versionutils.deprecated.TRAIN | ||
2715 | 39 | ) | 29 | ) |
2716 | 40 | deprecated_check_implied_role = policy.DeprecatedRule( | 30 | deprecated_check_implied_role = policy.DeprecatedRule( |
2717 | 41 | name=base.IDENTITY % 'check_implied_role', | 31 | name=base.IDENTITY % 'check_implied_role', |
2718 | 42 | check_str=base.RULE_ADMIN_REQUIRED, | 32 | check_str=base.RULE_ADMIN_REQUIRED, |
2719 | 43 | deprecated_reason=DEPRECATED_REASON, | ||
2720 | 44 | deprecated_since=versionutils.deprecated.TRAIN | ||
2721 | 45 | ) | 33 | ) |
2722 | 46 | deprecated_create_implied_role = policy.DeprecatedRule( | 34 | deprecated_create_implied_role = policy.DeprecatedRule( |
2723 | 47 | name=base.IDENTITY % 'create_implied_role', | 35 | name=base.IDENTITY % 'create_implied_role', |
2724 | 48 | check_str=base.RULE_ADMIN_REQUIRED, | 36 | check_str=base.RULE_ADMIN_REQUIRED, |
2725 | 49 | deprecated_reason=DEPRECATED_REASON, | ||
2726 | 50 | deprecated_since=versionutils.deprecated.TRAIN | ||
2727 | 51 | ) | 37 | ) |
2728 | 52 | deprecated_delete_implied_role = policy.DeprecatedRule( | 38 | deprecated_delete_implied_role = policy.DeprecatedRule( |
2729 | 53 | name=base.IDENTITY % 'delete_implied_role', | 39 | name=base.IDENTITY % 'delete_implied_role', |
2730 | 54 | check_str=base.RULE_ADMIN_REQUIRED, | 40 | check_str=base.RULE_ADMIN_REQUIRED, |
2733 | 55 | deprecated_reason=DEPRECATED_REASON, | 41 | ) |
2734 | 56 | deprecated_since=versionutils.deprecated.TRAIN | 42 | |
2735 | 43 | DEPRECATED_REASON = ( | ||
2736 | 44 | "The implied role API is now aware of system scope and default roles." | ||
2737 | 57 | ) | 45 | ) |
2738 | 58 | 46 | ||
2739 | 59 | 47 | ||
2740 | @@ -73,7 +61,9 @@ implied_role_policies = [ | |||
2741 | 73 | operations=[ | 61 | operations=[ |
2742 | 74 | {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}', | 62 | {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}', |
2743 | 75 | 'method': 'GET'}], | 63 | 'method': 'GET'}], |
2745 | 76 | deprecated_rule=deprecated_get_implied_role), | 64 | deprecated_rule=deprecated_get_implied_role, |
2746 | 65 | deprecated_reason=DEPRECATED_REASON, | ||
2747 | 66 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2748 | 77 | policy.DocumentedRuleDefault( | 67 | policy.DocumentedRuleDefault( |
2749 | 78 | name=base.IDENTITY % 'list_implied_roles', | 68 | name=base.IDENTITY % 'list_implied_roles', |
2750 | 79 | check_str=base.SYSTEM_READER, | 69 | check_str=base.SYSTEM_READER, |
2751 | @@ -87,7 +77,9 @@ implied_role_policies = [ | |||
2752 | 87 | operations=[ | 77 | operations=[ |
2753 | 88 | {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'GET'}, | 78 | {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'GET'}, |
2754 | 89 | {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'HEAD'}], | 79 | {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'HEAD'}], |
2756 | 90 | deprecated_rule=deprecated_list_implied_roles), | 80 | deprecated_rule=deprecated_list_implied_roles, |
2757 | 81 | deprecated_reason=DEPRECATED_REASON, | ||
2758 | 82 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2759 | 91 | policy.DocumentedRuleDefault( | 83 | policy.DocumentedRuleDefault( |
2760 | 92 | name=base.IDENTITY % 'create_implied_role', | 84 | name=base.IDENTITY % 'create_implied_role', |
2761 | 93 | check_str=base.SYSTEM_ADMIN, | 85 | check_str=base.SYSTEM_ADMIN, |
2762 | @@ -99,7 +91,9 @@ implied_role_policies = [ | |||
2763 | 99 | operations=[ | 91 | operations=[ |
2764 | 100 | {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}', | 92 | {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}', |
2765 | 101 | 'method': 'PUT'}], | 93 | 'method': 'PUT'}], |
2767 | 102 | deprecated_rule=deprecated_create_implied_role), | 94 | deprecated_rule=deprecated_create_implied_role, |
2768 | 95 | deprecated_reason=DEPRECATED_REASON, | ||
2769 | 96 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2770 | 103 | policy.DocumentedRuleDefault( | 97 | policy.DocumentedRuleDefault( |
2771 | 104 | name=base.IDENTITY % 'delete_implied_role', | 98 | name=base.IDENTITY % 'delete_implied_role', |
2772 | 105 | check_str=base.SYSTEM_ADMIN, | 99 | check_str=base.SYSTEM_ADMIN, |
2773 | @@ -112,7 +106,9 @@ implied_role_policies = [ | |||
2774 | 112 | operations=[ | 106 | operations=[ |
2775 | 113 | {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}', | 107 | {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}', |
2776 | 114 | 'method': 'DELETE'}], | 108 | 'method': 'DELETE'}], |
2778 | 115 | deprecated_rule=deprecated_delete_implied_role), | 109 | deprecated_rule=deprecated_delete_implied_role, |
2779 | 110 | deprecated_reason=DEPRECATED_REASON, | ||
2780 | 111 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2781 | 116 | policy.DocumentedRuleDefault( | 112 | policy.DocumentedRuleDefault( |
2782 | 117 | name=base.IDENTITY % 'list_role_inference_rules', | 113 | name=base.IDENTITY % 'list_role_inference_rules', |
2783 | 118 | check_str=base.SYSTEM_READER, | 114 | check_str=base.SYSTEM_READER, |
2784 | @@ -124,7 +120,9 @@ implied_role_policies = [ | |||
2785 | 124 | operations=[ | 120 | operations=[ |
2786 | 125 | {'path': '/v3/role_inferences', 'method': 'GET'}, | 121 | {'path': '/v3/role_inferences', 'method': 'GET'}, |
2787 | 126 | {'path': '/v3/role_inferences', 'method': 'HEAD'}], | 122 | {'path': '/v3/role_inferences', 'method': 'HEAD'}], |
2789 | 127 | deprecated_rule=deprecated_list_role_inference_rules), | 123 | deprecated_rule=deprecated_list_role_inference_rules, |
2790 | 124 | deprecated_reason=DEPRECATED_REASON, | ||
2791 | 125 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2792 | 128 | policy.DocumentedRuleDefault( | 126 | policy.DocumentedRuleDefault( |
2793 | 129 | name=base.IDENTITY % 'check_implied_role', | 127 | name=base.IDENTITY % 'check_implied_role', |
2794 | 130 | check_str=base.SYSTEM_READER, | 128 | check_str=base.SYSTEM_READER, |
2795 | @@ -136,7 +134,9 @@ implied_role_policies = [ | |||
2796 | 136 | operations=[ | 134 | operations=[ |
2797 | 137 | {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}', | 135 | {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}', |
2798 | 138 | 'method': 'HEAD'}], | 136 | 'method': 'HEAD'}], |
2800 | 139 | deprecated_rule=deprecated_check_implied_role), | 137 | deprecated_rule=deprecated_check_implied_role, |
2801 | 138 | deprecated_reason=DEPRECATED_REASON, | ||
2802 | 139 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2803 | 140 | ] | 140 | ] |
2804 | 141 | 141 | ||
2805 | 142 | 142 | ||
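Review bot: Nothing in the new file says that `deprecated_rule=deprecated_get_implied_role` keeps the legacy `base.RULE_ADMIN_REQUIRED` check in force next to `base.SYSTEM_READER` / `base.SYSTEM_ADMIN` until an operator opts into the new defaults, which is the first thing anyone auditing who can read or change implied roles needs to know. A module comment above `DEPRECATED_REASON` (new line 43) would cover it: `# oslo.policy evaluates each rule below as "check_str OR deprecated_rule.check_str" and logs a deprecation warning until [oslo_policy] enforce_new_defaults is enabled (where the installed oslo.policy provides that option).` The same gap exists in the `mapping.py` and `policy.py` sections below and, judging by its header, in `policy_association.py`, whose section runs past the end of this view. Separately, new line 20 drops the trailing comma after `check_str=base.RULE_ADMIN_REQUIRED` while lines 24–40 keep it; `check_str=base.RULE_ADMIN_REQUIRED,` would make the six definitions uniform.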
2806 | diff --git a/keystone/common/policies/mapping.py b/keystone/common/policies/mapping.py | |||
2807 | index 6c4f0de..498bc7c 100644 | |||
2808 | --- a/keystone/common/policies/mapping.py | |||
2809 | +++ b/keystone/common/policies/mapping.py | |||
2810 | @@ -15,41 +15,30 @@ from oslo_policy import policy | |||
2811 | 15 | 15 | ||
2812 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
2813 | 17 | 17 | ||
2814 | 18 | DEPRECATED_REASON = ( | ||
2815 | 19 | "The federated mapping API is now aware of system scope and default roles." | ||
2816 | 20 | ) | ||
2817 | 21 | |||
2818 | 22 | deprecated_get_mapping = policy.DeprecatedRule( | 18 | deprecated_get_mapping = policy.DeprecatedRule( |
2819 | 23 | name=base.IDENTITY % 'get_mapping', | 19 | name=base.IDENTITY % 'get_mapping', |
2823 | 24 | check_str=base.RULE_ADMIN_REQUIRED, | 20 | check_str=base.RULE_ADMIN_REQUIRED |
2821 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
2822 | 26 | deprecated_since=versionutils.deprecated.STEIN | ||
2824 | 27 | ) | 21 | ) |
2825 | 28 | deprecated_list_mappings = policy.DeprecatedRule( | 22 | deprecated_list_mappings = policy.DeprecatedRule( |
2826 | 29 | name=base.IDENTITY % 'list_mappings', | 23 | name=base.IDENTITY % 'list_mappings', |
2830 | 30 | check_str=base.RULE_ADMIN_REQUIRED, | 24 | check_str=base.RULE_ADMIN_REQUIRED |
2828 | 31 | deprecated_reason=DEPRECATED_REASON, | ||
2829 | 32 | deprecated_since=versionutils.deprecated.STEIN | ||
2831 | 33 | ) | 25 | ) |
2832 | 34 | deprecated_update_mapping = policy.DeprecatedRule( | 26 | deprecated_update_mapping = policy.DeprecatedRule( |
2833 | 35 | name=base.IDENTITY % 'update_mapping', | 27 | name=base.IDENTITY % 'update_mapping', |
2837 | 36 | check_str=base.RULE_ADMIN_REQUIRED, | 28 | check_str=base.RULE_ADMIN_REQUIRED |
2835 | 37 | deprecated_reason=DEPRECATED_REASON, | ||
2836 | 38 | deprecated_since=versionutils.deprecated.STEIN | ||
2838 | 39 | ) | 29 | ) |
2839 | 40 | deprecated_create_mapping = policy.DeprecatedRule( | 30 | deprecated_create_mapping = policy.DeprecatedRule( |
2840 | 41 | name=base.IDENTITY % 'create_mapping', | 31 | name=base.IDENTITY % 'create_mapping', |
2844 | 42 | check_str=base.RULE_ADMIN_REQUIRED, | 32 | check_str=base.RULE_ADMIN_REQUIRED |
2842 | 43 | deprecated_reason=DEPRECATED_REASON, | ||
2843 | 44 | deprecated_since=versionutils.deprecated.STEIN | ||
2845 | 45 | ) | 33 | ) |
2846 | 46 | deprecated_delete_mapping = policy.DeprecatedRule( | 34 | deprecated_delete_mapping = policy.DeprecatedRule( |
2847 | 47 | name=base.IDENTITY % 'delete_mapping', | 35 | name=base.IDENTITY % 'delete_mapping', |
2851 | 48 | check_str=base.RULE_ADMIN_REQUIRED, | 36 | check_str=base.RULE_ADMIN_REQUIRED |
2849 | 49 | deprecated_reason=DEPRECATED_REASON, | ||
2850 | 50 | deprecated_since=versionutils.deprecated.STEIN | ||
2852 | 51 | ) | 37 | ) |
2853 | 52 | 38 | ||
2854 | 39 | DEPRECATED_REASON = ( | ||
2855 | 40 | "The federated mapping API is now aware of system scope and default roles." | ||
2856 | 41 | ) | ||
2857 | 53 | 42 | ||
2858 | 54 | mapping_policies = [ | 43 | mapping_policies = [ |
2859 | 55 | policy.DocumentedRuleDefault( | 44 | policy.DocumentedRuleDefault( |
2860 | @@ -66,7 +55,9 @@ mapping_policies = [ | |||
2861 | 66 | 'more sets of rules.'), | 55 | 'more sets of rules.'), |
2862 | 67 | operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}', | 56 | operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}', |
2863 | 68 | 'method': 'PUT'}], | 57 | 'method': 'PUT'}], |
2865 | 69 | deprecated_rule=deprecated_create_mapping), | 58 | deprecated_rule=deprecated_create_mapping, |
2866 | 59 | deprecated_reason=DEPRECATED_REASON, | ||
2867 | 60 | deprecated_since=versionutils.deprecated.STEIN), | ||
2868 | 70 | policy.DocumentedRuleDefault( | 61 | policy.DocumentedRuleDefault( |
2869 | 71 | name=base.IDENTITY % 'get_mapping', | 62 | name=base.IDENTITY % 'get_mapping', |
2870 | 72 | check_str=base.SYSTEM_READER, | 63 | check_str=base.SYSTEM_READER, |
2871 | @@ -82,7 +73,9 @@ mapping_policies = [ | |||
2872 | 82 | 'method': 'HEAD' | 73 | 'method': 'HEAD' |
2873 | 83 | } | 74 | } |
2874 | 84 | ], | 75 | ], |
2876 | 85 | deprecated_rule=deprecated_get_mapping | 76 | deprecated_rule=deprecated_get_mapping, |
2877 | 77 | deprecated_reason=DEPRECATED_REASON, | ||
2878 | 78 | deprecated_since=versionutils.deprecated.STEIN | ||
2879 | 86 | ), | 79 | ), |
2880 | 87 | policy.DocumentedRuleDefault( | 80 | policy.DocumentedRuleDefault( |
2881 | 88 | name=base.IDENTITY % 'list_mappings', | 81 | name=base.IDENTITY % 'list_mappings', |
2882 | @@ -100,6 +93,8 @@ mapping_policies = [ | |||
2883 | 100 | } | 93 | } |
2884 | 101 | ], | 94 | ], |
2885 | 102 | deprecated_rule=deprecated_list_mappings, | 95 | deprecated_rule=deprecated_list_mappings, |
2886 | 96 | deprecated_reason=DEPRECATED_REASON, | ||
2887 | 97 | deprecated_since=versionutils.deprecated.STEIN | ||
2888 | 103 | ), | 98 | ), |
2889 | 104 | policy.DocumentedRuleDefault( | 99 | policy.DocumentedRuleDefault( |
2890 | 105 | name=base.IDENTITY % 'delete_mapping', | 100 | name=base.IDENTITY % 'delete_mapping', |
2891 | @@ -108,7 +103,9 @@ mapping_policies = [ | |||
2892 | 108 | description='Delete a federated mapping.', | 103 | description='Delete a federated mapping.', |
2893 | 109 | operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}', | 104 | operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}', |
2894 | 110 | 'method': 'DELETE'}], | 105 | 'method': 'DELETE'}], |
2896 | 111 | deprecated_rule=deprecated_delete_mapping), | 106 | deprecated_rule=deprecated_delete_mapping, |
2897 | 107 | deprecated_reason=DEPRECATED_REASON, | ||
2898 | 108 | deprecated_since=versionutils.deprecated.STEIN), | ||
2899 | 112 | policy.DocumentedRuleDefault( | 109 | policy.DocumentedRuleDefault( |
2900 | 113 | name=base.IDENTITY % 'update_mapping', | 110 | name=base.IDENTITY % 'update_mapping', |
2901 | 114 | check_str=base.SYSTEM_ADMIN, | 111 | check_str=base.SYSTEM_ADMIN, |
2902 | @@ -116,7 +113,9 @@ mapping_policies = [ | |||
2903 | 116 | description='Update a federated mapping.', | 113 | description='Update a federated mapping.', |
2904 | 117 | operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}', | 114 | operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}', |
2905 | 118 | 'method': 'PATCH'}], | 115 | 'method': 'PATCH'}], |
2907 | 119 | deprecated_rule=deprecated_update_mapping) | 116 | deprecated_rule=deprecated_update_mapping, |
2908 | 117 | deprecated_reason=DEPRECATED_REASON, | ||
2909 | 118 | deprecated_since=versionutils.deprecated.STEIN) | ||
2910 | 120 | ] | 119 | ] |
2911 | 121 | 120 | ||
2912 | 122 | 121 | ||
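Review bot: All five `DeprecatedRule` calls now end in `check_str=base.RULE_ADMIN_REQUIRED` with no trailing comma (new lines 20, 24, 28, 32, 36), while `policy.py` below keeps the comma on the identical construct, so the two files disagree on the style of the same five-line pattern. Keeping `check_str=base.RULE_ADMIN_REQUIRED,` on each would match `policy.py` and keep a later one-argument addition to a single-line diff. The `DocumentedRuleDefault` entries in this file are likewise mixed, closing on the argument line at new line 60 but on a separate `),` line at 79 and 98; picking one form for the list would be the clearer read.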
2913 | diff --git a/keystone/common/policies/policy.py b/keystone/common/policies/policy.py | |||
2914 | index 502fa9d..4c912f3 100644 | |||
2915 | --- a/keystone/common/policies/policy.py | |||
2916 | +++ b/keystone/common/policies/policy.py | |||
2917 | @@ -15,43 +15,33 @@ from oslo_policy import policy | |||
2918 | 15 | 15 | ||
2919 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
2920 | 17 | 17 | ||
2921 | 18 | DEPRECATED_REASON = ( | ||
2922 | 19 | "The policy API is now aware of system scope and default roles." | ||
2923 | 20 | ) | ||
2924 | 21 | |||
2925 | 22 | deprecated_get_policy = policy.DeprecatedRule( | 18 | deprecated_get_policy = policy.DeprecatedRule( |
2926 | 23 | name=base.IDENTITY % 'get_policy', | 19 | name=base.IDENTITY % 'get_policy', |
2927 | 24 | check_str=base.RULE_ADMIN_REQUIRED, | 20 | check_str=base.RULE_ADMIN_REQUIRED, |
2928 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
2929 | 26 | deprecated_since=versionutils.deprecated.TRAIN | ||
2930 | 27 | ) | 21 | ) |
2931 | 28 | 22 | ||
2932 | 29 | deprecated_list_policies = policy.DeprecatedRule( | 23 | deprecated_list_policies = policy.DeprecatedRule( |
2933 | 30 | name=base.IDENTITY % 'list_policies', | 24 | name=base.IDENTITY % 'list_policies', |
2934 | 31 | check_str=base.RULE_ADMIN_REQUIRED, | 25 | check_str=base.RULE_ADMIN_REQUIRED, |
2935 | 32 | deprecated_reason=DEPRECATED_REASON, | ||
2936 | 33 | deprecated_since=versionutils.deprecated.TRAIN | ||
2937 | 34 | ) | 26 | ) |
2938 | 35 | 27 | ||
2939 | 36 | deprecated_update_policy = policy.DeprecatedRule( | 28 | deprecated_update_policy = policy.DeprecatedRule( |
2940 | 37 | name=base.IDENTITY % 'update_policy', | 29 | name=base.IDENTITY % 'update_policy', |
2941 | 38 | check_str=base.RULE_ADMIN_REQUIRED, | 30 | check_str=base.RULE_ADMIN_REQUIRED, |
2942 | 39 | deprecated_reason=DEPRECATED_REASON, | ||
2943 | 40 | deprecated_since=versionutils.deprecated.TRAIN | ||
2944 | 41 | ) | 31 | ) |
2945 | 42 | 32 | ||
2946 | 43 | deprecated_create_policy = policy.DeprecatedRule( | 33 | deprecated_create_policy = policy.DeprecatedRule( |
2947 | 44 | name=base.IDENTITY % 'create_policy', | 34 | name=base.IDENTITY % 'create_policy', |
2948 | 45 | check_str=base.RULE_ADMIN_REQUIRED, | 35 | check_str=base.RULE_ADMIN_REQUIRED, |
2949 | 46 | deprecated_reason=DEPRECATED_REASON, | ||
2950 | 47 | deprecated_since=versionutils.deprecated.TRAIN | ||
2951 | 48 | ) | 36 | ) |
2952 | 49 | 37 | ||
2953 | 50 | deprecated_delete_policy = policy.DeprecatedRule( | 38 | deprecated_delete_policy = policy.DeprecatedRule( |
2954 | 51 | name=base.IDENTITY % 'delete_policy', | 39 | name=base.IDENTITY % 'delete_policy', |
2955 | 52 | check_str=base.RULE_ADMIN_REQUIRED, | 40 | check_str=base.RULE_ADMIN_REQUIRED, |
2958 | 53 | deprecated_reason=DEPRECATED_REASON, | 41 | ) |
2959 | 54 | deprecated_since=versionutils.deprecated.TRAIN | 42 | |
2960 | 43 | DEPRECATED_REASON = ( | ||
2961 | 44 | "The policy API is now aware of system scope and default roles." | ||
2962 | 55 | ) | 45 | ) |
2963 | 56 | 46 | ||
2964 | 57 | 47 | ||
2965 | @@ -65,7 +55,9 @@ policy_policies = [ | |||
2966 | 65 | description='Show policy details.', | 55 | description='Show policy details.', |
2967 | 66 | operations=[{'path': '/v3/policies/{policy_id}', | 56 | operations=[{'path': '/v3/policies/{policy_id}', |
2968 | 67 | 'method': 'GET'}], | 57 | 'method': 'GET'}], |
2970 | 68 | deprecated_rule=deprecated_get_policy), | 58 | deprecated_rule=deprecated_get_policy, |
2971 | 59 | deprecated_reason=DEPRECATED_REASON, | ||
2972 | 60 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2973 | 69 | policy.DocumentedRuleDefault( | 61 | policy.DocumentedRuleDefault( |
2974 | 70 | name=base.IDENTITY % 'list_policies', | 62 | name=base.IDENTITY % 'list_policies', |
2975 | 71 | check_str=base.SYSTEM_READER, | 63 | check_str=base.SYSTEM_READER, |
2976 | @@ -73,7 +65,9 @@ policy_policies = [ | |||
2977 | 73 | description='List policies.', | 65 | description='List policies.', |
2978 | 74 | operations=[{'path': '/v3/policies', | 66 | operations=[{'path': '/v3/policies', |
2979 | 75 | 'method': 'GET'}], | 67 | 'method': 'GET'}], |
2981 | 76 | deprecated_rule=deprecated_list_policies), | 68 | deprecated_rule=deprecated_list_policies, |
2982 | 69 | deprecated_reason=DEPRECATED_REASON, | ||
2983 | 70 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2984 | 77 | policy.DocumentedRuleDefault( | 71 | policy.DocumentedRuleDefault( |
2985 | 78 | name=base.IDENTITY % 'create_policy', | 72 | name=base.IDENTITY % 'create_policy', |
2986 | 79 | check_str=base.SYSTEM_ADMIN, | 73 | check_str=base.SYSTEM_ADMIN, |
2987 | @@ -81,7 +75,9 @@ policy_policies = [ | |||
2988 | 81 | description='Create policy.', | 75 | description='Create policy.', |
2989 | 82 | operations=[{'path': '/v3/policies', | 76 | operations=[{'path': '/v3/policies', |
2990 | 83 | 'method': 'POST'}], | 77 | 'method': 'POST'}], |
2992 | 84 | deprecated_rule=deprecated_create_policy), | 78 | deprecated_rule=deprecated_create_policy, |
2993 | 79 | deprecated_reason=DEPRECATED_REASON, | ||
2994 | 80 | deprecated_since=versionutils.deprecated.TRAIN), | ||
2995 | 85 | policy.DocumentedRuleDefault( | 81 | policy.DocumentedRuleDefault( |
2996 | 86 | name=base.IDENTITY % 'update_policy', | 82 | name=base.IDENTITY % 'update_policy', |
2997 | 87 | check_str=base.SYSTEM_ADMIN, | 83 | check_str=base.SYSTEM_ADMIN, |
2998 | @@ -89,7 +85,9 @@ policy_policies = [ | |||
2999 | 89 | description='Update policy.', | 85 | description='Update policy.', |
3000 | 90 | operations=[{'path': '/v3/policies/{policy_id}', | 86 | operations=[{'path': '/v3/policies/{policy_id}', |
3001 | 91 | 'method': 'PATCH'}], | 87 | 'method': 'PATCH'}], |
3003 | 92 | deprecated_rule=deprecated_update_policy), | 88 | deprecated_rule=deprecated_update_policy, |
3004 | 89 | deprecated_reason=DEPRECATED_REASON, | ||
3005 | 90 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3006 | 93 | policy.DocumentedRuleDefault( | 91 | policy.DocumentedRuleDefault( |
3007 | 94 | name=base.IDENTITY % 'delete_policy', | 92 | name=base.IDENTITY % 'delete_policy', |
3008 | 95 | check_str=base.SYSTEM_ADMIN, | 93 | check_str=base.SYSTEM_ADMIN, |
3009 | @@ -97,7 +95,9 @@ policy_policies = [ | |||
3010 | 97 | description='Delete policy.', | 95 | description='Delete policy.', |
3011 | 98 | operations=[{'path': '/v3/policies/{policy_id}', | 96 | operations=[{'path': '/v3/policies/{policy_id}', |
3012 | 99 | 'method': 'DELETE'}], | 97 | 'method': 'DELETE'}], |
3014 | 100 | deprecated_rule=deprecated_delete_policy) | 98 | deprecated_rule=deprecated_delete_policy, |
3015 | 99 | deprecated_reason=DEPRECATED_REASON, | ||
3016 | 100 | deprecated_since=versionutils.deprecated.TRAIN) | ||
3017 | 101 | ] | 101 | ] |
3018 | 102 | 102 | ||
3019 | 103 | 103 | ||
3020 | diff --git a/keystone/common/policies/policy_association.py b/keystone/common/policies/policy_association.py | |||
3021 | index 1cf6f86..af57900 100644 | |||
3022 | --- a/keystone/common/policies/policy_association.py | |||
3023 | +++ b/keystone/common/policies/policy_association.py | |||
3024 | @@ -19,88 +19,65 @@ from keystone.common.policies import base | |||
3025 | 19 | # System-scoped tokens should be required to manage policy associations to | 19 | # System-scoped tokens should be required to manage policy associations to |
3026 | 20 | # existing system-level resources. | 20 | # existing system-level resources. |
3027 | 21 | 21 | ||
3028 | 22 | DEPRECATED_REASON = ( | ||
3029 | 23 | "The policy association API is now aware of system scope and default " | ||
3030 | 24 | "roles." | ||
3031 | 25 | ) | ||
3032 | 26 | |||
3033 | 27 | deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule( | 22 | deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule( |
3034 | 28 | name=base.IDENTITY % 'check_policy_association_for_endpoint', | 23 | name=base.IDENTITY % 'check_policy_association_for_endpoint', |
3035 | 29 | check_str=base.RULE_ADMIN_REQUIRED, | 24 | check_str=base.RULE_ADMIN_REQUIRED, |
3036 | 30 | deprecated_reason=DEPRECATED_REASON, | ||
3037 | 31 | deprecated_since=versionutils.deprecated.TRAIN | ||
3038 | 32 | ) | 25 | ) |
3039 | 33 | 26 | ||
3040 | 34 | deprecated_check_policy_assoc_for_service = policy.DeprecatedRule( | 27 | deprecated_check_policy_assoc_for_service = policy.DeprecatedRule( |
3041 | 35 | name=base.IDENTITY % 'check_policy_association_for_service', | 28 | name=base.IDENTITY % 'check_policy_association_for_service', |
3042 | 36 | check_str=base.RULE_ADMIN_REQUIRED, | 29 | check_str=base.RULE_ADMIN_REQUIRED, |
3043 | 37 | deprecated_reason=DEPRECATED_REASON, | ||
3044 | 38 | deprecated_since=versionutils.deprecated.TRAIN | ||
3045 | 39 | ) | 30 | ) |
3046 | 40 | 31 | ||
3047 | 41 | deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule( | 32 | deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule( |
3048 | 42 | name=base.IDENTITY % 'check_policy_association_for_region_and_service', | 33 | name=base.IDENTITY % 'check_policy_association_for_region_and_service', |
3049 | 43 | check_str=base.RULE_ADMIN_REQUIRED, | 34 | check_str=base.RULE_ADMIN_REQUIRED, |
3050 | 44 | deprecated_reason=DEPRECATED_REASON, | ||
3051 | 45 | deprecated_since=versionutils.deprecated.TRAIN | ||
3052 | 46 | ) | 35 | ) |
3053 | 47 | 36 | ||
3054 | 48 | deprecated_get_policy_for_endpoint = policy.DeprecatedRule( | 37 | deprecated_get_policy_for_endpoint = policy.DeprecatedRule( |
3055 | 49 | name=base.IDENTITY % 'get_policy_for_endpoint', | 38 | name=base.IDENTITY % 'get_policy_for_endpoint', |
3056 | 50 | check_str=base.RULE_ADMIN_REQUIRED, | 39 | check_str=base.RULE_ADMIN_REQUIRED, |
3057 | 51 | deprecated_reason=DEPRECATED_REASON, | ||
3058 | 52 | deprecated_since=versionutils.deprecated.TRAIN | ||
3059 | 53 | ) | 40 | ) |
3060 | 54 | 41 | ||
3061 | 55 | deprecated_list_endpoints_for_policy = policy.DeprecatedRule( | 42 | deprecated_list_endpoints_for_policy = policy.DeprecatedRule( |
3062 | 56 | name=base.IDENTITY % 'list_endpoints_for_policy', | 43 | name=base.IDENTITY % 'list_endpoints_for_policy', |
3063 | 57 | check_str=base.RULE_ADMIN_REQUIRED, | 44 | check_str=base.RULE_ADMIN_REQUIRED, |
3064 | 58 | deprecated_reason=DEPRECATED_REASON, | ||
3065 | 59 | deprecated_since=versionutils.deprecated.TRAIN | ||
3066 | 60 | ) | 45 | ) |
3067 | 61 | 46 | ||
3068 | 62 | deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule( | 47 | deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule( |
3069 | 63 | name=base.IDENTITY % 'create_policy_association_for_endpoint', | 48 | name=base.IDENTITY % 'create_policy_association_for_endpoint', |
3070 | 64 | check_str=base.RULE_ADMIN_REQUIRED, | 49 | check_str=base.RULE_ADMIN_REQUIRED, |
3071 | 65 | deprecated_reason=DEPRECATED_REASON, | ||
3072 | 66 | deprecated_since=versionutils.deprecated.TRAIN | ||
3073 | 67 | ) | 50 | ) |
3074 | 68 | 51 | ||
3075 | 69 | deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule( | 52 | deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule( |
3076 | 70 | name=base.IDENTITY % 'delete_policy_association_for_endpoint', | 53 | name=base.IDENTITY % 'delete_policy_association_for_endpoint', |
3077 | 71 | check_str=base.RULE_ADMIN_REQUIRED, | 54 | check_str=base.RULE_ADMIN_REQUIRED, |
3078 | 72 | deprecated_reason=DEPRECATED_REASON, | ||
3079 | 73 | deprecated_since=versionutils.deprecated.TRAIN | ||
3080 | 74 | ) | 55 | ) |
3081 | 75 | 56 | ||
3082 | 76 | deprecated_create_policy_assoc_for_service = policy.DeprecatedRule( | 57 | deprecated_create_policy_assoc_for_service = policy.DeprecatedRule( |
3083 | 77 | name=base.IDENTITY % 'create_policy_association_for_service', | 58 | name=base.IDENTITY % 'create_policy_association_for_service', |
3084 | 78 | check_str=base.RULE_ADMIN_REQUIRED, | 59 | check_str=base.RULE_ADMIN_REQUIRED, |
3085 | 79 | deprecated_reason=DEPRECATED_REASON, | ||
3086 | 80 | deprecated_since=versionutils.deprecated.TRAIN | ||
3087 | 81 | ) | 60 | ) |
3088 | 82 | 61 | ||
3089 | 83 | deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule( | 62 | deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule( |
3090 | 84 | name=base.IDENTITY % 'delete_policy_association_for_service', | 63 | name=base.IDENTITY % 'delete_policy_association_for_service', |
3091 | 85 | check_str=base.RULE_ADMIN_REQUIRED, | 64 | check_str=base.RULE_ADMIN_REQUIRED, |
3092 | 86 | deprecated_reason=DEPRECATED_REASON, | ||
3093 | 87 | deprecated_since=versionutils.deprecated.TRAIN | ||
3094 | 88 | ) | 65 | ) |
3095 | 89 | 66 | ||
3096 | 90 | deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule( | 67 | deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule( |
3097 | 91 | name=base.IDENTITY % 'create_policy_association_for_region_and_service', | 68 | name=base.IDENTITY % 'create_policy_association_for_region_and_service', |
3098 | 92 | check_str=base.RULE_ADMIN_REQUIRED, | 69 | check_str=base.RULE_ADMIN_REQUIRED, |
3099 | 93 | deprecated_reason=DEPRECATED_REASON, | ||
3100 | 94 | deprecated_since=versionutils.deprecated.TRAIN | ||
3101 | 95 | ) | 70 | ) |
3102 | 96 | 71 | ||
3103 | 97 | deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule( | 72 | deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule( |
3104 | 98 | name=base.IDENTITY % 'delete_policy_association_for_region_and_service', | 73 | name=base.IDENTITY % 'delete_policy_association_for_region_and_service', |
3105 | 99 | check_str=base.RULE_ADMIN_REQUIRED, | 74 | check_str=base.RULE_ADMIN_REQUIRED, |
3106 | 100 | deprecated_reason=DEPRECATED_REASON, | ||
3107 | 101 | deprecated_since=versionutils.deprecated.TRAIN | ||
3108 | 102 | ) | 75 | ) |
3109 | 103 | 76 | ||
3110 | 77 | DEPRECATED_REASON = ( | ||
3111 | 78 | "The policy association API is now aware of system scope and default " | ||
3112 | 79 | "roles." | ||
3113 | 80 | ) | ||
3114 | 104 | 81 | ||
3115 | 105 | policy_association_policies = [ | 82 | policy_association_policies = [ |
3116 | 106 | policy.DocumentedRuleDefault( | 83 | policy.DocumentedRuleDefault( |
3117 | @@ -111,7 +88,9 @@ policy_association_policies = [ | |||
3118 | 111 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' | 88 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' |
3119 | 112 | 'endpoints/{endpoint_id}'), | 89 | 'endpoints/{endpoint_id}'), |
3120 | 113 | 'method': 'PUT'}], | 90 | 'method': 'PUT'}], |
3122 | 114 | deprecated_rule=deprecated_create_policy_assoc_for_endpoint), | 91 | deprecated_rule=deprecated_create_policy_assoc_for_endpoint, |
3123 | 92 | deprecated_reason=DEPRECATED_REASON, | ||
3124 | 93 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3125 | 115 | policy.DocumentedRuleDefault( | 94 | policy.DocumentedRuleDefault( |
3126 | 116 | name=base.IDENTITY % 'check_policy_association_for_endpoint', | 95 | name=base.IDENTITY % 'check_policy_association_for_endpoint', |
3127 | 117 | check_str=base.SYSTEM_READER, | 96 | check_str=base.SYSTEM_READER, |
3128 | @@ -123,7 +102,9 @@ policy_association_policies = [ | |||
3129 | 123 | {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' | 102 | {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' |
3130 | 124 | 'endpoints/{endpoint_id}'), | 103 | 'endpoints/{endpoint_id}'), |
3131 | 125 | 'method': 'HEAD'}], | 104 | 'method': 'HEAD'}], |
3133 | 126 | deprecated_rule=deprecated_check_policy_assoc_for_endpoint), | 105 | deprecated_rule=deprecated_check_policy_assoc_for_endpoint, |
3134 | 106 | deprecated_reason=DEPRECATED_REASON, | ||
3135 | 107 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3136 | 127 | policy.DocumentedRuleDefault( | 108 | policy.DocumentedRuleDefault( |
3137 | 128 | name=base.IDENTITY % 'delete_policy_association_for_endpoint', | 109 | name=base.IDENTITY % 'delete_policy_association_for_endpoint', |
3138 | 129 | check_str=base.SYSTEM_ADMIN, | 110 | check_str=base.SYSTEM_ADMIN, |
3139 | @@ -132,7 +113,9 @@ policy_association_policies = [ | |||
3140 | 132 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' | 113 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' |
3141 | 133 | 'endpoints/{endpoint_id}'), | 114 | 'endpoints/{endpoint_id}'), |
3142 | 134 | 'method': 'DELETE'}], | 115 | 'method': 'DELETE'}], |
3144 | 135 | deprecated_rule=deprecated_delete_policy_assoc_for_endpoint), | 116 | deprecated_rule=deprecated_delete_policy_assoc_for_endpoint, |
3145 | 117 | deprecated_reason=DEPRECATED_REASON, | ||
3146 | 118 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3147 | 136 | policy.DocumentedRuleDefault( | 119 | policy.DocumentedRuleDefault( |
3148 | 137 | name=base.IDENTITY % 'create_policy_association_for_service', | 120 | name=base.IDENTITY % 'create_policy_association_for_service', |
3149 | 138 | check_str=base.SYSTEM_ADMIN, | 121 | check_str=base.SYSTEM_ADMIN, |
3150 | @@ -141,7 +124,9 @@ policy_association_policies = [ | |||
3151 | 141 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' | 124 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' |
3152 | 142 | 'services/{service_id}'), | 125 | 'services/{service_id}'), |
3153 | 143 | 'method': 'PUT'}], | 126 | 'method': 'PUT'}], |
3155 | 144 | deprecated_rule=deprecated_create_policy_assoc_for_service), | 127 | deprecated_rule=deprecated_create_policy_assoc_for_service, |
3156 | 128 | deprecated_reason=DEPRECATED_REASON, | ||
3157 | 129 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3158 | 145 | policy.DocumentedRuleDefault( | 130 | policy.DocumentedRuleDefault( |
3159 | 146 | name=base.IDENTITY % 'check_policy_association_for_service', | 131 | name=base.IDENTITY % 'check_policy_association_for_service', |
3160 | 147 | check_str=base.SYSTEM_READER, | 132 | check_str=base.SYSTEM_READER, |
3161 | @@ -153,7 +138,9 @@ policy_association_policies = [ | |||
3162 | 153 | {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' | 138 | {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' |
3163 | 154 | 'services/{service_id}'), | 139 | 'services/{service_id}'), |
3164 | 155 | 'method': 'HEAD'}], | 140 | 'method': 'HEAD'}], |
3166 | 156 | deprecated_rule=deprecated_check_policy_assoc_for_service), | 141 | deprecated_rule=deprecated_check_policy_assoc_for_service, |
3167 | 142 | deprecated_reason=DEPRECATED_REASON, | ||
3168 | 143 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3169 | 157 | policy.DocumentedRuleDefault( | 144 | policy.DocumentedRuleDefault( |
3170 | 158 | name=base.IDENTITY % 'delete_policy_association_for_service', | 145 | name=base.IDENTITY % 'delete_policy_association_for_service', |
3171 | 159 | check_str=base.SYSTEM_ADMIN, | 146 | check_str=base.SYSTEM_ADMIN, |
3172 | @@ -162,7 +149,9 @@ policy_association_policies = [ | |||
3173 | 162 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' | 149 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' |
3174 | 163 | 'services/{service_id}'), | 150 | 'services/{service_id}'), |
3175 | 164 | 'method': 'DELETE'}], | 151 | 'method': 'DELETE'}], |
3177 | 165 | deprecated_rule=deprecated_delete_policy_assoc_for_service), | 152 | deprecated_rule=deprecated_delete_policy_assoc_for_service, |
3178 | 153 | deprecated_reason=DEPRECATED_REASON, | ||
3179 | 154 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3180 | 166 | policy.DocumentedRuleDefault( | 155 | policy.DocumentedRuleDefault( |
3181 | 167 | name=base.IDENTITY % ( | 156 | name=base.IDENTITY % ( |
3182 | 168 | 'create_policy_association_for_region_and_service'), | 157 | 'create_policy_association_for_region_and_service'), |
3183 | @@ -173,7 +162,9 @@ policy_association_policies = [ | |||
3184 | 173 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' | 162 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' |
3185 | 174 | 'services/{service_id}/regions/{region_id}'), | 163 | 'services/{service_id}/regions/{region_id}'), |
3186 | 175 | 'method': 'PUT'}], | 164 | 'method': 'PUT'}], |
3188 | 176 | deprecated_rule=deprecated_create_policy_assoc_for_region_and_service), | 165 | deprecated_rule=deprecated_create_policy_assoc_for_region_and_service, |
3189 | 166 | deprecated_reason=DEPRECATED_REASON, | ||
3190 | 167 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3191 | 177 | policy.DocumentedRuleDefault( | 168 | policy.DocumentedRuleDefault( |
3192 | 178 | name=base.IDENTITY % 'check_policy_association_for_region_and_service', | 169 | name=base.IDENTITY % 'check_policy_association_for_region_and_service', |
3193 | 179 | check_str=base.SYSTEM_READER, | 170 | check_str=base.SYSTEM_READER, |
3194 | @@ -185,7 +176,9 @@ policy_association_policies = [ | |||
3195 | 185 | {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' | 176 | {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' |
3196 | 186 | 'services/{service_id}/regions/{region_id}'), | 177 | 'services/{service_id}/regions/{region_id}'), |
3197 | 187 | 'method': 'HEAD'}], | 178 | 'method': 'HEAD'}], |
3199 | 188 | deprecated_rule=deprecated_check_policy_assoc_for_region_and_service), | 179 | deprecated_rule=deprecated_check_policy_assoc_for_region_and_service, |
3200 | 180 | deprecated_reason=DEPRECATED_REASON, | ||
3201 | 181 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3202 | 189 | policy.DocumentedRuleDefault( | 182 | policy.DocumentedRuleDefault( |
3203 | 190 | name=base.IDENTITY % ( | 183 | name=base.IDENTITY % ( |
3204 | 191 | 'delete_policy_association_for_region_and_service'), | 184 | 'delete_policy_association_for_region_and_service'), |
3205 | @@ -195,7 +188,9 @@ policy_association_policies = [ | |||
3206 | 195 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' | 188 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' |
3207 | 196 | 'services/{service_id}/regions/{region_id}'), | 189 | 'services/{service_id}/regions/{region_id}'), |
3208 | 197 | 'method': 'DELETE'}], | 190 | 'method': 'DELETE'}], |
3210 | 198 | deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service), | 191 | deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service, |
3211 | 192 | deprecated_reason=DEPRECATED_REASON, | ||
3212 | 193 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3213 | 199 | policy.DocumentedRuleDefault( | 194 | policy.DocumentedRuleDefault( |
3214 | 200 | name=base.IDENTITY % 'get_policy_for_endpoint', | 195 | name=base.IDENTITY % 'get_policy_for_endpoint', |
3215 | 201 | check_str=base.SYSTEM_READER, | 196 | check_str=base.SYSTEM_READER, |
3216 | @@ -207,7 +202,9 @@ policy_association_policies = [ | |||
3217 | 207 | {'path': ('/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/' | 202 | {'path': ('/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/' |
3218 | 208 | 'policy'), | 203 | 'policy'), |
3219 | 209 | 'method': 'HEAD'}], | 204 | 'method': 'HEAD'}], |
3221 | 210 | deprecated_rule=deprecated_get_policy_for_endpoint), | 205 | deprecated_rule=deprecated_get_policy_for_endpoint, |
3222 | 206 | deprecated_reason=DEPRECATED_REASON, | ||
3223 | 207 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3224 | 211 | policy.DocumentedRuleDefault( | 208 | policy.DocumentedRuleDefault( |
3225 | 212 | name=base.IDENTITY % 'list_endpoints_for_policy', | 209 | name=base.IDENTITY % 'list_endpoints_for_policy', |
3226 | 213 | check_str=base.SYSTEM_READER, | 210 | check_str=base.SYSTEM_READER, |
3227 | @@ -216,7 +213,9 @@ policy_association_policies = [ | |||
3228 | 216 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' | 213 | operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' |
3229 | 217 | 'endpoints'), | 214 | 'endpoints'), |
3230 | 218 | 'method': 'GET'}], | 215 | 'method': 'GET'}], |
3232 | 219 | deprecated_rule=deprecated_list_endpoints_for_policy) | 216 | deprecated_rule=deprecated_list_endpoints_for_policy, |
3233 | 217 | deprecated_reason=DEPRECATED_REASON, | ||
3234 | 218 | deprecated_since=versionutils.deprecated.TRAIN) | ||
3235 | 220 | ] | 219 | ] |
3236 | 221 | 220 | ||
3237 | 222 | 221 | ||
3238 | diff --git a/keystone/common/policies/project.py b/keystone/common/policies/project.py | |||
3239 | index db7cdee..c7b7c0a 100644 | |||
3240 | --- a/keystone/common/policies/project.py | |||
3241 | +++ b/keystone/common/policies/project.py | |||
3242 | @@ -52,84 +52,60 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = ( | |||
3243 | 52 | '(role:admin and domain_id:%(target.project.domain_id)s)' | 52 | '(role:admin and domain_id:%(target.project.domain_id)s)' |
3244 | 53 | ) | 53 | ) |
3245 | 54 | 54 | ||
3246 | 55 | DEPRECATED_REASON = ( | ||
3247 | 56 | "The project API is now aware of system scope and default roles." | ||
3248 | 57 | ) | ||
3249 | 58 | |||
3250 | 59 | deprecated_list_projects = policy.DeprecatedRule( | 55 | deprecated_list_projects = policy.DeprecatedRule( |
3251 | 60 | name=base.IDENTITY % 'list_projects', | 56 | name=base.IDENTITY % 'list_projects', |
3255 | 61 | check_str=base.RULE_ADMIN_REQUIRED, | 57 | check_str=base.RULE_ADMIN_REQUIRED |
3253 | 62 | deprecated_reason=DEPRECATED_REASON, | ||
3254 | 63 | deprecated_since=versionutils.deprecated.STEIN | ||
3256 | 64 | ) | 58 | ) |
3257 | 65 | deprecated_get_project = policy.DeprecatedRule( | 59 | deprecated_get_project = policy.DeprecatedRule( |
3258 | 66 | name=base.IDENTITY % 'get_project', | 60 | name=base.IDENTITY % 'get_project', |
3262 | 67 | check_str=base.RULE_ADMIN_OR_TARGET_PROJECT, | 61 | check_str=base.RULE_ADMIN_OR_TARGET_PROJECT |
3260 | 68 | deprecated_reason=DEPRECATED_REASON, | ||
3261 | 69 | deprecated_since=versionutils.deprecated.STEIN | ||
3263 | 70 | ) | 62 | ) |
3264 | 71 | deprecated_list_user_projects = policy.DeprecatedRule( | 63 | deprecated_list_user_projects = policy.DeprecatedRule( |
3265 | 72 | name=base.IDENTITY % 'list_user_projects', | 64 | name=base.IDENTITY % 'list_user_projects', |
3269 | 73 | check_str=base.RULE_ADMIN_OR_OWNER, | 65 | check_str=base.RULE_ADMIN_OR_OWNER |
3267 | 74 | deprecated_reason=DEPRECATED_REASON, | ||
3268 | 75 | deprecated_since=versionutils.deprecated.STEIN | ||
3270 | 76 | ) | 66 | ) |
3271 | 77 | deprecated_create_project = policy.DeprecatedRule( | 67 | deprecated_create_project = policy.DeprecatedRule( |
3272 | 78 | name=base.IDENTITY % 'create_project', | 68 | name=base.IDENTITY % 'create_project', |
3276 | 79 | check_str=base.RULE_ADMIN_REQUIRED, | 69 | check_str=base.RULE_ADMIN_REQUIRED |
3274 | 80 | deprecated_reason=DEPRECATED_REASON, | ||
3275 | 81 | deprecated_since=versionutils.deprecated.STEIN | ||
3277 | 82 | ) | 70 | ) |
3278 | 83 | deprecated_update_project = policy.DeprecatedRule( | 71 | deprecated_update_project = policy.DeprecatedRule( |
3279 | 84 | name=base.IDENTITY % 'update_project', | 72 | name=base.IDENTITY % 'update_project', |
3283 | 85 | check_str=base.RULE_ADMIN_REQUIRED, | 73 | check_str=base.RULE_ADMIN_REQUIRED |
3281 | 86 | deprecated_reason=DEPRECATED_REASON, | ||
3282 | 87 | deprecated_since=versionutils.deprecated.STEIN | ||
3284 | 88 | ) | 74 | ) |
3285 | 89 | deprecated_delete_project = policy.DeprecatedRule( | 75 | deprecated_delete_project = policy.DeprecatedRule( |
3286 | 90 | name=base.IDENTITY % 'delete_project', | 76 | name=base.IDENTITY % 'delete_project', |
3290 | 91 | check_str=base.RULE_ADMIN_REQUIRED, | 77 | check_str=base.RULE_ADMIN_REQUIRED |
3288 | 92 | deprecated_reason=DEPRECATED_REASON, | ||
3289 | 93 | deprecated_since=versionutils.deprecated.STEIN | ||
3291 | 94 | ) | 78 | ) |
3292 | 95 | deprecated_list_project_tags = policy.DeprecatedRule( | 79 | deprecated_list_project_tags = policy.DeprecatedRule( |
3293 | 96 | name=base.IDENTITY % 'list_project_tags', | 80 | name=base.IDENTITY % 'list_project_tags', |
3297 | 97 | check_str=base.RULE_ADMIN_OR_TARGET_PROJECT, | 81 | check_str=base.RULE_ADMIN_OR_TARGET_PROJECT |
3295 | 98 | deprecated_reason=DEPRECATED_REASON, | ||
3296 | 99 | deprecated_since=versionutils.deprecated.TRAIN | ||
3298 | 100 | ) | 82 | ) |
3299 | 101 | deprecated_get_project_tag = policy.DeprecatedRule( | 83 | deprecated_get_project_tag = policy.DeprecatedRule( |
3300 | 102 | name=base.IDENTITY % 'get_project_tag', | 84 | name=base.IDENTITY % 'get_project_tag', |
3304 | 103 | check_str=base.RULE_ADMIN_OR_TARGET_PROJECT, | 85 | check_str=base.RULE_ADMIN_OR_TARGET_PROJECT |
3302 | 104 | deprecated_reason=DEPRECATED_REASON, | ||
3303 | 105 | deprecated_since=versionutils.deprecated.TRAIN | ||
3305 | 106 | ) | 86 | ) |
3306 | 107 | deprecated_update_project_tag = policy.DeprecatedRule( | 87 | deprecated_update_project_tag = policy.DeprecatedRule( |
3307 | 108 | name=base.IDENTITY % 'update_project_tags', | 88 | name=base.IDENTITY % 'update_project_tags', |
3311 | 109 | check_str=base.RULE_ADMIN_REQUIRED, | 89 | check_str=base.RULE_ADMIN_REQUIRED |
3309 | 110 | deprecated_reason=DEPRECATED_REASON, | ||
3310 | 111 | deprecated_since=versionutils.deprecated.TRAIN | ||
3312 | 112 | ) | 90 | ) |
3313 | 113 | deprecated_create_project_tag = policy.DeprecatedRule( | 91 | deprecated_create_project_tag = policy.DeprecatedRule( |
3314 | 114 | name=base.IDENTITY % 'create_project_tag', | 92 | name=base.IDENTITY % 'create_project_tag', |
3318 | 115 | check_str=base.RULE_ADMIN_REQUIRED, | 93 | check_str=base.RULE_ADMIN_REQUIRED |
3316 | 116 | deprecated_reason=DEPRECATED_REASON, | ||
3317 | 117 | deprecated_since=versionutils.deprecated.TRAIN | ||
3319 | 118 | ) | 94 | ) |
3320 | 119 | deprecated_delete_project_tag = policy.DeprecatedRule( | 95 | deprecated_delete_project_tag = policy.DeprecatedRule( |
3321 | 120 | name=base.IDENTITY % 'delete_project_tag', | 96 | name=base.IDENTITY % 'delete_project_tag', |
3325 | 121 | check_str=base.RULE_ADMIN_REQUIRED, | 97 | check_str=base.RULE_ADMIN_REQUIRED |
3323 | 122 | deprecated_reason=DEPRECATED_REASON, | ||
3324 | 123 | deprecated_since=versionutils.deprecated.TRAIN | ||
3326 | 124 | ) | 98 | ) |
3327 | 125 | deprecated_delete_project_tags = policy.DeprecatedRule( | 99 | deprecated_delete_project_tags = policy.DeprecatedRule( |
3328 | 126 | name=base.IDENTITY % 'delete_project_tags', | 100 | name=base.IDENTITY % 'delete_project_tags', |
3332 | 127 | check_str=base.RULE_ADMIN_REQUIRED, | 101 | check_str=base.RULE_ADMIN_REQUIRED |
3330 | 128 | deprecated_reason=DEPRECATED_REASON, | ||
3331 | 129 | deprecated_since=versionutils.deprecated.TRAIN | ||
3333 | 130 | ) | 102 | ) |
3334 | 131 | 103 | ||
3335 | 132 | 104 | ||
3336 | 105 | DEPRECATED_REASON = ( | ||
3337 | 106 | "The project API is now aware of system scope and default roles." | ||
3338 | 107 | ) | ||
3339 | 108 | |||
3340 | 133 | TAGS_DEPRECATED_REASON = """ | 109 | TAGS_DEPRECATED_REASON = """ |
3341 | 134 | As of the Train release, the project tags API understands how to handle | 110 | As of the Train release, the project tags API understands how to handle |
3342 | 135 | system-scoped tokens in addition to project and domain tokens, making the API | 111 | system-scoped tokens in addition to project and domain tokens, making the API |
3343 | @@ -146,7 +122,9 @@ project_policies = [ | |||
3344 | 146 | description='Show project details.', | 122 | description='Show project details.', |
3345 | 147 | operations=[{'path': '/v3/projects/{project_id}', | 123 | operations=[{'path': '/v3/projects/{project_id}', |
3346 | 148 | 'method': 'GET'}], | 124 | 'method': 'GET'}], |
3348 | 149 | deprecated_rule=deprecated_get_project), | 125 | deprecated_rule=deprecated_get_project, |
3349 | 126 | deprecated_reason=DEPRECATED_REASON, | ||
3350 | 127 | deprecated_since=versionutils.deprecated.STEIN), | ||
3351 | 150 | policy.DocumentedRuleDefault( | 128 | policy.DocumentedRuleDefault( |
3352 | 151 | name=base.IDENTITY % 'list_projects', | 129 | name=base.IDENTITY % 'list_projects', |
3353 | 152 | check_str=SYSTEM_READER_OR_DOMAIN_READER, | 130 | check_str=SYSTEM_READER_OR_DOMAIN_READER, |
3354 | @@ -158,7 +136,9 @@ project_policies = [ | |||
3355 | 158 | description='List projects.', | 136 | description='List projects.', |
3356 | 159 | operations=[{'path': '/v3/projects', | 137 | operations=[{'path': '/v3/projects', |
3357 | 160 | 'method': 'GET'}], | 138 | 'method': 'GET'}], |
3359 | 161 | deprecated_rule=deprecated_list_projects), | 139 | deprecated_rule=deprecated_list_projects, |
3360 | 140 | deprecated_reason=DEPRECATED_REASON, | ||
3361 | 141 | deprecated_since=versionutils.deprecated.STEIN), | ||
3362 | 162 | policy.DocumentedRuleDefault( | 142 | policy.DocumentedRuleDefault( |
3363 | 163 | name=base.IDENTITY % 'list_user_projects', | 143 | name=base.IDENTITY % 'list_user_projects', |
3364 | 164 | check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER, | 144 | check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER, |
3365 | @@ -166,7 +146,9 @@ project_policies = [ | |||
3366 | 166 | description='List projects for user.', | 146 | description='List projects for user.', |
3367 | 167 | operations=[{'path': '/v3/users/{user_id}/projects', | 147 | operations=[{'path': '/v3/users/{user_id}/projects', |
3368 | 168 | 'method': 'GET'}], | 148 | 'method': 'GET'}], |
3370 | 169 | deprecated_rule=deprecated_list_user_projects), | 149 | deprecated_rule=deprecated_list_user_projects, |
3371 | 150 | deprecated_reason=DEPRECATED_REASON, | ||
3372 | 151 | deprecated_since=versionutils.deprecated.STEIN), | ||
3373 | 170 | policy.DocumentedRuleDefault( | 152 | policy.DocumentedRuleDefault( |
3374 | 171 | name=base.IDENTITY % 'create_project', | 153 | name=base.IDENTITY % 'create_project', |
3375 | 172 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, | 154 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
3376 | @@ -174,7 +156,9 @@ project_policies = [ | |||
3377 | 174 | description='Create project.', | 156 | description='Create project.', |
3378 | 175 | operations=[{'path': '/v3/projects', | 157 | operations=[{'path': '/v3/projects', |
3379 | 176 | 'method': 'POST'}], | 158 | 'method': 'POST'}], |
3381 | 177 | deprecated_rule=deprecated_create_project), | 159 | deprecated_rule=deprecated_create_project, |
3382 | 160 | deprecated_reason=DEPRECATED_REASON, | ||
3383 | 161 | deprecated_since=versionutils.deprecated.STEIN), | ||
3384 | 178 | policy.DocumentedRuleDefault( | 162 | policy.DocumentedRuleDefault( |
3385 | 179 | name=base.IDENTITY % 'update_project', | 163 | name=base.IDENTITY % 'update_project', |
3386 | 180 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, | 164 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
3387 | @@ -182,7 +166,9 @@ project_policies = [ | |||
3388 | 182 | description='Update project.', | 166 | description='Update project.', |
3389 | 183 | operations=[{'path': '/v3/projects/{project_id}', | 167 | operations=[{'path': '/v3/projects/{project_id}', |
3390 | 184 | 'method': 'PATCH'}], | 168 | 'method': 'PATCH'}], |
3392 | 185 | deprecated_rule=deprecated_update_project), | 169 | deprecated_rule=deprecated_update_project, |
3393 | 170 | deprecated_reason=DEPRECATED_REASON, | ||
3394 | 171 | deprecated_since=versionutils.deprecated.STEIN), | ||
3395 | 186 | policy.DocumentedRuleDefault( | 172 | policy.DocumentedRuleDefault( |
3396 | 187 | name=base.IDENTITY % 'delete_project', | 173 | name=base.IDENTITY % 'delete_project', |
3397 | 188 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, | 174 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
3398 | @@ -190,7 +176,9 @@ project_policies = [ | |||
3399 | 190 | description='Delete project.', | 176 | description='Delete project.', |
3400 | 191 | operations=[{'path': '/v3/projects/{project_id}', | 177 | operations=[{'path': '/v3/projects/{project_id}', |
3401 | 192 | 'method': 'DELETE'}], | 178 | 'method': 'DELETE'}], |
3403 | 193 | deprecated_rule=deprecated_delete_project), | 179 | deprecated_rule=deprecated_delete_project, |
3404 | 180 | deprecated_reason=DEPRECATED_REASON, | ||
3405 | 181 | deprecated_since=versionutils.deprecated.STEIN), | ||
3406 | 194 | policy.DocumentedRuleDefault( | 182 | policy.DocumentedRuleDefault( |
3407 | 195 | name=base.IDENTITY % 'list_project_tags', | 183 | name=base.IDENTITY % 'list_project_tags', |
3408 | 196 | check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER, | 184 | check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER, |
3409 | @@ -200,7 +188,9 @@ project_policies = [ | |||
3410 | 200 | 'method': 'GET'}, | 188 | 'method': 'GET'}, |
3411 | 201 | {'path': '/v3/projects/{project_id}/tags', | 189 | {'path': '/v3/projects/{project_id}/tags', |
3412 | 202 | 'method': 'HEAD'}], | 190 | 'method': 'HEAD'}], |
3414 | 203 | deprecated_rule=deprecated_list_project_tags), | 191 | deprecated_rule=deprecated_list_project_tags, |
3415 | 192 | deprecated_reason=TAGS_DEPRECATED_REASON, | ||
3416 | 193 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3417 | 204 | policy.DocumentedRuleDefault( | 194 | policy.DocumentedRuleDefault( |
3418 | 205 | name=base.IDENTITY % 'get_project_tag', | 195 | name=base.IDENTITY % 'get_project_tag', |
3419 | 206 | check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER, | 196 | check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER, |
3420 | @@ -210,7 +200,9 @@ project_policies = [ | |||
3421 | 210 | 'method': 'GET'}, | 200 | 'method': 'GET'}, |
3422 | 211 | {'path': '/v3/projects/{project_id}/tags/{value}', | 201 | {'path': '/v3/projects/{project_id}/tags/{value}', |
3423 | 212 | 'method': 'HEAD'}], | 202 | 'method': 'HEAD'}], |
3425 | 213 | deprecated_rule=deprecated_get_project_tag), | 203 | deprecated_rule=deprecated_get_project_tag, |
3426 | 204 | deprecated_reason=TAGS_DEPRECATED_REASON, | ||
3427 | 205 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3428 | 214 | policy.DocumentedRuleDefault( | 206 | policy.DocumentedRuleDefault( |
3429 | 215 | name=base.IDENTITY % 'update_project_tags', | 207 | name=base.IDENTITY % 'update_project_tags', |
3430 | 216 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, | 208 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, |
3431 | @@ -218,7 +210,9 @@ project_policies = [ | |||
3432 | 218 | description='Replace all tags on a project with the new set of tags.', | 210 | description='Replace all tags on a project with the new set of tags.', |
3433 | 219 | operations=[{'path': '/v3/projects/{project_id}/tags', | 211 | operations=[{'path': '/v3/projects/{project_id}/tags', |
3434 | 220 | 'method': 'PUT'}], | 212 | 'method': 'PUT'}], |
3436 | 221 | deprecated_rule=deprecated_update_project_tag), | 213 | deprecated_rule=deprecated_update_project_tag, |
3437 | 214 | deprecated_reason=TAGS_DEPRECATED_REASON, | ||
3438 | 215 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3439 | 222 | policy.DocumentedRuleDefault( | 216 | policy.DocumentedRuleDefault( |
3440 | 223 | name=base.IDENTITY % 'create_project_tag', | 217 | name=base.IDENTITY % 'create_project_tag', |
3441 | 224 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, | 218 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, |
3442 | @@ -226,7 +220,9 @@ project_policies = [ | |||
3443 | 226 | description='Add a single tag to a project.', | 220 | description='Add a single tag to a project.', |
3444 | 227 | operations=[{'path': '/v3/projects/{project_id}/tags/{value}', | 221 | operations=[{'path': '/v3/projects/{project_id}/tags/{value}', |
3445 | 228 | 'method': 'PUT'}], | 222 | 'method': 'PUT'}], |
3447 | 229 | deprecated_rule=deprecated_create_project_tag), | 223 | deprecated_rule=deprecated_create_project_tag, |
3448 | 224 | deprecated_reason=TAGS_DEPRECATED_REASON, | ||
3449 | 225 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3450 | 230 | policy.DocumentedRuleDefault( | 226 | policy.DocumentedRuleDefault( |
3451 | 231 | name=base.IDENTITY % 'delete_project_tags', | 227 | name=base.IDENTITY % 'delete_project_tags', |
3452 | 232 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, | 228 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, |
3453 | @@ -234,7 +230,9 @@ project_policies = [ | |||
3454 | 234 | description='Remove all tags from a project.', | 230 | description='Remove all tags from a project.', |
3455 | 235 | operations=[{'path': '/v3/projects/{project_id}/tags', | 231 | operations=[{'path': '/v3/projects/{project_id}/tags', |
3456 | 236 | 'method': 'DELETE'}], | 232 | 'method': 'DELETE'}], |
3458 | 237 | deprecated_rule=deprecated_delete_project_tags), | 233 | deprecated_rule=deprecated_delete_project_tags, |
3459 | 234 | deprecated_reason=TAGS_DEPRECATED_REASON, | ||
3460 | 235 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3461 | 238 | policy.DocumentedRuleDefault( | 236 | policy.DocumentedRuleDefault( |
3462 | 239 | name=base.IDENTITY % 'delete_project_tag', | 237 | name=base.IDENTITY % 'delete_project_tag', |
3463 | 240 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, | 238 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN, |
3464 | @@ -242,7 +240,9 @@ project_policies = [ | |||
3465 | 242 | description='Delete a specified tag from project.', | 240 | description='Delete a specified tag from project.', |
3466 | 243 | operations=[{'path': '/v3/projects/{project_id}/tags/{value}', | 241 | operations=[{'path': '/v3/projects/{project_id}/tags/{value}', |
3467 | 244 | 'method': 'DELETE'}], | 242 | 'method': 'DELETE'}], |
3469 | 245 | deprecated_rule=deprecated_delete_project_tag) | 243 | deprecated_rule=deprecated_delete_project_tag, |
3470 | 244 | deprecated_reason=TAGS_DEPRECATED_REASON, | ||
3471 | 245 | deprecated_since=versionutils.deprecated.TRAIN) | ||
3472 | 246 | ] | 246 | ] |
3473 | 247 | 247 | ||
3474 | 248 | 248 | ||
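Review bot: On the new side the `deprecated_reason`/`deprecated_since` keywords are attached to `policy.DocumentedRuleDefault` (diff lines 3349–3350 and the matching pairs below it) while the `policy.DeprecatedRule` definitions at 3250–3333 are reduced to `name` and `check_str`; as far as I know newer oslo.policy releases accept both spellings but treat the `DocumentedRuleDefault` one as the deprecated form and warn at load time, so this layout presumably only matches the oslo.policy version this tarball was released against, and it is worth confirming that the requires.txt change elsewhere in this diff pins accordingly. Since this looks like a re-import of a released upstream tarball rather than a hand edit, I would not change the code here, only check that bound. For deployers it is worth a comment near `project_policies` that while a `deprecated_rule` is attached, oslo.policy still honours the legacy check string (`RULE_ADMIN_REQUIRED`, `RULE_ADMIN_OR_TARGET_PROJECT`, ...) alongside the new scoped `check_str` unless `enforce_new_defaults` is enabled, so the scoped rules shown here are not yet the effective policy on their own. The same observation applies to the project_endpoint.py and protocol.py sections that follow.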
3475 | diff --git a/keystone/common/policies/project_endpoint.py b/keystone/common/policies/project_endpoint.py | |||
3476 | index 86a020e..c04cddd 100644 | |||
3477 | --- a/keystone/common/policies/project_endpoint.py | |||
3478 | +++ b/keystone/common/policies/project_endpoint.py | |||
3479 | @@ -15,49 +15,39 @@ from oslo_policy import policy | |||
3480 | 15 | 15 | ||
3481 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
3482 | 17 | 17 | ||
3483 | 18 | DEPRECATED_REASON = """ | ||
3484 | 19 | As of the Train release, the project endpoint API now understands default | ||
3485 | 20 | roles and system-scoped tokens, making the API more granular by default without | ||
3486 | 21 | compromising security. The new policy defaults account for these changes | ||
3487 | 22 | automatically. Be sure to take these new defaults into consideration if you are | ||
3488 | 23 | relying on overrides in your deployment for the project endpoint API. | ||
3489 | 24 | """ | ||
3490 | 25 | |||
3491 | 26 | deprecated_list_projects_for_endpoint = policy.DeprecatedRule( | 18 | deprecated_list_projects_for_endpoint = policy.DeprecatedRule( |
3492 | 27 | name=base.IDENTITY % 'list_projects_for_endpoint', | 19 | name=base.IDENTITY % 'list_projects_for_endpoint', |
3493 | 28 | check_str=base.RULE_ADMIN_REQUIRED, | 20 | check_str=base.RULE_ADMIN_REQUIRED, |
3494 | 29 | deprecated_reason=DEPRECATED_REASON, | ||
3495 | 30 | deprecated_since=versionutils.deprecated.TRAIN | ||
3496 | 31 | ) | 21 | ) |
3497 | 32 | 22 | ||
3498 | 33 | deprecated_add_endpoint_to_project = policy.DeprecatedRule( | 23 | deprecated_add_endpoint_to_project = policy.DeprecatedRule( |
3499 | 34 | name=base.IDENTITY % 'add_endpoint_to_project', | 24 | name=base.IDENTITY % 'add_endpoint_to_project', |
3500 | 35 | check_str=base.RULE_ADMIN_REQUIRED, | 25 | check_str=base.RULE_ADMIN_REQUIRED, |
3501 | 36 | deprecated_reason=DEPRECATED_REASON, | ||
3502 | 37 | deprecated_since=versionutils.deprecated.TRAIN | ||
3503 | 38 | ) | 26 | ) |
3504 | 39 | 27 | ||
3505 | 40 | deprecated_check_endpoint_in_project = policy.DeprecatedRule( | 28 | deprecated_check_endpoint_in_project = policy.DeprecatedRule( |
3506 | 41 | name=base.IDENTITY % 'check_endpoint_in_project', | 29 | name=base.IDENTITY % 'check_endpoint_in_project', |
3507 | 42 | check_str=base.RULE_ADMIN_REQUIRED, | 30 | check_str=base.RULE_ADMIN_REQUIRED, |
3508 | 43 | deprecated_reason=DEPRECATED_REASON, | ||
3509 | 44 | deprecated_since=versionutils.deprecated.TRAIN | ||
3510 | 45 | ) | 31 | ) |
3511 | 46 | 32 | ||
3512 | 47 | deprecated_list_endpoints_for_project = policy.DeprecatedRule( | 33 | deprecated_list_endpoints_for_project = policy.DeprecatedRule( |
3513 | 48 | name=base.IDENTITY % 'list_endpoints_for_project', | 34 | name=base.IDENTITY % 'list_endpoints_for_project', |
3514 | 49 | check_str=base.RULE_ADMIN_REQUIRED, | 35 | check_str=base.RULE_ADMIN_REQUIRED, |
3515 | 50 | deprecated_reason=DEPRECATED_REASON, | ||
3516 | 51 | deprecated_since=versionutils.deprecated.TRAIN | ||
3517 | 52 | ) | 36 | ) |
3518 | 53 | 37 | ||
3519 | 54 | deprecated_remove_endpoint_from_project = policy.DeprecatedRule( | 38 | deprecated_remove_endpoint_from_project = policy.DeprecatedRule( |
3520 | 55 | name=base.IDENTITY % 'remove_endpoint_from_project', | 39 | name=base.IDENTITY % 'remove_endpoint_from_project', |
3521 | 56 | check_str=base.RULE_ADMIN_REQUIRED, | 40 | check_str=base.RULE_ADMIN_REQUIRED, |
3522 | 57 | deprecated_reason=DEPRECATED_REASON, | ||
3523 | 58 | deprecated_since=versionutils.deprecated.TRAIN | ||
3524 | 59 | ) | 41 | ) |
3525 | 60 | 42 | ||
3526 | 43 | DEPRECATED_REASON = """ | ||
3527 | 44 | As of the Train release, the project endpoint API now understands default | ||
3528 | 45 | roles and system-scoped tokens, making the API more granular by default without | ||
3529 | 46 | compromising security. The new policy defaults account for these changes | ||
3530 | 47 | automatically. Be sure to take these new defaults into consideration if you are | ||
3531 | 48 | relying on overrides in your deployment for the project endpoint API. | ||
3532 | 49 | """ | ||
3533 | 50 | |||
3534 | 61 | 51 | ||
3535 | 62 | project_endpoint_policies = [ | 52 | project_endpoint_policies = [ |
3536 | 63 | 53 | ||
3537 | @@ -73,7 +63,9 @@ project_endpoint_policies = [ | |||
3538 | 73 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/' | 63 | operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/' |
3539 | 74 | 'projects'), | 64 | 'projects'), |
3540 | 75 | 'method': 'GET'}], | 65 | 'method': 'GET'}], |
3542 | 76 | deprecated_rule=deprecated_list_projects_for_endpoint), | 66 | deprecated_rule=deprecated_list_projects_for_endpoint, |
3543 | 67 | deprecated_reason=DEPRECATED_REASON, | ||
3544 | 68 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3545 | 77 | policy.DocumentedRuleDefault( | 69 | policy.DocumentedRuleDefault( |
3546 | 78 | name=base.IDENTITY % 'add_endpoint_to_project', | 70 | name=base.IDENTITY % 'add_endpoint_to_project', |
3547 | 79 | check_str=base.SYSTEM_ADMIN, | 71 | check_str=base.SYSTEM_ADMIN, |
3548 | @@ -82,7 +74,9 @@ project_endpoint_policies = [ | |||
3549 | 82 | operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' | 74 | operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' |
3550 | 83 | 'endpoints/{endpoint_id}'), | 75 | 'endpoints/{endpoint_id}'), |
3551 | 84 | 'method': 'PUT'}], | 76 | 'method': 'PUT'}], |
3553 | 85 | deprecated_rule=deprecated_add_endpoint_to_project), | 77 | deprecated_rule=deprecated_add_endpoint_to_project, |
3554 | 78 | deprecated_reason=DEPRECATED_REASON, | ||
3555 | 79 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3556 | 86 | policy.DocumentedRuleDefault( | 80 | policy.DocumentedRuleDefault( |
3557 | 87 | name=base.IDENTITY % 'check_endpoint_in_project', | 81 | name=base.IDENTITY % 'check_endpoint_in_project', |
3558 | 88 | check_str=base.SYSTEM_READER, | 82 | check_str=base.SYSTEM_READER, |
3559 | @@ -94,7 +88,9 @@ project_endpoint_policies = [ | |||
3560 | 94 | {'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' | 88 | {'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' |
3561 | 95 | 'endpoints/{endpoint_id}'), | 89 | 'endpoints/{endpoint_id}'), |
3562 | 96 | 'method': 'HEAD'}], | 90 | 'method': 'HEAD'}], |
3564 | 97 | deprecated_rule=deprecated_check_endpoint_in_project), | 91 | deprecated_rule=deprecated_check_endpoint_in_project, |
3565 | 92 | deprecated_reason=DEPRECATED_REASON, | ||
3566 | 93 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3567 | 98 | policy.DocumentedRuleDefault( | 94 | policy.DocumentedRuleDefault( |
3568 | 99 | name=base.IDENTITY % 'list_endpoints_for_project', | 95 | name=base.IDENTITY % 'list_endpoints_for_project', |
3569 | 100 | check_str=base.SYSTEM_READER, | 96 | check_str=base.SYSTEM_READER, |
3570 | @@ -103,7 +99,9 @@ project_endpoint_policies = [ | |||
3571 | 103 | operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' | 99 | operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' |
3572 | 104 | 'endpoints'), | 100 | 'endpoints'), |
3573 | 105 | 'method': 'GET'}], | 101 | 'method': 'GET'}], |
3575 | 106 | deprecated_rule=deprecated_list_endpoints_for_project), | 102 | deprecated_rule=deprecated_list_endpoints_for_project, |
3576 | 103 | deprecated_reason=DEPRECATED_REASON, | ||
3577 | 104 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3578 | 107 | policy.DocumentedRuleDefault( | 105 | policy.DocumentedRuleDefault( |
3579 | 108 | name=base.IDENTITY % 'remove_endpoint_from_project', | 106 | name=base.IDENTITY % 'remove_endpoint_from_project', |
3580 | 109 | check_str=base.SYSTEM_ADMIN, | 107 | check_str=base.SYSTEM_ADMIN, |
3581 | @@ -113,7 +111,9 @@ project_endpoint_policies = [ | |||
3582 | 113 | operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' | 111 | operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' |
3583 | 114 | 'endpoints/{endpoint_id}'), | 112 | 'endpoints/{endpoint_id}'), |
3584 | 115 | 'method': 'DELETE'}], | 113 | 'method': 'DELETE'}], |
3586 | 116 | deprecated_rule=deprecated_remove_endpoint_from_project), | 114 | deprecated_rule=deprecated_remove_endpoint_from_project, |
3587 | 115 | deprecated_reason=DEPRECATED_REASON, | ||
3588 | 116 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3589 | 117 | ] | 117 | ] |
3590 | 118 | 118 | ||
3591 | 119 | 119 | ||
3592 | diff --git a/keystone/common/policies/protocol.py b/keystone/common/policies/protocol.py | |||
3593 | index 887fc70..de2a729 100644 | |||
3594 | --- a/keystone/common/policies/protocol.py | |||
3595 | +++ b/keystone/common/policies/protocol.py | |||
3596 | @@ -15,42 +15,31 @@ from oslo_policy import policy | |||
3597 | 15 | 15 | ||
3598 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
3599 | 17 | 17 | ||
3600 | 18 | DEPRECATED_REASON = ( | ||
3601 | 19 | "The federated protocol API is now aware of system scope and default " | ||
3602 | 20 | "roles." | ||
3603 | 21 | ) | ||
3604 | 22 | |||
3605 | 23 | deprecated_get_protocol = policy.DeprecatedRule( | 18 | deprecated_get_protocol = policy.DeprecatedRule( |
3606 | 24 | name=base.IDENTITY % 'get_protocol', | 19 | name=base.IDENTITY % 'get_protocol', |
3610 | 25 | check_str=base.RULE_ADMIN_REQUIRED, | 20 | check_str=base.RULE_ADMIN_REQUIRED |
3608 | 26 | deprecated_reason=DEPRECATED_REASON, | ||
3609 | 27 | deprecated_since=versionutils.deprecated.STEIN | ||
3611 | 28 | ) | 21 | ) |
3612 | 29 | deprecated_list_protocols = policy.DeprecatedRule( | 22 | deprecated_list_protocols = policy.DeprecatedRule( |
3613 | 30 | name=base.IDENTITY % 'list_protocols', | 23 | name=base.IDENTITY % 'list_protocols', |
3617 | 31 | check_str=base.RULE_ADMIN_REQUIRED, | 24 | check_str=base.RULE_ADMIN_REQUIRED |
3615 | 32 | deprecated_reason=DEPRECATED_REASON, | ||
3616 | 33 | deprecated_since=versionutils.deprecated.STEIN | ||
3618 | 34 | ) | 25 | ) |
3619 | 35 | deprecated_update_protocol = policy.DeprecatedRule( | 26 | deprecated_update_protocol = policy.DeprecatedRule( |
3620 | 36 | name=base.IDENTITY % 'update_protocol', | 27 | name=base.IDENTITY % 'update_protocol', |
3624 | 37 | check_str=base.RULE_ADMIN_REQUIRED, | 28 | check_str=base.RULE_ADMIN_REQUIRED |
3622 | 38 | deprecated_reason=DEPRECATED_REASON, | ||
3623 | 39 | deprecated_since=versionutils.deprecated.STEIN | ||
3625 | 40 | ) | 29 | ) |
3626 | 41 | deprecated_create_protocol = policy.DeprecatedRule( | 30 | deprecated_create_protocol = policy.DeprecatedRule( |
3627 | 42 | name=base.IDENTITY % 'create_protocol', | 31 | name=base.IDENTITY % 'create_protocol', |
3631 | 43 | check_str=base.RULE_ADMIN_REQUIRED, | 32 | check_str=base.RULE_ADMIN_REQUIRED |
3629 | 44 | deprecated_reason=DEPRECATED_REASON, | ||
3630 | 45 | deprecated_since=versionutils.deprecated.STEIN | ||
3632 | 46 | ) | 33 | ) |
3633 | 47 | deprecated_delete_protocol = policy.DeprecatedRule( | 34 | deprecated_delete_protocol = policy.DeprecatedRule( |
3634 | 48 | name=base.IDENTITY % 'delete_protocol', | 35 | name=base.IDENTITY % 'delete_protocol', |
3638 | 49 | check_str=base.RULE_ADMIN_REQUIRED, | 36 | check_str=base.RULE_ADMIN_REQUIRED |
3636 | 50 | deprecated_reason=DEPRECATED_REASON, | ||
3637 | 51 | deprecated_since=versionutils.deprecated.STEIN | ||
3639 | 52 | ) | 37 | ) |
3640 | 53 | 38 | ||
3641 | 39 | DEPRECATED_REASON = ( | ||
3642 | 40 | "The federated protocol API is now aware of system scope and default " | ||
3643 | 41 | "roles." | ||
3644 | 42 | ) | ||
3645 | 54 | 43 | ||
3646 | 55 | protocol_policies = [ | 44 | protocol_policies = [ |
3647 | 56 | policy.DocumentedRuleDefault( | 45 | policy.DocumentedRuleDefault( |
3648 | @@ -64,7 +53,9 @@ protocol_policies = [ | |||
3649 | 64 | operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' | 53 | operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' |
3650 | 65 | 'protocols/{protocol_id}'), | 54 | 'protocols/{protocol_id}'), |
3651 | 66 | 'method': 'PUT'}], | 55 | 'method': 'PUT'}], |
3653 | 67 | deprecated_rule=deprecated_create_protocol), | 56 | deprecated_rule=deprecated_create_protocol, |
3654 | 57 | deprecated_reason=DEPRECATED_REASON, | ||
3655 | 58 | deprecated_since=versionutils.deprecated.STEIN), | ||
3656 | 68 | policy.DocumentedRuleDefault( | 59 | policy.DocumentedRuleDefault( |
3657 | 69 | name=base.IDENTITY % 'update_protocol', | 60 | name=base.IDENTITY % 'update_protocol', |
3658 | 70 | check_str=base.SYSTEM_ADMIN, | 61 | check_str=base.SYSTEM_ADMIN, |
3659 | @@ -73,7 +64,9 @@ protocol_policies = [ | |||
3660 | 73 | operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' | 64 | operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' |
3661 | 74 | 'protocols/{protocol_id}'), | 65 | 'protocols/{protocol_id}'), |
3662 | 75 | 'method': 'PATCH'}], | 66 | 'method': 'PATCH'}], |
3664 | 76 | deprecated_rule=deprecated_update_protocol), | 67 | deprecated_rule=deprecated_update_protocol, |
3665 | 68 | deprecated_reason=DEPRECATED_REASON, | ||
3666 | 69 | deprecated_since=versionutils.deprecated.STEIN), | ||
3667 | 77 | policy.DocumentedRuleDefault( | 70 | policy.DocumentedRuleDefault( |
3668 | 78 | name=base.IDENTITY % 'get_protocol', | 71 | name=base.IDENTITY % 'get_protocol', |
3669 | 79 | check_str=base.SYSTEM_READER, | 72 | check_str=base.SYSTEM_READER, |
3670 | @@ -82,7 +75,9 @@ protocol_policies = [ | |||
3671 | 82 | operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' | 75 | operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' |
3672 | 83 | 'protocols/{protocol_id}'), | 76 | 'protocols/{protocol_id}'), |
3673 | 84 | 'method': 'GET'}], | 77 | 'method': 'GET'}], |
3675 | 85 | deprecated_rule=deprecated_get_protocol), | 78 | deprecated_rule=deprecated_get_protocol, |
3676 | 79 | deprecated_reason=DEPRECATED_REASON, | ||
3677 | 80 | deprecated_since=versionutils.deprecated.STEIN), | ||
3678 | 86 | policy.DocumentedRuleDefault( | 81 | policy.DocumentedRuleDefault( |
3679 | 87 | name=base.IDENTITY % 'list_protocols', | 82 | name=base.IDENTITY % 'list_protocols', |
3680 | 88 | check_str=base.SYSTEM_READER, | 83 | check_str=base.SYSTEM_READER, |
3681 | @@ -91,7 +86,9 @@ protocol_policies = [ | |||
3682 | 91 | operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' | 86 | operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' |
3683 | 92 | 'protocols'), | 87 | 'protocols'), |
3684 | 93 | 'method': 'GET'}], | 88 | 'method': 'GET'}], |
3686 | 94 | deprecated_rule=deprecated_list_protocols), | 89 | deprecated_rule=deprecated_list_protocols, |
3687 | 90 | deprecated_reason=DEPRECATED_REASON, | ||
3688 | 91 | deprecated_since=versionutils.deprecated.STEIN), | ||
3689 | 95 | policy.DocumentedRuleDefault( | 92 | policy.DocumentedRuleDefault( |
3690 | 96 | name=base.IDENTITY % 'delete_protocol', | 93 | name=base.IDENTITY % 'delete_protocol', |
3691 | 97 | check_str=base.SYSTEM_ADMIN, | 94 | check_str=base.SYSTEM_ADMIN, |
3692 | @@ -100,7 +97,9 @@ protocol_policies = [ | |||
3693 | 100 | operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' | 97 | operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/' |
3694 | 101 | 'protocols/{protocol_id}'), | 98 | 'protocols/{protocol_id}'), |
3695 | 102 | 'method': 'DELETE'}], | 99 | 'method': 'DELETE'}], |
3697 | 103 | deprecated_rule=deprecated_delete_protocol) | 100 | deprecated_rule=deprecated_delete_protocol, |
3698 | 101 | deprecated_reason=DEPRECATED_REASON, | ||
3699 | 102 | deprecated_since=versionutils.deprecated.STEIN) | ||
3700 | 104 | ] | 103 | ] |
3701 | 105 | 104 | ||
3702 | 106 | 105 | ||
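Review bot: On the new side every `policy.DeprecatedRule` in protocol.py drops its `deprecated_reason`/`deprecated_since` (new lines 18-21) and the `DocumentedRuleDefault` entries carry those keywords instead (new lines 56-58 and onward), which is the older oslo.policy calling convention; newer oslo.policy releases take these keywords on `DeprecatedRule` and, as far as I recall, warn when they are passed to a `RuleDefault` that also has `deprecated_rule`, so the oslo.policy version this package depends on must still accept this form — `keystone.egg-info/requires.txt` appears in the diffstat, but that hunk is outside this view, so please confirm the pin. The same rearrangement is made in the region.py, role.py and role_assignment.py sections below, and evidently in the project_endpoint.py and service.py sections, whose hunks run outside this view. Enforcement looks unchanged either way: while a `deprecated_rule` is attached, oslo.policy (as I understand it) evaluates the new `SYSTEM_*` check_str OR the legacy `RULE_ADMIN_REQUIRED` rule until `[oslo_policy] enforce_new_defaults` is enabled, so the admin-only fallback keeps applying on the new side and operators relying on the stricter reader/admin split need that option set. A short comment above the relocated `DEPRECATED_REASON`, e.g. `# Deprecation metadata is attached to the DocumentedRuleDefault entries (pre-DeprecatedRule oslo.policy form); see requires.txt for the supported oslo.policy range.`, would make the intent of the reordering clear to the next packager.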
3703 | diff --git a/keystone/common/policies/region.py b/keystone/common/policies/region.py | |||
3704 | index f13299d..bf60f8f 100644 | |||
3705 | --- a/keystone/common/policies/region.py | |||
3706 | +++ b/keystone/common/policies/region.py | |||
3707 | @@ -15,29 +15,22 @@ from oslo_policy import policy | |||
3708 | 15 | 15 | ||
3709 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
3710 | 17 | 17 | ||
3711 | 18 | DEPRECATED_REASON = ( | ||
3712 | 19 | "The region API is now aware of system scope and default roles." | ||
3713 | 20 | ) | ||
3714 | 21 | |||
3715 | 22 | deprecated_create_region = policy.DeprecatedRule( | 18 | deprecated_create_region = policy.DeprecatedRule( |
3716 | 23 | name=base.IDENTITY % 'create_region', | 19 | name=base.IDENTITY % 'create_region', |
3720 | 24 | check_str=base.RULE_ADMIN_REQUIRED, | 20 | check_str=base.RULE_ADMIN_REQUIRED |
3718 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
3719 | 26 | deprecated_since=versionutils.deprecated.STEIN | ||
3721 | 27 | ) | 21 | ) |
3722 | 28 | deprecated_update_region = policy.DeprecatedRule( | 22 | deprecated_update_region = policy.DeprecatedRule( |
3723 | 29 | name=base.IDENTITY % 'update_region', | 23 | name=base.IDENTITY % 'update_region', |
3727 | 30 | check_str=base.RULE_ADMIN_REQUIRED, | 24 | check_str=base.RULE_ADMIN_REQUIRED |
3725 | 31 | deprecated_reason=DEPRECATED_REASON, | ||
3726 | 32 | deprecated_since=versionutils.deprecated.STEIN | ||
3728 | 33 | ) | 25 | ) |
3729 | 34 | deprecated_delete_region = policy.DeprecatedRule( | 26 | deprecated_delete_region = policy.DeprecatedRule( |
3730 | 35 | name=base.IDENTITY % 'delete_region', | 27 | name=base.IDENTITY % 'delete_region', |
3734 | 36 | check_str=base.RULE_ADMIN_REQUIRED, | 28 | check_str=base.RULE_ADMIN_REQUIRED |
3732 | 37 | deprecated_reason=DEPRECATED_REASON, | ||
3733 | 38 | deprecated_since=versionutils.deprecated.STEIN | ||
3735 | 39 | ) | 29 | ) |
3736 | 40 | 30 | ||
3737 | 31 | DEPRECATED_REASON = ( | ||
3738 | 32 | "The region API is now aware of system scope and default roles." | ||
3739 | 33 | ) | ||
3740 | 41 | 34 | ||
3741 | 42 | region_policies = [ | 35 | region_policies = [ |
3742 | 43 | policy.DocumentedRuleDefault( | 36 | policy.DocumentedRuleDefault( |
3743 | @@ -73,7 +66,9 @@ region_policies = [ | |||
3744 | 73 | 'method': 'POST'}, | 66 | 'method': 'POST'}, |
3745 | 74 | {'path': '/v3/regions/{region_id}', | 67 | {'path': '/v3/regions/{region_id}', |
3746 | 75 | 'method': 'PUT'}], | 68 | 'method': 'PUT'}], |
3748 | 76 | deprecated_rule=deprecated_create_region), | 69 | deprecated_rule=deprecated_create_region, |
3749 | 70 | deprecated_reason=DEPRECATED_REASON, | ||
3750 | 71 | deprecated_since=versionutils.deprecated.STEIN), | ||
3751 | 77 | policy.DocumentedRuleDefault( | 72 | policy.DocumentedRuleDefault( |
3752 | 78 | name=base.IDENTITY % 'update_region', | 73 | name=base.IDENTITY % 'update_region', |
3753 | 79 | check_str=base.SYSTEM_ADMIN, | 74 | check_str=base.SYSTEM_ADMIN, |
3754 | @@ -81,7 +76,9 @@ region_policies = [ | |||
3755 | 81 | description='Update region.', | 76 | description='Update region.', |
3756 | 82 | operations=[{'path': '/v3/regions/{region_id}', | 77 | operations=[{'path': '/v3/regions/{region_id}', |
3757 | 83 | 'method': 'PATCH'}], | 78 | 'method': 'PATCH'}], |
3759 | 84 | deprecated_rule=deprecated_update_region), | 79 | deprecated_rule=deprecated_update_region, |
3760 | 80 | deprecated_reason=DEPRECATED_REASON, | ||
3761 | 81 | deprecated_since=versionutils.deprecated.STEIN), | ||
3762 | 85 | policy.DocumentedRuleDefault( | 82 | policy.DocumentedRuleDefault( |
3763 | 86 | name=base.IDENTITY % 'delete_region', | 83 | name=base.IDENTITY % 'delete_region', |
3764 | 87 | check_str=base.SYSTEM_ADMIN, | 84 | check_str=base.SYSTEM_ADMIN, |
3765 | @@ -89,7 +86,9 @@ region_policies = [ | |||
3766 | 89 | description='Delete region.', | 86 | description='Delete region.', |
3767 | 90 | operations=[{'path': '/v3/regions/{region_id}', | 87 | operations=[{'path': '/v3/regions/{region_id}', |
3768 | 91 | 'method': 'DELETE'}], | 88 | 'method': 'DELETE'}], |
3770 | 92 | deprecated_rule=deprecated_delete_region), | 89 | deprecated_rule=deprecated_delete_region, |
3771 | 90 | deprecated_reason=DEPRECATED_REASON, | ||
3772 | 91 | deprecated_since=versionutils.deprecated.STEIN), | ||
3773 | 93 | ] | 92 | ] |
3774 | 94 | 93 | ||
3775 | 95 | 94 | ||
3776 | diff --git a/keystone/common/policies/role.py b/keystone/common/policies/role.py | |||
3777 | index b372efb..7d6a38e 100644 | |||
3778 | --- a/keystone/common/policies/role.py | |||
3779 | +++ b/keystone/common/policies/role.py | |||
3780 | @@ -15,71 +15,50 @@ from oslo_policy import policy | |||
3781 | 15 | 15 | ||
3782 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
3783 | 17 | 17 | ||
3784 | 18 | DEPRECATED_REASON = ( | ||
3785 | 19 | "The role API is now aware of system scope and default roles." | ||
3786 | 20 | ) | ||
3787 | 21 | |||
3788 | 22 | deprecated_get_role = policy.DeprecatedRule( | 18 | deprecated_get_role = policy.DeprecatedRule( |
3789 | 23 | name=base.IDENTITY % 'get_role', | 19 | name=base.IDENTITY % 'get_role', |
3793 | 24 | check_str=base.RULE_ADMIN_REQUIRED, | 20 | check_str=base.RULE_ADMIN_REQUIRED |
3791 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
3792 | 26 | deprecated_since=versionutils.deprecated.STEIN | ||
3794 | 27 | ) | 21 | ) |
3795 | 28 | deprecated_list_role = policy.DeprecatedRule( | 22 | deprecated_list_role = policy.DeprecatedRule( |
3796 | 29 | name=base.IDENTITY % 'list_roles', | 23 | name=base.IDENTITY % 'list_roles', |
3800 | 30 | check_str=base.RULE_ADMIN_REQUIRED, | 24 | check_str=base.RULE_ADMIN_REQUIRED |
3798 | 31 | deprecated_reason=DEPRECATED_REASON, | ||
3799 | 32 | deprecated_since=versionutils.deprecated.STEIN | ||
3801 | 33 | ) | 25 | ) |
3802 | 34 | deprecated_update_role = policy.DeprecatedRule( | 26 | deprecated_update_role = policy.DeprecatedRule( |
3803 | 35 | name=base.IDENTITY % 'update_role', | 27 | name=base.IDENTITY % 'update_role', |
3807 | 36 | check_str=base.RULE_ADMIN_REQUIRED, | 28 | check_str=base.RULE_ADMIN_REQUIRED |
3805 | 37 | deprecated_reason=DEPRECATED_REASON, | ||
3806 | 38 | deprecated_since=versionutils.deprecated.STEIN | ||
3808 | 39 | ) | 29 | ) |
3809 | 40 | deprecated_create_role = policy.DeprecatedRule( | 30 | deprecated_create_role = policy.DeprecatedRule( |
3810 | 41 | name=base.IDENTITY % 'create_role', | 31 | name=base.IDENTITY % 'create_role', |
3814 | 42 | check_str=base.RULE_ADMIN_REQUIRED, | 32 | check_str=base.RULE_ADMIN_REQUIRED |
3812 | 43 | deprecated_reason=DEPRECATED_REASON, | ||
3813 | 44 | deprecated_since=versionutils.deprecated.STEIN | ||
3815 | 45 | ) | 33 | ) |
3816 | 46 | deprecated_delete_role = policy.DeprecatedRule( | 34 | deprecated_delete_role = policy.DeprecatedRule( |
3817 | 47 | name=base.IDENTITY % 'delete_role', | 35 | name=base.IDENTITY % 'delete_role', |
3821 | 48 | check_str=base.RULE_ADMIN_REQUIRED, | 36 | check_str=base.RULE_ADMIN_REQUIRED |
3819 | 49 | deprecated_reason=DEPRECATED_REASON, | ||
3820 | 50 | deprecated_since=versionutils.deprecated.STEIN | ||
3822 | 51 | ) | 37 | ) |
3823 | 52 | deprecated_get_domain_role = policy.DeprecatedRule( | 38 | deprecated_get_domain_role = policy.DeprecatedRule( |
3824 | 53 | name=base.IDENTITY % 'get_domain_role', | 39 | name=base.IDENTITY % 'get_domain_role', |
3828 | 54 | check_str=base.RULE_ADMIN_REQUIRED, | 40 | check_str=base.RULE_ADMIN_REQUIRED |
3826 | 55 | deprecated_reason=DEPRECATED_REASON, | ||
3827 | 56 | deprecated_since=versionutils.deprecated.TRAIN | ||
3829 | 57 | ) | 41 | ) |
3830 | 58 | deprecated_list_domain_roles = policy.DeprecatedRule( | 42 | deprecated_list_domain_roles = policy.DeprecatedRule( |
3831 | 59 | name=base.IDENTITY % 'list_domain_roles', | 43 | name=base.IDENTITY % 'list_domain_roles', |
3835 | 60 | check_str=base.RULE_ADMIN_REQUIRED, | 44 | check_str=base.RULE_ADMIN_REQUIRED |
3833 | 61 | deprecated_reason=DEPRECATED_REASON, | ||
3834 | 62 | deprecated_since=versionutils.deprecated.TRAIN | ||
3836 | 63 | ) | 45 | ) |
3837 | 64 | deprecated_update_domain_role = policy.DeprecatedRule( | 46 | deprecated_update_domain_role = policy.DeprecatedRule( |
3838 | 65 | name=base.IDENTITY % 'update_domain_role', | 47 | name=base.IDENTITY % 'update_domain_role', |
3842 | 66 | check_str=base.RULE_ADMIN_REQUIRED, | 48 | check_str=base.RULE_ADMIN_REQUIRED |
3840 | 67 | deprecated_reason=DEPRECATED_REASON, | ||
3841 | 68 | deprecated_since=versionutils.deprecated.TRAIN | ||
3843 | 69 | ) | 49 | ) |
3844 | 70 | deprecated_create_domain_role = policy.DeprecatedRule( | 50 | deprecated_create_domain_role = policy.DeprecatedRule( |
3845 | 71 | name=base.IDENTITY % 'create_domain_role', | 51 | name=base.IDENTITY % 'create_domain_role', |
3849 | 72 | check_str=base.RULE_ADMIN_REQUIRED, | 52 | check_str=base.RULE_ADMIN_REQUIRED |
3847 | 73 | deprecated_reason=DEPRECATED_REASON, | ||
3848 | 74 | deprecated_since=versionutils.deprecated.TRAIN | ||
3850 | 75 | ) | 53 | ) |
3851 | 76 | deprecated_delete_domain_role = policy.DeprecatedRule( | 54 | deprecated_delete_domain_role = policy.DeprecatedRule( |
3852 | 77 | name=base.IDENTITY % 'delete_domain_role', | 55 | name=base.IDENTITY % 'delete_domain_role', |
3856 | 78 | check_str=base.RULE_ADMIN_REQUIRED, | 56 | check_str=base.RULE_ADMIN_REQUIRED |
3854 | 79 | deprecated_reason=DEPRECATED_REASON, | ||
3855 | 80 | deprecated_since=versionutils.deprecated.TRAIN | ||
3857 | 81 | ) | 57 | ) |
3858 | 82 | 58 | ||
3859 | 59 | DEPRECATED_REASON = ( | ||
3860 | 60 | "The role API is now aware of system scope and default roles." | ||
3861 | 61 | ) | ||
3862 | 83 | 62 | ||
3863 | 84 | role_policies = [ | 63 | role_policies = [ |
3864 | 85 | policy.DocumentedRuleDefault( | 64 | policy.DocumentedRuleDefault( |
3865 | @@ -96,7 +75,9 @@ role_policies = [ | |||
3866 | 96 | 'method': 'GET'}, | 75 | 'method': 'GET'}, |
3867 | 97 | {'path': '/v3/roles/{role_id}', | 76 | {'path': '/v3/roles/{role_id}', |
3868 | 98 | 'method': 'HEAD'}], | 77 | 'method': 'HEAD'}], |
3870 | 99 | deprecated_rule=deprecated_get_role), | 78 | deprecated_rule=deprecated_get_role, |
3871 | 79 | deprecated_reason=DEPRECATED_REASON, | ||
3872 | 80 | deprecated_since=versionutils.deprecated.STEIN), | ||
3873 | 100 | policy.DocumentedRuleDefault( | 81 | policy.DocumentedRuleDefault( |
3874 | 101 | name=base.IDENTITY % 'list_roles', | 82 | name=base.IDENTITY % 'list_roles', |
3875 | 102 | check_str=base.SYSTEM_READER, | 83 | check_str=base.SYSTEM_READER, |
3876 | @@ -106,7 +87,9 @@ role_policies = [ | |||
3877 | 106 | 'method': 'GET'}, | 87 | 'method': 'GET'}, |
3878 | 107 | {'path': '/v3/roles', | 88 | {'path': '/v3/roles', |
3879 | 108 | 'method': 'HEAD'}], | 89 | 'method': 'HEAD'}], |
3881 | 109 | deprecated_rule=deprecated_list_role), | 90 | deprecated_rule=deprecated_list_role, |
3882 | 91 | deprecated_reason=DEPRECATED_REASON, | ||
3883 | 92 | deprecated_since=versionutils.deprecated.STEIN), | ||
3884 | 110 | policy.DocumentedRuleDefault( | 93 | policy.DocumentedRuleDefault( |
3885 | 111 | name=base.IDENTITY % 'create_role', | 94 | name=base.IDENTITY % 'create_role', |
3886 | 112 | check_str=base.SYSTEM_ADMIN, | 95 | check_str=base.SYSTEM_ADMIN, |
3887 | @@ -114,7 +97,9 @@ role_policies = [ | |||
3888 | 114 | description='Create role.', | 97 | description='Create role.', |
3889 | 115 | operations=[{'path': '/v3/roles', | 98 | operations=[{'path': '/v3/roles', |
3890 | 116 | 'method': 'POST'}], | 99 | 'method': 'POST'}], |
3892 | 117 | deprecated_rule=deprecated_create_role), | 100 | deprecated_rule=deprecated_create_role, |
3893 | 101 | deprecated_reason=DEPRECATED_REASON, | ||
3894 | 102 | deprecated_since=versionutils.deprecated.STEIN), | ||
3895 | 118 | policy.DocumentedRuleDefault( | 103 | policy.DocumentedRuleDefault( |
3896 | 119 | name=base.IDENTITY % 'update_role', | 104 | name=base.IDENTITY % 'update_role', |
3897 | 120 | check_str=base.SYSTEM_ADMIN, | 105 | check_str=base.SYSTEM_ADMIN, |
3898 | @@ -122,7 +107,9 @@ role_policies = [ | |||
3899 | 122 | description='Update role.', | 107 | description='Update role.', |
3900 | 123 | operations=[{'path': '/v3/roles/{role_id}', | 108 | operations=[{'path': '/v3/roles/{role_id}', |
3901 | 124 | 'method': 'PATCH'}], | 109 | 'method': 'PATCH'}], |
3903 | 125 | deprecated_rule=deprecated_update_role), | 110 | deprecated_rule=deprecated_update_role, |
3904 | 111 | deprecated_reason=DEPRECATED_REASON, | ||
3905 | 112 | deprecated_since=versionutils.deprecated.STEIN), | ||
3906 | 126 | policy.DocumentedRuleDefault( | 113 | policy.DocumentedRuleDefault( |
3907 | 127 | name=base.IDENTITY % 'delete_role', | 114 | name=base.IDENTITY % 'delete_role', |
3908 | 128 | check_str=base.SYSTEM_ADMIN, | 115 | check_str=base.SYSTEM_ADMIN, |
3909 | @@ -130,7 +117,9 @@ role_policies = [ | |||
3910 | 130 | description='Delete role.', | 117 | description='Delete role.', |
3911 | 131 | operations=[{'path': '/v3/roles/{role_id}', | 118 | operations=[{'path': '/v3/roles/{role_id}', |
3912 | 132 | 'method': 'DELETE'}], | 119 | 'method': 'DELETE'}], |
3914 | 133 | deprecated_rule=deprecated_delete_role), | 120 | deprecated_rule=deprecated_delete_role, |
3915 | 121 | deprecated_reason=DEPRECATED_REASON, | ||
3916 | 122 | deprecated_since=versionutils.deprecated.STEIN), | ||
3917 | 134 | policy.DocumentedRuleDefault( | 123 | policy.DocumentedRuleDefault( |
3918 | 135 | name=base.IDENTITY % 'get_domain_role', | 124 | name=base.IDENTITY % 'get_domain_role', |
3919 | 136 | check_str=base.SYSTEM_READER, | 125 | check_str=base.SYSTEM_READER, |
3920 | @@ -145,7 +134,9 @@ role_policies = [ | |||
3921 | 145 | 'method': 'GET'}, | 134 | 'method': 'GET'}, |
3922 | 146 | {'path': '/v3/roles/{role_id}', | 135 | {'path': '/v3/roles/{role_id}', |
3923 | 147 | 'method': 'HEAD'}], | 136 | 'method': 'HEAD'}], |
3925 | 148 | deprecated_rule=deprecated_get_domain_role), | 137 | deprecated_rule=deprecated_get_domain_role, |
3926 | 138 | deprecated_reason=DEPRECATED_REASON, | ||
3927 | 139 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3928 | 149 | policy.DocumentedRuleDefault( | 140 | policy.DocumentedRuleDefault( |
3929 | 150 | name=base.IDENTITY % 'list_domain_roles', | 141 | name=base.IDENTITY % 'list_domain_roles', |
3930 | 151 | check_str=base.SYSTEM_READER, | 142 | check_str=base.SYSTEM_READER, |
3931 | @@ -155,7 +146,9 @@ role_policies = [ | |||
3932 | 155 | 'method': 'GET'}, | 146 | 'method': 'GET'}, |
3933 | 156 | {'path': '/v3/roles?domain_id={domain_id}', | 147 | {'path': '/v3/roles?domain_id={domain_id}', |
3934 | 157 | 'method': 'HEAD'}], | 148 | 'method': 'HEAD'}], |
3936 | 158 | deprecated_rule=deprecated_list_domain_roles), | 149 | deprecated_rule=deprecated_list_domain_roles, |
3937 | 150 | deprecated_reason=DEPRECATED_REASON, | ||
3938 | 151 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3939 | 159 | policy.DocumentedRuleDefault( | 152 | policy.DocumentedRuleDefault( |
3940 | 160 | name=base.IDENTITY % 'create_domain_role', | 153 | name=base.IDENTITY % 'create_domain_role', |
3941 | 161 | check_str=base.SYSTEM_ADMIN, | 154 | check_str=base.SYSTEM_ADMIN, |
3942 | @@ -163,7 +156,9 @@ role_policies = [ | |||
3943 | 163 | scope_types=['system'], | 156 | scope_types=['system'], |
3944 | 164 | operations=[{'path': '/v3/roles', | 157 | operations=[{'path': '/v3/roles', |
3945 | 165 | 'method': 'POST'}], | 158 | 'method': 'POST'}], |
3947 | 166 | deprecated_rule=deprecated_create_domain_role), | 159 | deprecated_rule=deprecated_create_domain_role, |
3948 | 160 | deprecated_reason=DEPRECATED_REASON, | ||
3949 | 161 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3950 | 167 | policy.DocumentedRuleDefault( | 162 | policy.DocumentedRuleDefault( |
3951 | 168 | name=base.IDENTITY % 'update_domain_role', | 163 | name=base.IDENTITY % 'update_domain_role', |
3952 | 169 | check_str=base.SYSTEM_ADMIN, | 164 | check_str=base.SYSTEM_ADMIN, |
3953 | @@ -171,7 +166,9 @@ role_policies = [ | |||
3954 | 171 | scope_types=['system'], | 166 | scope_types=['system'], |
3955 | 172 | operations=[{'path': '/v3/roles/{role_id}', | 167 | operations=[{'path': '/v3/roles/{role_id}', |
3956 | 173 | 'method': 'PATCH'}], | 168 | 'method': 'PATCH'}], |
3958 | 174 | deprecated_rule=deprecated_update_domain_role), | 169 | deprecated_rule=deprecated_update_domain_role, |
3959 | 170 | deprecated_reason=DEPRECATED_REASON, | ||
3960 | 171 | deprecated_since=versionutils.deprecated.TRAIN), | ||
3961 | 175 | policy.DocumentedRuleDefault( | 172 | policy.DocumentedRuleDefault( |
3962 | 176 | name=base.IDENTITY % 'delete_domain_role', | 173 | name=base.IDENTITY % 'delete_domain_role', |
3963 | 177 | check_str=base.SYSTEM_ADMIN, | 174 | check_str=base.SYSTEM_ADMIN, |
3964 | @@ -179,7 +176,9 @@ role_policies = [ | |||
3965 | 179 | scope_types=['system'], | 176 | scope_types=['system'], |
3966 | 180 | operations=[{'path': '/v3/roles/{role_id}', | 177 | operations=[{'path': '/v3/roles/{role_id}', |
3967 | 181 | 'method': 'DELETE'}], | 178 | 'method': 'DELETE'}], |
3969 | 182 | deprecated_rule=deprecated_delete_domain_role) | 179 | deprecated_rule=deprecated_delete_domain_role, |
3970 | 180 | deprecated_reason=DEPRECATED_REASON, | ||
3971 | 181 | deprecated_since=versionutils.deprecated.TRAIN) | ||
3972 | 183 | ] | 182 | ] |
3973 | 184 | 183 | ||
3974 | 185 | 184 | ||
3975 | diff --git a/keystone/common/policies/role_assignment.py b/keystone/common/policies/role_assignment.py | |||
3976 | index 5dea3dc..c70f292 100644 | |||
3977 | --- a/keystone/common/policies/role_assignment.py | |||
3978 | +++ b/keystone/common/policies/role_assignment.py | |||
3979 | @@ -25,23 +25,18 @@ SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN = ( | |||
3980 | 25 | '(role:admin and project_id:%(target.project.id)s)' | 25 | '(role:admin and project_id:%(target.project.id)s)' |
3981 | 26 | ) | 26 | ) |
3982 | 27 | 27 | ||
3983 | 28 | DEPRECATED_REASON = ( | ||
3984 | 29 | "The assignment API is now aware of system scope and default roles." | ||
3985 | 30 | ) | ||
3986 | 31 | |||
3987 | 32 | deprecated_list_role_assignments = policy.DeprecatedRule( | 28 | deprecated_list_role_assignments = policy.DeprecatedRule( |
3988 | 33 | name=base.IDENTITY % 'list_role_assignments', | 29 | name=base.IDENTITY % 'list_role_assignments', |
3992 | 34 | check_str=base.RULE_ADMIN_REQUIRED, | 30 | check_str=base.RULE_ADMIN_REQUIRED |
3990 | 35 | deprecated_reason=DEPRECATED_REASON, | ||
3991 | 36 | deprecated_since=versionutils.deprecated.STEIN | ||
3993 | 37 | ) | 31 | ) |
3994 | 38 | deprecated_list_role_assignments_for_tree = policy.DeprecatedRule( | 32 | deprecated_list_role_assignments_for_tree = policy.DeprecatedRule( |
3995 | 39 | name=base.IDENTITY % 'list_role_assignments_for_tree', | 33 | name=base.IDENTITY % 'list_role_assignments_for_tree', |
3999 | 40 | check_str=base.RULE_ADMIN_REQUIRED, | 34 | check_str=base.RULE_ADMIN_REQUIRED |
3997 | 41 | deprecated_reason=DEPRECATED_REASON, | ||
3998 | 42 | deprecated_since=versionutils.deprecated.TRAIN | ||
4000 | 43 | ) | 35 | ) |
4001 | 44 | 36 | ||
4002 | 37 | DEPRECATED_REASON = ( | ||
4003 | 38 | "The assignment API is now aware of system scope and default roles." | ||
4004 | 39 | ) | ||
4005 | 45 | 40 | ||
4006 | 46 | role_assignment_policies = [ | 41 | role_assignment_policies = [ |
4007 | 47 | policy.DocumentedRuleDefault( | 42 | policy.DocumentedRuleDefault( |
4008 | @@ -53,7 +48,9 @@ role_assignment_policies = [ | |||
4009 | 53 | 'method': 'GET'}, | 48 | 'method': 'GET'}, |
4010 | 54 | {'path': '/v3/role_assignments', | 49 | {'path': '/v3/role_assignments', |
4011 | 55 | 'method': 'HEAD'}], | 50 | 'method': 'HEAD'}], |
4013 | 56 | deprecated_rule=deprecated_list_role_assignments), | 51 | deprecated_rule=deprecated_list_role_assignments, |
4014 | 52 | deprecated_reason=DEPRECATED_REASON, | ||
4015 | 53 | deprecated_since=versionutils.deprecated.STEIN), | ||
4016 | 57 | policy.DocumentedRuleDefault( | 54 | policy.DocumentedRuleDefault( |
4017 | 58 | name=base.IDENTITY % 'list_role_assignments_for_tree', | 55 | name=base.IDENTITY % 'list_role_assignments_for_tree', |
4018 | 59 | check_str=SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN, | 56 | check_str=SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN, |
4019 | @@ -64,7 +61,9 @@ role_assignment_policies = [ | |||
4020 | 64 | 'method': 'GET'}, | 61 | 'method': 'GET'}, |
4021 | 65 | {'path': '/v3/role_assignments?include_subtree', | 62 | {'path': '/v3/role_assignments?include_subtree', |
4022 | 66 | 'method': 'HEAD'}], | 63 | 'method': 'HEAD'}], |
4024 | 67 | deprecated_rule=deprecated_list_role_assignments_for_tree), | 64 | deprecated_rule=deprecated_list_role_assignments_for_tree, |
4025 | 65 | deprecated_reason=DEPRECATED_REASON, | ||
4026 | 66 | deprecated_since=versionutils.deprecated.TRAIN), | ||
4027 | 68 | 67 | ||
4028 | 69 | ] | 68 | ] |
4029 | 70 | 69 | ||
4030 | diff --git a/keystone/common/policies/service.py b/keystone/common/policies/service.py | |||
4031 | index 0287076..66d3aaa 100644 | |||
4032 | --- a/keystone/common/policies/service.py | |||
4033 | +++ b/keystone/common/policies/service.py | |||
4034 | @@ -15,41 +15,30 @@ from oslo_policy import policy | |||
4035 | 15 | 15 | ||
4036 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
4037 | 17 | 17 | ||
4038 | 18 | DEPRECATED_REASON = ( | ||
4039 | 19 | "The service API is now aware of system scope and default roles." | ||
4040 | 20 | ) | ||
4041 | 21 | |||
4042 | 22 | deprecated_get_service = policy.DeprecatedRule( | 18 | deprecated_get_service = policy.DeprecatedRule( |
4043 | 23 | name=base.IDENTITY % 'get_service', | 19 | name=base.IDENTITY % 'get_service', |
4047 | 24 | check_str=base.RULE_ADMIN_REQUIRED, | 20 | check_str=base.RULE_ADMIN_REQUIRED |
4045 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
4046 | 26 | deprecated_since=versionutils.deprecated.STEIN | ||
4048 | 27 | ) | 21 | ) |
4049 | 28 | deprecated_list_service = policy.DeprecatedRule( | 22 | deprecated_list_service = policy.DeprecatedRule( |
4050 | 29 | name=base.IDENTITY % 'list_services', | 23 | name=base.IDENTITY % 'list_services', |
4054 | 30 | check_str=base.RULE_ADMIN_REQUIRED, | 24 | check_str=base.RULE_ADMIN_REQUIRED |
4052 | 31 | deprecated_reason=DEPRECATED_REASON, | ||
4053 | 32 | deprecated_since=versionutils.deprecated.STEIN | ||
4055 | 33 | ) | 25 | ) |
4056 | 34 | deprecated_update_service = policy.DeprecatedRule( | 26 | deprecated_update_service = policy.DeprecatedRule( |
4057 | 35 | name=base.IDENTITY % 'update_service', | 27 | name=base.IDENTITY % 'update_service', |
4061 | 36 | check_str=base.RULE_ADMIN_REQUIRED, | 28 | check_str=base.RULE_ADMIN_REQUIRED |
4059 | 37 | deprecated_reason=DEPRECATED_REASON, | ||
4060 | 38 | deprecated_since=versionutils.deprecated.STEIN | ||
4062 | 39 | ) | 29 | ) |
4063 | 40 | deprecated_create_service = policy.DeprecatedRule( | 30 | deprecated_create_service = policy.DeprecatedRule( |
4064 | 41 | name=base.IDENTITY % 'create_service', | 31 | name=base.IDENTITY % 'create_service', |
4068 | 42 | check_str=base.RULE_ADMIN_REQUIRED, | 32 | check_str=base.RULE_ADMIN_REQUIRED |
4066 | 43 | deprecated_reason=DEPRECATED_REASON, | ||
4067 | 44 | deprecated_since=versionutils.deprecated.STEIN | ||
4069 | 45 | ) | 33 | ) |
4070 | 46 | deprecated_delete_service = policy.DeprecatedRule( | 34 | deprecated_delete_service = policy.DeprecatedRule( |
4071 | 47 | name=base.IDENTITY % 'delete_service', | 35 | name=base.IDENTITY % 'delete_service', |
4075 | 48 | check_str=base.RULE_ADMIN_REQUIRED, | 36 | check_str=base.RULE_ADMIN_REQUIRED |
4073 | 49 | deprecated_reason=DEPRECATED_REASON, | ||
4074 | 50 | deprecated_since=versionutils.deprecated.STEIN | ||
4076 | 51 | ) | 37 | ) |
4077 | 52 | 38 | ||
4078 | 39 | DEPRECATED_REASON = ( | ||
4079 | 40 | "The service API is now aware of system scope and default roles." | ||
4080 | 41 | ) | ||
4081 | 53 | 42 | ||
4082 | 54 | service_policies = [ | 43 | service_policies = [ |
4083 | 55 | policy.DocumentedRuleDefault( | 44 | policy.DocumentedRuleDefault( |
4084 | @@ -59,7 +48,9 @@ service_policies = [ | |||
4085 | 59 | description='Show service details.', | 48 | description='Show service details.', |
4086 | 60 | operations=[{'path': '/v3/services/{service_id}', | 49 | operations=[{'path': '/v3/services/{service_id}', |
4087 | 61 | 'method': 'GET'}], | 50 | 'method': 'GET'}], |
4089 | 62 | deprecated_rule=deprecated_get_service), | 51 | deprecated_rule=deprecated_get_service, |
4090 | 52 | deprecated_reason=DEPRECATED_REASON, | ||
4091 | 53 | deprecated_since=versionutils.deprecated.STEIN), | ||
4092 | 63 | policy.DocumentedRuleDefault( | 54 | policy.DocumentedRuleDefault( |
4093 | 64 | name=base.IDENTITY % 'list_services', | 55 | name=base.IDENTITY % 'list_services', |
4094 | 65 | check_str=base.SYSTEM_READER, | 56 | check_str=base.SYSTEM_READER, |
4095 | @@ -67,7 +58,9 @@ service_policies = [ | |||
4096 | 67 | description='List services.', | 58 | description='List services.', |
4097 | 68 | operations=[{'path': '/v3/services', | 59 | operations=[{'path': '/v3/services', |
4098 | 69 | 'method': 'GET'}], | 60 | 'method': 'GET'}], |
4100 | 70 | deprecated_rule=deprecated_list_service), | 61 | deprecated_rule=deprecated_list_service, |
4101 | 62 | deprecated_reason=DEPRECATED_REASON, | ||
4102 | 63 | deprecated_since=versionutils.deprecated.STEIN), | ||
4103 | 71 | policy.DocumentedRuleDefault( | 64 | policy.DocumentedRuleDefault( |
4104 | 72 | name=base.IDENTITY % 'create_service', | 65 | name=base.IDENTITY % 'create_service', |
4105 | 73 | check_str=base.SYSTEM_ADMIN, | 66 | check_str=base.SYSTEM_ADMIN, |
4106 | @@ -75,7 +68,9 @@ service_policies = [ | |||
4107 | 75 | description='Create service.', | 68 | description='Create service.', |
4108 | 76 | operations=[{'path': '/v3/services', | 69 | operations=[{'path': '/v3/services', |
4109 | 77 | 'method': 'POST'}], | 70 | 'method': 'POST'}], |
4111 | 78 | deprecated_rule=deprecated_create_service), | 71 | deprecated_rule=deprecated_create_service, |
4112 | 72 | deprecated_reason=DEPRECATED_REASON, | ||
4113 | 73 | deprecated_since=versionutils.deprecated.STEIN), | ||
4114 | 79 | policy.DocumentedRuleDefault( | 74 | policy.DocumentedRuleDefault( |
4115 | 80 | name=base.IDENTITY % 'update_service', | 75 | name=base.IDENTITY % 'update_service', |
4116 | 81 | check_str=base.SYSTEM_ADMIN, | 76 | check_str=base.SYSTEM_ADMIN, |
4117 | @@ -83,7 +78,9 @@ service_policies = [ | |||
4118 | 83 | description='Update service.', | 78 | description='Update service.', |
4119 | 84 | operations=[{'path': '/v3/services/{service_id}', | 79 | operations=[{'path': '/v3/services/{service_id}', |
4120 | 85 | 'method': 'PATCH'}], | 80 | 'method': 'PATCH'}], |
4122 | 86 | deprecated_rule=deprecated_update_service), | 81 | deprecated_rule=deprecated_update_service, |
4123 | 82 | deprecated_reason=DEPRECATED_REASON, | ||
4124 | 83 | deprecated_since=versionutils.deprecated.STEIN), | ||
4125 | 87 | policy.DocumentedRuleDefault( | 84 | policy.DocumentedRuleDefault( |
4126 | 88 | name=base.IDENTITY % 'delete_service', | 85 | name=base.IDENTITY % 'delete_service', |
4127 | 89 | check_str=base.SYSTEM_ADMIN, | 86 | check_str=base.SYSTEM_ADMIN, |
4128 | @@ -91,7 +88,9 @@ service_policies = [ | |||
4129 | 91 | description='Delete service.', | 88 | description='Delete service.', |
4130 | 92 | operations=[{'path': '/v3/services/{service_id}', | 89 | operations=[{'path': '/v3/services/{service_id}', |
4131 | 93 | 'method': 'DELETE'}], | 90 | 'method': 'DELETE'}], |
4133 | 94 | deprecated_rule=deprecated_delete_service) | 91 | deprecated_rule=deprecated_delete_service, |
4134 | 92 | deprecated_reason=DEPRECATED_REASON, | ||
4135 | 93 | deprecated_since=versionutils.deprecated.STEIN) | ||
4136 | 95 | ] | 94 | ] |
4137 | 96 | 95 | ||
4138 | 97 | 96 | ||
4139 | diff --git a/keystone/common/policies/service_provider.py b/keystone/common/policies/service_provider.py | |||
4140 | index 657368a..4d0e3cb 100644 | |||
4141 | --- a/keystone/common/policies/service_provider.py | |||
4142 | +++ b/keystone/common/policies/service_provider.py | |||
4143 | @@ -15,41 +15,30 @@ from oslo_policy import policy | |||
4144 | 15 | 15 | ||
4145 | 16 | from keystone.common.policies import base | 16 | from keystone.common.policies import base |
4146 | 17 | 17 | ||
4147 | 18 | DEPRECATED_REASON = ( | ||
4148 | 19 | "The service provider API is now aware of system scope and default roles." | ||
4149 | 20 | ) | ||
4150 | 21 | |||
4151 | 22 | deprecated_get_sp = policy.DeprecatedRule( | 18 | deprecated_get_sp = policy.DeprecatedRule( |
4152 | 23 | name=base.IDENTITY % 'get_service_provider', | 19 | name=base.IDENTITY % 'get_service_provider', |
4156 | 24 | check_str=base.RULE_ADMIN_REQUIRED, | 20 | check_str=base.RULE_ADMIN_REQUIRED |
4154 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
4155 | 26 | deprecated_since=versionutils.deprecated.STEIN | ||
4157 | 27 | ) | 21 | ) |
4158 | 28 | deprecated_list_sp = policy.DeprecatedRule( | 22 | deprecated_list_sp = policy.DeprecatedRule( |
4159 | 29 | name=base.IDENTITY % 'list_service_providers', | 23 | name=base.IDENTITY % 'list_service_providers', |
4163 | 30 | check_str=base.RULE_ADMIN_REQUIRED, | 24 | check_str=base.RULE_ADMIN_REQUIRED |
4161 | 31 | deprecated_reason=DEPRECATED_REASON, | ||
4162 | 32 | deprecated_since=versionutils.deprecated.STEIN | ||
4164 | 33 | ) | 25 | ) |
4165 | 34 | deprecated_update_sp = policy.DeprecatedRule( | 26 | deprecated_update_sp = policy.DeprecatedRule( |
4166 | 35 | name=base.IDENTITY % 'update_service_provider', | 27 | name=base.IDENTITY % 'update_service_provider', |
4170 | 36 | check_str=base.RULE_ADMIN_REQUIRED, | 28 | check_str=base.RULE_ADMIN_REQUIRED |
4168 | 37 | deprecated_reason=DEPRECATED_REASON, | ||
4169 | 38 | deprecated_since=versionutils.deprecated.STEIN | ||
4171 | 39 | ) | 29 | ) |
4172 | 40 | deprecated_create_sp = policy.DeprecatedRule( | 30 | deprecated_create_sp = policy.DeprecatedRule( |
4173 | 41 | name=base.IDENTITY % 'create_service_provider', | 31 | name=base.IDENTITY % 'create_service_provider', |
4177 | 42 | check_str=base.RULE_ADMIN_REQUIRED, | 32 | check_str=base.RULE_ADMIN_REQUIRED |
4175 | 43 | deprecated_reason=DEPRECATED_REASON, | ||
4176 | 44 | deprecated_since=versionutils.deprecated.STEIN | ||
4178 | 45 | ) | 33 | ) |
4179 | 46 | deprecated_delete_sp = policy.DeprecatedRule( | 34 | deprecated_delete_sp = policy.DeprecatedRule( |
4180 | 47 | name=base.IDENTITY % 'delete_service_provider', | 35 | name=base.IDENTITY % 'delete_service_provider', |
4184 | 48 | check_str=base.RULE_ADMIN_REQUIRED, | 36 | check_str=base.RULE_ADMIN_REQUIRED |
4182 | 49 | deprecated_reason=DEPRECATED_REASON, | ||
4183 | 50 | deprecated_since=versionutils.deprecated.STEIN | ||
4185 | 51 | ) | 37 | ) |
4186 | 52 | 38 | ||
4187 | 39 | DEPRECATED_REASON = ( | ||
4188 | 40 | "The service provider API is now aware of system scope and default roles." | ||
4189 | 41 | ) | ||
4190 | 53 | 42 | ||
4191 | 54 | service_provider_policies = [ | 43 | service_provider_policies = [ |
4192 | 55 | policy.DocumentedRuleDefault( | 44 | policy.DocumentedRuleDefault( |
4193 | @@ -66,7 +55,9 @@ service_provider_policies = [ | |||
4194 | 66 | operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' | 55 | operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' |
4195 | 67 | '{service_provider_id}'), | 56 | '{service_provider_id}'), |
4196 | 68 | 'method': 'PUT'}], | 57 | 'method': 'PUT'}], |
4198 | 69 | deprecated_rule=deprecated_create_sp), | 58 | deprecated_rule=deprecated_create_sp, |
4199 | 59 | deprecated_reason=DEPRECATED_REASON, | ||
4200 | 60 | deprecated_since=versionutils.deprecated.STEIN), | ||
4201 | 70 | policy.DocumentedRuleDefault( | 61 | policy.DocumentedRuleDefault( |
4202 | 71 | name=base.IDENTITY % 'list_service_providers', | 62 | name=base.IDENTITY % 'list_service_providers', |
4203 | 72 | check_str=base.SYSTEM_READER, | 63 | check_str=base.SYSTEM_READER, |
4204 | @@ -82,7 +73,9 @@ service_provider_policies = [ | |||
4205 | 82 | 'method': 'HEAD' | 73 | 'method': 'HEAD' |
4206 | 83 | } | 74 | } |
4207 | 84 | ], | 75 | ], |
4209 | 85 | deprecated_rule=deprecated_list_sp | 76 | deprecated_rule=deprecated_list_sp, |
4210 | 77 | deprecated_reason=DEPRECATED_REASON, | ||
4211 | 78 | deprecated_since=versionutils.deprecated.STEIN | ||
4212 | 86 | ), | 79 | ), |
4213 | 87 | policy.DocumentedRuleDefault( | 80 | policy.DocumentedRuleDefault( |
4214 | 88 | name=base.IDENTITY % 'get_service_provider', | 81 | name=base.IDENTITY % 'get_service_provider', |
4215 | @@ -101,7 +94,9 @@ service_provider_policies = [ | |||
4216 | 101 | 'method': 'HEAD' | 94 | 'method': 'HEAD' |
4217 | 102 | } | 95 | } |
4218 | 103 | ], | 96 | ], |
4220 | 104 | deprecated_rule=deprecated_get_sp | 97 | deprecated_rule=deprecated_get_sp, |
4221 | 98 | deprecated_reason=DEPRECATED_REASON, | ||
4222 | 99 | deprecated_since=versionutils.deprecated.STEIN | ||
4223 | 105 | ), | 100 | ), |
4224 | 106 | policy.DocumentedRuleDefault( | 101 | policy.DocumentedRuleDefault( |
4225 | 107 | name=base.IDENTITY % 'update_service_provider', | 102 | name=base.IDENTITY % 'update_service_provider', |
4226 | @@ -111,7 +106,9 @@ service_provider_policies = [ | |||
4227 | 111 | operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' | 106 | operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' |
4228 | 112 | '{service_provider_id}'), | 107 | '{service_provider_id}'), |
4229 | 113 | 'method': 'PATCH'}], | 108 | 'method': 'PATCH'}], |
4231 | 114 | deprecated_rule=deprecated_update_sp), | 109 | deprecated_rule=deprecated_update_sp, |
4232 | 110 | deprecated_reason=DEPRECATED_REASON, | ||
4233 | 111 | deprecated_since=versionutils.deprecated.STEIN), | ||
4234 | 115 | policy.DocumentedRuleDefault( | 112 | policy.DocumentedRuleDefault( |
4235 | 116 | name=base.IDENTITY % 'delete_service_provider', | 113 | name=base.IDENTITY % 'delete_service_provider', |
4236 | 117 | check_str=base.SYSTEM_ADMIN, | 114 | check_str=base.SYSTEM_ADMIN, |
4237 | @@ -120,7 +117,9 @@ service_provider_policies = [ | |||
4238 | 120 | operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' | 117 | operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' |
4239 | 121 | '{service_provider_id}'), | 118 | '{service_provider_id}'), |
4240 | 122 | 'method': 'DELETE'}], | 119 | 'method': 'DELETE'}], |
4242 | 123 | deprecated_rule=deprecated_delete_sp) | 120 | deprecated_rule=deprecated_delete_sp, |
4243 | 121 | deprecated_reason=DEPRECATED_REASON, | ||
4244 | 122 | deprecated_since=versionutils.deprecated.STEIN) | ||
4245 | 124 | ] | 123 | ] |
4246 | 125 | 124 | ||
4247 | 126 | 125 | ||
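Review bot: On the new side every `deprecated_reason=`/`deprecated_since=` pair is attached to `policy.DocumentedRuleDefault` (new lines 58-60, 77-78, 98-99, 110-111, 121-122) while the `DeprecatedRule` objects above carry only `name` and `check_str`; as far as I recall, recent oslo.policy releases expect those two attributes on `DeprecatedRule` and warn per rule at load time when they are passed to the rule default instead, so this form should be checked against the oslo.policy version the package will be built with. The `DEPRECATED_REASON` constant is also now defined after the deprecated rules (new lines 39-41), whereas the token.py and user.py hunk headers show it defined before them; moving it back above `deprecated_get_sp` would keep the policy modules consistent. Neither point changes which check string is enforced: with `enforce_new_defaults` off, oslo.policy still ORs the deprecated `RULE_ADMIN_REQUIRED` check with the new `SYSTEM_*` check on both sides.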
4248 | diff --git a/keystone/common/policies/token.py b/keystone/common/policies/token.py | |||
4249 | index cb321b0..9fa3c52 100644 | |||
4250 | --- a/keystone/common/policies/token.py | |||
4251 | +++ b/keystone/common/policies/token.py | |||
4252 | @@ -21,21 +21,15 @@ DEPRECATED_REASON = ( | |||
4253 | 21 | 21 | ||
4254 | 22 | deprecated_check_token = policy.DeprecatedRule( | 22 | deprecated_check_token = policy.DeprecatedRule( |
4255 | 23 | name=base.IDENTITY % 'check_token', | 23 | name=base.IDENTITY % 'check_token', |
4259 | 24 | check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT, | 24 | check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT |
4257 | 25 | deprecated_reason=DEPRECATED_REASON, | ||
4258 | 26 | deprecated_since=versionutils.deprecated.TRAIN | ||
4260 | 27 | ) | 25 | ) |
4261 | 28 | deprecated_validate_token = policy.DeprecatedRule( | 26 | deprecated_validate_token = policy.DeprecatedRule( |
4262 | 29 | name=base.IDENTITY % 'validate_token', | 27 | name=base.IDENTITY % 'validate_token', |
4266 | 30 | check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT, | 28 | check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT |
4264 | 31 | deprecated_reason=DEPRECATED_REASON, | ||
4265 | 32 | deprecated_since=versionutils.deprecated.TRAIN | ||
4267 | 33 | ) | 29 | ) |
4268 | 34 | deprecated_revoke_token = policy.DeprecatedRule( | 30 | deprecated_revoke_token = policy.DeprecatedRule( |
4269 | 35 | name=base.IDENTITY % 'revoke_token', | 31 | name=base.IDENTITY % 'revoke_token', |
4273 | 36 | check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT, | 32 | check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT |
4271 | 37 | deprecated_reason=DEPRECATED_REASON, | ||
4272 | 38 | deprecated_since=versionutils.deprecated.TRAIN | ||
4274 | 39 | ) | 33 | ) |
4275 | 40 | 34 | ||
4276 | 41 | SYSTEM_ADMIN_OR_TOKEN_SUBJECT = ( | 35 | SYSTEM_ADMIN_OR_TOKEN_SUBJECT = ( |
4277 | @@ -58,7 +52,9 @@ token_policies = [ | |||
4278 | 58 | description='Check a token.', | 52 | description='Check a token.', |
4279 | 59 | operations=[{'path': '/v3/auth/tokens', | 53 | operations=[{'path': '/v3/auth/tokens', |
4280 | 60 | 'method': 'HEAD'}], | 54 | 'method': 'HEAD'}], |
4282 | 61 | deprecated_rule=deprecated_check_token), | 55 | deprecated_rule=deprecated_check_token, |
4283 | 56 | deprecated_reason=DEPRECATED_REASON, | ||
4284 | 57 | deprecated_since=versionutils.deprecated.TRAIN), | ||
4285 | 62 | policy.DocumentedRuleDefault( | 58 | policy.DocumentedRuleDefault( |
4286 | 63 | name=base.IDENTITY % 'validate_token', | 59 | name=base.IDENTITY % 'validate_token', |
4287 | 64 | check_str=SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT, | 60 | check_str=SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT, |
4288 | @@ -66,7 +62,9 @@ token_policies = [ | |||
4289 | 66 | description='Validate a token.', | 62 | description='Validate a token.', |
4290 | 67 | operations=[{'path': '/v3/auth/tokens', | 63 | operations=[{'path': '/v3/auth/tokens', |
4291 | 68 | 'method': 'GET'}], | 64 | 'method': 'GET'}], |
4293 | 69 | deprecated_rule=deprecated_validate_token), | 65 | deprecated_rule=deprecated_validate_token, |
4294 | 66 | deprecated_reason=DEPRECATED_REASON, | ||
4295 | 67 | deprecated_since=versionutils.deprecated.TRAIN), | ||
4296 | 70 | policy.DocumentedRuleDefault( | 68 | policy.DocumentedRuleDefault( |
4297 | 71 | name=base.IDENTITY % 'revoke_token', | 69 | name=base.IDENTITY % 'revoke_token', |
4298 | 72 | check_str=SYSTEM_ADMIN_OR_TOKEN_SUBJECT, | 70 | check_str=SYSTEM_ADMIN_OR_TOKEN_SUBJECT, |
4299 | @@ -74,7 +72,9 @@ token_policies = [ | |||
4300 | 74 | description='Revoke a token.', | 72 | description='Revoke a token.', |
4301 | 75 | operations=[{'path': '/v3/auth/tokens', | 73 | operations=[{'path': '/v3/auth/tokens', |
4302 | 76 | 'method': 'DELETE'}], | 74 | 'method': 'DELETE'}], |
4304 | 77 | deprecated_rule=deprecated_revoke_token) | 75 | deprecated_rule=deprecated_revoke_token, |
4305 | 76 | deprecated_reason=DEPRECATED_REASON, | ||
4306 | 77 | deprecated_since=versionutils.deprecated.TRAIN) | ||
4307 | 78 | ] | 78 | ] |
4308 | 79 | 79 | ||
4309 | 80 | 80 | ||
4310 | diff --git a/keystone/common/policies/trust.py b/keystone/common/policies/trust.py | |||
4311 | index 7678106..82acb0a 100644 | |||
4312 | --- a/keystone/common/policies/trust.py | |||
4313 | +++ b/keystone/common/policies/trust.py | |||
4314 | @@ -24,39 +24,29 @@ SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR | |||
4315 | 24 | SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE | 24 | SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE |
4316 | 25 | SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR | 25 | SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR |
4317 | 26 | 26 | ||
4318 | 27 | DEPRECATED_REASON = ( | ||
4319 | 28 | "The trust API is now aware of system scope and default roles." | ||
4320 | 29 | ) | ||
4321 | 30 | |||
4322 | 31 | deprecated_list_trusts = policy.DeprecatedRule( | 27 | deprecated_list_trusts = policy.DeprecatedRule( |
4323 | 32 | name=base.IDENTITY % 'list_trusts', | 28 | name=base.IDENTITY % 'list_trusts', |
4327 | 33 | check_str=base.RULE_ADMIN_REQUIRED, | 29 | check_str=base.RULE_ADMIN_REQUIRED |
4325 | 34 | deprecated_reason=DEPRECATED_REASON, | ||
4326 | 35 | deprecated_since=versionutils.deprecated.TRAIN | ||
4328 | 36 | ) | 30 | ) |
4329 | 37 | deprecated_list_roles_for_trust = policy.DeprecatedRule( | 31 | deprecated_list_roles_for_trust = policy.DeprecatedRule( |
4330 | 38 | name=base.IDENTITY % 'list_roles_for_trust', | 32 | name=base.IDENTITY % 'list_roles_for_trust', |
4334 | 39 | check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE, | 33 | check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE |
4332 | 40 | deprecated_reason=DEPRECATED_REASON, | ||
4333 | 41 | deprecated_since=versionutils.deprecated.TRAIN | ||
4335 | 42 | ) | 34 | ) |
4336 | 43 | deprecated_get_role_for_trust = policy.DeprecatedRule( | 35 | deprecated_get_role_for_trust = policy.DeprecatedRule( |
4337 | 44 | name=base.IDENTITY % 'get_role_for_trust', | 36 | name=base.IDENTITY % 'get_role_for_trust', |
4341 | 45 | check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE, | 37 | check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE |
4339 | 46 | deprecated_reason=DEPRECATED_REASON, | ||
4340 | 47 | deprecated_since=versionutils.deprecated.TRAIN | ||
4342 | 48 | ) | 38 | ) |
4343 | 49 | deprecated_delete_trust = policy.DeprecatedRule( | 39 | deprecated_delete_trust = policy.DeprecatedRule( |
4344 | 50 | name=base.IDENTITY % 'delete_trust', | 40 | name=base.IDENTITY % 'delete_trust', |
4348 | 51 | check_str=RULE_TRUSTOR, | 41 | check_str=RULE_TRUSTOR |
4346 | 52 | deprecated_reason=DEPRECATED_REASON, | ||
4347 | 53 | deprecated_since=versionutils.deprecated.TRAIN | ||
4349 | 54 | ) | 42 | ) |
4350 | 55 | deprecated_get_trust = policy.DeprecatedRule( | 43 | deprecated_get_trust = policy.DeprecatedRule( |
4351 | 56 | name=base.IDENTITY % 'get_trust', | 44 | name=base.IDENTITY % 'get_trust', |
4355 | 57 | check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE, | 45 | check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE |
4356 | 58 | deprecated_reason=DEPRECATED_REASON, | 46 | ) |
4357 | 59 | deprecated_since=versionutils.deprecated.TRAIN | 47 | |
4358 | 48 | DEPRECATED_REASON = ( | ||
4359 | 49 | "The trust API is now aware of system scope and default roles." | ||
4360 | 60 | ) | 50 | ) |
4361 | 61 | 51 | ||
4362 | 62 | trust_policies = [ | 52 | trust_policies = [ |
4363 | @@ -79,7 +69,9 @@ trust_policies = [ | |||
4364 | 79 | 'method': 'GET'}, | 69 | 'method': 'GET'}, |
4365 | 80 | {'path': '/v3/OS-TRUST/trusts', | 70 | {'path': '/v3/OS-TRUST/trusts', |
4366 | 81 | 'method': 'HEAD'}], | 71 | 'method': 'HEAD'}], |
4368 | 82 | deprecated_rule=deprecated_list_trusts), | 72 | deprecated_rule=deprecated_list_trusts, |
4369 | 73 | deprecated_reason=DEPRECATED_REASON, | ||
4370 | 74 | deprecated_since=versionutils.deprecated.TRAIN), | ||
4371 | 83 | policy.DocumentedRuleDefault( | 75 | policy.DocumentedRuleDefault( |
4372 | 84 | name=base.IDENTITY % 'list_trusts_for_trustor', | 76 | name=base.IDENTITY % 'list_trusts_for_trustor', |
4373 | 85 | check_str=SYSTEM_READER_OR_TRUSTOR, | 77 | check_str=SYSTEM_READER_OR_TRUSTOR, |
4374 | @@ -111,7 +103,9 @@ trust_policies = [ | |||
4375 | 111 | 'method': 'GET'}, | 103 | 'method': 'GET'}, |
4376 | 112 | {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles', | 104 | {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles', |
4377 | 113 | 'method': 'HEAD'}], | 105 | 'method': 'HEAD'}], |
4379 | 114 | deprecated_rule=deprecated_list_roles_for_trust), | 106 | deprecated_rule=deprecated_list_roles_for_trust, |
4380 | 107 | deprecated_reason=DEPRECATED_REASON, | ||
4381 | 108 | deprecated_since=versionutils.deprecated.TRAIN), | ||
4382 | 115 | policy.DocumentedRuleDefault( | 109 | policy.DocumentedRuleDefault( |
4383 | 116 | name=base.IDENTITY % 'get_role_for_trust', | 110 | name=base.IDENTITY % 'get_role_for_trust', |
4384 | 117 | check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE, | 111 | check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE, |
4385 | @@ -121,7 +115,9 @@ trust_policies = [ | |||
4386 | 121 | 'method': 'GET'}, | 115 | 'method': 'GET'}, |
4387 | 122 | {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}', | 116 | {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}', |
4388 | 123 | 'method': 'HEAD'}], | 117 | 'method': 'HEAD'}], |
4390 | 124 | deprecated_rule=deprecated_get_role_for_trust), | 118 | deprecated_rule=deprecated_get_role_for_trust, |
4391 | 119 | deprecated_reason=DEPRECATED_REASON, | ||
4392 | 120 | deprecated_since=versionutils.deprecated.TRAIN), | ||
4393 | 125 | policy.DocumentedRuleDefault( | 121 | policy.DocumentedRuleDefault( |
4394 | 126 | name=base.IDENTITY % 'delete_trust', | 122 | name=base.IDENTITY % 'delete_trust', |
4395 | 127 | check_str=SYSTEM_ADMIN_OR_TRUSTOR, | 123 | check_str=SYSTEM_ADMIN_OR_TRUSTOR, |
4396 | @@ -129,7 +125,9 @@ trust_policies = [ | |||
4397 | 129 | description='Revoke trust.', | 125 | description='Revoke trust.', |
4398 | 130 | operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}', | 126 | operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}', |
4399 | 131 | 'method': 'DELETE'}], | 127 | 'method': 'DELETE'}], |
4401 | 132 | deprecated_rule=deprecated_delete_trust), | 128 | deprecated_rule=deprecated_delete_trust, |
4402 | 129 | deprecated_reason=DEPRECATED_REASON, | ||
4403 | 130 | deprecated_since=versionutils.deprecated.TRAIN), | ||
4404 | 133 | policy.DocumentedRuleDefault( | 131 | policy.DocumentedRuleDefault( |
4405 | 134 | name=base.IDENTITY % 'get_trust', | 132 | name=base.IDENTITY % 'get_trust', |
4406 | 135 | check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE, | 133 | check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE, |
4407 | @@ -139,7 +137,9 @@ trust_policies = [ | |||
4408 | 139 | 'method': 'GET'}, | 137 | 'method': 'GET'}, |
4409 | 140 | {'path': '/v3/OS-TRUST/trusts/{trust_id}', | 138 | {'path': '/v3/OS-TRUST/trusts/{trust_id}', |
4410 | 141 | 'method': 'HEAD'}], | 139 | 'method': 'HEAD'}], |
4412 | 142 | deprecated_rule=deprecated_get_trust) | 140 | deprecated_rule=deprecated_get_trust, |
4413 | 141 | deprecated_reason=DEPRECATED_REASON, | ||
4414 | 142 | deprecated_since=versionutils.deprecated.TRAIN) | ||
4415 | 143 | ] | 143 | ] |
4416 | 144 | 144 | ||
4417 | 145 | 145 | ||
4418 | diff --git a/keystone/common/policies/user.py b/keystone/common/policies/user.py | |||
4419 | index 0534f70..75a0062 100644 | |||
4420 | --- a/keystone/common/policies/user.py | |||
4421 | +++ b/keystone/common/policies/user.py | |||
4422 | @@ -36,33 +36,23 @@ DEPRECATED_REASON = ( | |||
4423 | 36 | 36 | ||
4424 | 37 | deprecated_get_user = policy.DeprecatedRule( | 37 | deprecated_get_user = policy.DeprecatedRule( |
4425 | 38 | name=base.IDENTITY % 'get_user', | 38 | name=base.IDENTITY % 'get_user', |
4429 | 39 | check_str=base.RULE_ADMIN_OR_OWNER, | 39 | check_str=base.RULE_ADMIN_OR_OWNER |
4427 | 40 | deprecated_reason=DEPRECATED_REASON, | ||
4428 | 41 | deprecated_since=versionutils.deprecated.STEIN | ||
4430 | 42 | ) | 40 | ) |
4431 | 43 | deprecated_list_users = policy.DeprecatedRule( | 41 | deprecated_list_users = policy.DeprecatedRule( |
4432 | 44 | name=base.IDENTITY % 'list_users', | 42 | name=base.IDENTITY % 'list_users', |
4436 | 45 | check_str=base.RULE_ADMIN_REQUIRED, | 43 | check_str=base.RULE_ADMIN_REQUIRED |
4434 | 46 | deprecated_reason=DEPRECATED_REASON, | ||
4435 | 47 | deprecated_since=versionutils.deprecated.STEIN | ||
4437 | 48 | ) | 44 | ) |
4438 | 49 | deprecated_create_user = policy.DeprecatedRule( | 45 | deprecated_create_user = policy.DeprecatedRule( |
4439 | 50 | name=base.IDENTITY % 'create_user', | 46 | name=base.IDENTITY % 'create_user', |
4443 | 51 | check_str=base.RULE_ADMIN_REQUIRED, | 47 | check_str=base.RULE_ADMIN_REQUIRED |
4441 | 52 | deprecated_reason=DEPRECATED_REASON, | ||
4442 | 53 | deprecated_since=versionutils.deprecated.STEIN | ||
4444 | 54 | ) | 48 | ) |
4445 | 55 | deprecated_update_user = policy.DeprecatedRule( | 49 | deprecated_update_user = policy.DeprecatedRule( |
4446 | 56 | name=base.IDENTITY % 'update_user', | 50 | name=base.IDENTITY % 'update_user', |
4450 | 57 | check_str=base.RULE_ADMIN_REQUIRED, | 51 | check_str=base.RULE_ADMIN_REQUIRED |
4448 | 58 | deprecated_reason=DEPRECATED_REASON, | ||
4449 | 59 | deprecated_since=versionutils.deprecated.STEIN | ||
4451 | 60 | ) | 52 | ) |
4452 | 61 | deprecated_delete_user = policy.DeprecatedRule( | 53 | deprecated_delete_user = policy.DeprecatedRule( |
4453 | 62 | name=base.IDENTITY % 'delete_user', | 54 | name=base.IDENTITY % 'delete_user', |
4457 | 63 | check_str=base.RULE_ADMIN_REQUIRED, | 55 | check_str=base.RULE_ADMIN_REQUIRED |
4455 | 64 | deprecated_reason=DEPRECATED_REASON, | ||
4456 | 65 | deprecated_since=versionutils.deprecated.STEIN | ||
4458 | 66 | ) | 56 | ) |
4459 | 67 | 57 | ||
4460 | 68 | user_policies = [ | 58 | user_policies = [ |
4461 | @@ -75,7 +65,9 @@ user_policies = [ | |||
4462 | 75 | 'method': 'GET'}, | 65 | 'method': 'GET'}, |
4463 | 76 | {'path': '/v3/users/{user_id}', | 66 | {'path': '/v3/users/{user_id}', |
4464 | 77 | 'method': 'HEAD'}], | 67 | 'method': 'HEAD'}], |
4466 | 78 | deprecated_rule=deprecated_get_user), | 68 | deprecated_rule=deprecated_get_user, |
4467 | 69 | deprecated_reason=DEPRECATED_REASON, | ||
4468 | 70 | deprecated_since=versionutils.deprecated.STEIN), | ||
4469 | 79 | policy.DocumentedRuleDefault( | 71 | policy.DocumentedRuleDefault( |
4470 | 80 | name=base.IDENTITY % 'list_users', | 72 | name=base.IDENTITY % 'list_users', |
4471 | 81 | check_str=SYSTEM_READER_OR_DOMAIN_READER, | 73 | check_str=SYSTEM_READER_OR_DOMAIN_READER, |
4472 | @@ -85,7 +77,9 @@ user_policies = [ | |||
4473 | 85 | 'method': 'GET'}, | 77 | 'method': 'GET'}, |
4474 | 86 | {'path': '/v3/users', | 78 | {'path': '/v3/users', |
4475 | 87 | 'method': 'HEAD'}], | 79 | 'method': 'HEAD'}], |
4477 | 88 | deprecated_rule=deprecated_list_users), | 80 | deprecated_rule=deprecated_list_users, |
4478 | 81 | deprecated_reason=DEPRECATED_REASON, | ||
4479 | 82 | deprecated_since=versionutils.deprecated.STEIN), | ||
4480 | 89 | policy.DocumentedRuleDefault( | 83 | policy.DocumentedRuleDefault( |
4481 | 90 | name=base.IDENTITY % 'list_projects_for_user', | 84 | name=base.IDENTITY % 'list_projects_for_user', |
4482 | 91 | check_str='', | 85 | check_str='', |
4483 | @@ -117,7 +111,9 @@ user_policies = [ | |||
4484 | 117 | description='Create a user.', | 111 | description='Create a user.', |
4485 | 118 | operations=[{'path': '/v3/users', | 112 | operations=[{'path': '/v3/users', |
4486 | 119 | 'method': 'POST'}], | 113 | 'method': 'POST'}], |
4488 | 120 | deprecated_rule=deprecated_create_user), | 114 | deprecated_rule=deprecated_create_user, |
4489 | 115 | deprecated_reason=DEPRECATED_REASON, | ||
4490 | 116 | deprecated_since=versionutils.deprecated.STEIN), | ||
4491 | 121 | policy.DocumentedRuleDefault( | 117 | policy.DocumentedRuleDefault( |
4492 | 122 | name=base.IDENTITY % 'update_user', | 118 | name=base.IDENTITY % 'update_user', |
4493 | 123 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, | 119 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
4494 | @@ -125,7 +121,9 @@ user_policies = [ | |||
4495 | 125 | description='Update a user, including administrative password resets.', | 121 | description='Update a user, including administrative password resets.', |
4496 | 126 | operations=[{'path': '/v3/users/{user_id}', | 122 | operations=[{'path': '/v3/users/{user_id}', |
4497 | 127 | 'method': 'PATCH'}], | 123 | 'method': 'PATCH'}], |
4499 | 128 | deprecated_rule=deprecated_update_user), | 124 | deprecated_rule=deprecated_update_user, |
4500 | 125 | deprecated_reason=DEPRECATED_REASON, | ||
4501 | 126 | deprecated_since=versionutils.deprecated.STEIN), | ||
4502 | 129 | policy.DocumentedRuleDefault( | 127 | policy.DocumentedRuleDefault( |
4503 | 130 | name=base.IDENTITY % 'delete_user', | 128 | name=base.IDENTITY % 'delete_user', |
4504 | 131 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, | 129 | check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN, |
4505 | @@ -133,7 +131,9 @@ user_policies = [ | |||
4506 | 133 | description='Delete a user.', | 131 | description='Delete a user.', |
4507 | 134 | operations=[{'path': '/v3/users/{user_id}', | 132 | operations=[{'path': '/v3/users/{user_id}', |
4508 | 135 | 'method': 'DELETE'}], | 133 | 'method': 'DELETE'}], |
4510 | 136 | deprecated_rule=deprecated_delete_user) | 134 | deprecated_rule=deprecated_delete_user, |
4511 | 135 | deprecated_reason=DEPRECATED_REASON, | ||
4512 | 136 | deprecated_since=versionutils.deprecated.STEIN) | ||
4513 | 137 | ] | 137 | ] |
4514 | 138 | 138 | ||
4515 | 139 | 139 | ||
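Review bot: `identity:list_projects_for_user` keeps `check_str=''` on the new side (new line 85), which oslo.policy treats as an always-true rule, so the only thing stopping one user from enumerating another user's projects is whatever target filtering the API handler performs, and that reliance is not recorded in the policy definition. A short comment above the rule, e.g. `# Empty check string: any authenticated caller passes; the API handler is responsible for limiting the result to the caller's own user -- verify before overriding`, would make the trust boundary explicit for operators editing policy overrides. The handler itself and the remainder of this rule's definition are outside the hunk, so the comment's wording should be confirmed against them.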
4516 | diff --git a/keystone/common/rbac_enforcer/enforcer.py b/keystone/common/rbac_enforcer/enforcer.py | |||
4517 | index 7add048..ca6a8e7 100644 | |||
4518 | --- a/keystone/common/rbac_enforcer/enforcer.py | |||
4519 | +++ b/keystone/common/rbac_enforcer/enforcer.py | |||
4520 | @@ -14,7 +14,6 @@ import functools | |||
4521 | 14 | 14 | ||
4522 | 15 | import flask | 15 | import flask |
4523 | 16 | from oslo_log import log | 16 | from oslo_log import log |
4524 | 17 | from oslo_policy import opts | ||
4525 | 18 | from oslo_policy import policy as common_policy | 17 | from oslo_policy import policy as common_policy |
4526 | 19 | from oslo_utils import strutils | 18 | from oslo_utils import strutils |
4527 | 20 | 19 | ||
4528 | @@ -40,13 +39,6 @@ _POSSIBLE_TARGET_ACTIONS = frozenset([ | |||
4529 | 40 | _ENFORCEMENT_CHECK_ATTR = 'keystone:RBAC:enforcement_called' | 39 | _ENFORCEMENT_CHECK_ATTR = 'keystone:RBAC:enforcement_called' |
4530 | 41 | 40 | ||
4531 | 42 | 41 | ||
4532 | 43 | # TODO(gmann): Remove setting the default value of config policy_file | ||
4533 | 44 | # once oslo_policy change the default value to 'policy.yaml'. | ||
4534 | 45 | # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 | ||
4535 | 46 | DEFAULT_POLICY_FILE = 'policy.yaml' | ||
4536 | 47 | opts.set_defaults(CONF, DEFAULT_POLICY_FILE) | ||
4537 | 48 | |||
4538 | 49 | |||
4539 | 50 | class RBACEnforcer(object): | 42 | class RBACEnforcer(object): |
4540 | 51 | """Enforce RBAC on API calls.""" | 43 | """Enforce RBAC on API calls.""" |
4541 | 52 | 44 | ||
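Review bot: Dropping `opts.set_defaults(CONF, DEFAULT_POLICY_FILE)` (old lines 43-47) hands the `[oslo_policy] policy_file` default back to oslo.policy, which on older oslo.policy releases is `policy.json`; a deployment that ships its overrides in `/etc/keystone/policy.yaml` and never set `policy_file` explicitly would then have those overrides silently ignored and fall back to the in-code defaults, which is an authorization regression rather than a cosmetic one. Before merging, confirm which default the archive's python3-oslo.policy uses, and if it is still `policy.json`, either keep the `opts.set_defaults` call or ship `policy_file = policy.yaml` in the packaged keystone.conf so enforcement does not change on upgrade. The rest of the module is outside the hunk.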
4542 | diff --git a/keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py b/keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py | |||
4543 | 53 | deleted file mode 100644 | 45 | deleted file mode 100644 |
4544 | index 2b09cbc..0000000 | |||
4545 | --- a/keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py | |||
4546 | +++ /dev/null | |||
4547 | @@ -1,18 +0,0 @@ | |||
4548 | 1 | # Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
4549 | 2 | # not use this file except in compliance with the License. You may obtain | ||
4550 | 3 | # a copy of the License at | ||
4551 | 4 | # | ||
4552 | 5 | # http://www.apache.org/licenses/LICENSE-2.0 | ||
4553 | 6 | # | ||
4554 | 7 | # Unless required by applicable law or agreed to in writing, software | ||
4555 | 8 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
4556 | 9 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
4557 | 10 | # License for the specific language governing permissions and limitations | ||
4558 | 11 | # under the License. | ||
4559 | 12 | |||
4560 | 13 | # This is a placeholder for Ussuri backports. Do not use this number for new | ||
4561 | 14 | # Victoria work. New Victoria work starts after all the placeholders. | ||
4562 | 15 | |||
4563 | 16 | |||
4564 | 17 | def upgrade(migrate_engine): | ||
4565 | 18 | pass | ||
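--- a/keystone/common/sql/core.py
+++ b/keystone/common/sql/core.py
@@ -119,11 +119,6 @@ ModelBase.__init__ = initialize_decorator(ModelBase.__init__)
 class JsonBlob(sql_types.TypeDecorator):
 
 impl = sql.Text
-# NOTE(ralonsoh): set to True as any other TypeDecorator in SQLAlchemy
-# https://docs.sqlalchemy.org/en/14/core/custom_types.html# \
-# sqlalchemy.types.TypeDecorator.cache_ok
-cache_ok = True
-"""This type is safe to cache."""
 
 def process_bind_param(self, value, dialect):
 return jsonutils.dumps(value)
@@ -149,11 +144,6 @@ class DateTimeInt(sql_types.TypeDecorator):
 
 impl = sql.BigInteger
 epoch = datetime.datetime.fromtimestamp(0, tz=pytz.UTC)
-# NOTE(ralonsoh): set to True as any other TypeDecorator in SQLAlchemy
-# https://docs.sqlalchemy.org/en/14/core/custom_types.html# \
-# sqlalchemy.types.TypeDecorator.cache_ok
-cache_ok = True
-"""This type is safe to cache."""
 
 def process_bind_param(self, value, dialect):
 if value is None: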
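Review bot: The new side of both hunks drops `cache_ok = True` from JsonBlob and DateTimeInt; if the SQLAlchemy pinned for this branch is 1.4 or newer, a TypeDecorator subclass without that attribute triggers the "will not produce a cache key" warning and statements using these types bypass the compiled-statement cache. Keeping `cache_ok = True` on both classes is harmless on older releases, so it is worth retaining unless the pin is known to predate the attribute. Both class bodies continue outside the hunk.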
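--- a/keystone/common/sql/data_migration_repo/versions/079_migrate_update_local_id_limit.py
+++ /dev/null
@@ -1,18 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# This is a placeholder for Ussuri backports. Do not use this number for new
-# Victoria work. New Victoria work starts after all the placeholders.
-
-
-def upgrade(migrate_engine):
-pass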
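--- a/keystone/common/sql/expand_repo/versions/079_expand_update_local_id_limit.py
+++ /dev/null
@@ -1,24 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import sqlalchemy as sql
-
-
-def upgrade(migrate_engine):
-
-meta = sql.MetaData()
-meta.bind = migrate_engine
-
-id_mapping_table = sql.Table(
-'id_mapping', meta, autoload=True
-)
-id_mapping_table.c.local_id.alter(type=sql.String(255))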
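--- a/keystone/common/utils.py
+++ b/keystone/common/utils.py
@@ -16,7 +16,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-import collections.abc
+import collections
 import grp
 import hashlib
 import itertools
@@ -81,7 +81,7 @@ def flatten_dict(d, parent_key=''):
 items = []
 for k, v in d.items():
 new_key = parent_key + '.' + k if parent_key else k
-if isinstance(v, collections.abc.MutableMapping):
+if isinstance(v, collections.MutableMapping):
 items.extend(list(flatten_dict(v, new_key).items()))
 else:
 items.append((new_key, v))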
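Review bot: `collections.MutableMapping` on the new side of the second hunk is the alias that Python 3.10 removed, so flatten_dict raises AttributeError on any nested mapping under a current interpreter; the first hunk's import should stay `import collections.abc` and the check `if isinstance(v, collections.abc.MutableMapping):`. If this branch is deliberately pinned to a release that only targets older interpreters the reversion is tolerable, but that should be confirmed. flatten_dict continues outside the hunk.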
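--- a/keystone/conf/__init__.py
+++ b/keystone/conf/__init__.py
@@ -18,7 +18,6 @@ from oslo_log import log
 from oslo_log import versionutils
 import oslo_messaging
 from oslo_middleware import cors
-from oslo_policy import opts as policy_opts
 from osprofiler import opts as profiler
 
 from keystone.conf import application_credential
@@ -186,12 +185,6 @@ def set_external_opts_defaults():
 # configure OSprofiler options
 profiler.set_defaults(CONF, enabled=False, trace_sqlalchemy=False)
 
-# TODO(gmann): Remove setting the default value of config policy_file
-# once oslo_policy change the default value to 'policy.yaml'.
-# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
-DEFAULT_POLICY_FILE = 'policy.yaml'
-policy_opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
-
 # Oslo.cache is always enabled by default for request-local caching
 # TODO(morganfainberg): Fix this to not use internal interface when
 # oslo.cache has proper interface to set defaults added. This is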
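Review bot: With the `policy_opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)` call gone from the second hunk, the `[oslo_policy] policy_file` default comes from oslo.policy itself rather than from keystone, so a deployment that ships `policy.yaml` and relied on keystone's default may load a different file or fall back to the in-code policy defaults, which changes the effective access-control rules without any error. If the reversion is intended for the targeted release, the packaging should set `policy_file` explicitly in keystone.conf so the loaded policy is unambiguous. set_external_opts_defaults continues outside the hunk.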
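--- a/keystone/conf/memcache.py
+++ b/keystone/conf/memcache.py
@@ -19,12 +19,6 @@ from keystone.conf import utils
 dead_retry = cfg.IntOpt(
 'dead_retry',
 default=5 * 60,
-deprecated_for_removal=True,
-deprecated_reason='This option has no effect. '
-'Configure ``keystone.conf [cache] '
-'memcache_dead_retry`` option to set the '
-'dead_retry of memcached instead. ',
-deprecated_since='Y',
 help=utils.fmt("""
 Number of seconds memcached server is considered dead before it is tried again.
 This is used by the key value store system.
@@ -34,7 +28,7 @@ socket_timeout = cfg.IntOpt(
 'socket_timeout',
 default=3,
 deprecated_for_removal=True,
-deprecated_reason='This option has no effect. '
+deprecated_reason='This option is duplicated with oslo.cache. '
 'Configure ``keystone.conf [cache] '
 'memcache_socket_timeout`` option to set the '
 'socket_timeout of memcached instead. ',
@@ -47,12 +41,6 @@ store system.
 pool_maxsize = cfg.IntOpt(
 'pool_maxsize',
 default=10,
-deprecated_for_removal=True,
-deprecated_reason='This option has no effect. '
-'Configure ``keystone.conf [cache] '
-'memcache_pool_maxsize`` option to set the '
-'pool_maxsize of memcached instead. ',
-deprecated_since='Y',
 help=utils.fmt("""
 Max total number of open connections to every memcached server. This is used by
 the key value store system.
@@ -61,12 +49,6 @@ the key value store system.
 pool_unused_timeout = cfg.IntOpt(
 'pool_unused_timeout',
 default=60,
-deprecated_for_removal=True,
-deprecated_reason='This option has no effect. '
-'Configure ``keystone.conf [cache] '
-'memcache_pool_unused_timeout`` option to set the '
-'pool_unused_timeout of memcached instead. ',
-deprecated_since='Y',
 help=utils.fmt("""
 Number of seconds a connection to memcached is held unused in the pool before
 it is closed. This is used by the key value store system.
@@ -75,12 +57,6 @@ it is closed. This is used by the key value store system.
 pool_connection_get_timeout = cfg.IntOpt(
 'pool_connection_get_timeout',
 default=10,
-deprecated_for_removal=True,
-deprecated_reason='This option has no effect. '
-'Configure ``keystone.conf [cache] '
-'memcache_pool_connection_get_timeout`` option to set '
-'the connection_get_timeout of memcached instead. ',
-deprecated_since='Y',
 help=utils.fmt("""
 Number of seconds that an operation will wait to get a memcache client
 connection. This is used by the key value store system.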
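Review bot: The new side keeps `deprecated_for_removal=True` on `socket_timeout` (second hunk) but removes the deprecation metadata from `dead_retry`, `pool_maxsize`, `pool_unused_timeout` and `pool_connection_get_timeout`, so an operator is warned about one of the five options and told nothing about the other four, which the old side described as having no effect. If those four are still read by this version, their help text should name the component that honours them; if not, restoring a one-line `deprecated_reason=` on each keeps the `[memcache]` section consistent. Each option definition continues outside its hunk.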
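--- a/keystone/federation/idp.py
+++ b/keystone/federation/idp.py
@@ -366,11 +366,7 @@ class SAMLGenerator(object):
 
 """
 canonicalization_method = xmldsig.CanonicalizationMethod()
-# TODO(stephenfin): Drop when we remove support for pysaml < 7.1.0
-if hasattr(xmldsig, 'TRANSFORM_C14N'): # >= 7.1.0
-canonicalization_method.algorithm = xmldsig.TRANSFORM_C14N
-else: # < 7.1.0
-canonicalization_method.algorithm = xmldsig.ALG_EXC_C14N
+canonicalization_method.algorithm = xmldsig.ALG_EXC_C14N
 signature_method = xmldsig.SignatureMethod(
 algorithm=xmldsig.SIG_RSA_SHA1)
 
@@ -378,11 +374,7 @@ class SAMLGenerator(object):
 envelope_transform = xmldsig.Transform(
 algorithm=xmldsig.TRANSFORM_ENVELOPED)
 
-# TODO(stephenfin): Drop when we remove support for pysaml < 7.1.0
-if hasattr(xmldsig, 'TRANSFORM_C14N'): # >= 7.1.0
-c14_transform = xmldsig.Transform(algorithm=xmldsig.TRANSFORM_C14N)
-else: # < 7.1.0
-c14_transform = xmldsig.Transform(algorithm=xmldsig.ALG_EXC_C14N)
+c14_transform = xmldsig.Transform(algorithm=xmldsig.ALG_EXC_C14N)
 transforms.transform = [envelope_transform, c14_transform]
 
 digest_method = xmldsig.DigestMethod(algorithm=xmldsig.DIGEST_SHA1)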
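Review bot: The new side uses `xmldsig.ALG_EXC_C14N` unconditionally in both hunks where the old side chose between `TRANSFORM_C14N` and `ALG_EXC_C14N` via `hasattr`; if the pysaml2 pinned for this branch no longer exposes the old constant, assertion signing fails with AttributeError at request time rather than at import, so the pin should be checked against that name. The unchanged lines also keep `SIG_RSA_SHA1` and `DIGEST_SHA1` for the assertion signature and digest, a pre-existing weakness that is worth tracking separately if the pinned pysaml2 offers SHA-256 variants. The enclosing method starts outside the hunk.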
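--- a/keystone/identity/mapping_backends/sql.py
+++ b/keystone/identity/mapping_backends/sql.py
@@ -21,7 +21,7 @@ class IDMapping(sql.ModelBase, sql.ModelDictMixin):
 __tablename__ = 'id_mapping'
 public_id = sql.Column(sql.String(64), primary_key=True)
 domain_id = sql.Column(sql.String(64), nullable=False)
-local_id = sql.Column(sql.String(255), nullable=False)
+local_id = sql.Column(sql.String(64), nullable=False)
 # NOTE(henry-nash): Postgres requires a name to be defined for an Enum
 entity_type = sql.Column(
 sql.Enum(identity_mapping.EntityType.USER,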
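Review bot: `local_id` shrinks from `sql.String(255)` to `sql.String(64)` on the new side while the 079 expand and migrate scripts that widened the column are deleted earlier in this diff; a database that has already run those migrations keeps a 255-wide column behind a model that now declares 64, and federated local ids longer than 64 characters would then be handled differently from what the model implies. Worth confirming that the target branch is expected to sit at a pre-079 schema before merging. The IDMapping class continues outside the hunk.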
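--- a/keystone/identity/shadow_backends/sql.py
+++ b/keystone/identity/shadow_backends/sql.py
@@ -98,8 +98,7 @@ class ShadowUsers(base.ShadowUsersDriverBase):
 x for x in hints.filters if x['name'] not in ('idp_id',
 'protocol_id',
 'unique_id')]
-if statements:
-query = query.filter(sqlalchemy.and_(*statements))
+query = query.filter(sqlalchemy.and_(*statements))
 return query
 
 def get_federated_users(self, hints):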
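Review bot: The new side drops the `if statements:` guard, so when every filter hint is one of idp_id/protocol_id/unique_id the code calls `sqlalchemy.and_()` with no arguments; SQLAlchemy 1.4 deprecates the empty and_() with a warning and the extra `.filter()` contributes nothing to the query. Keep the guard: `if statements:` followed by `    query = query.filter(sqlalchemy.and_(*statements))`. The enclosing method starts outside the hunk.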
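--- a/keystone/locale/en_GB/LC_MESSAGES/keystone.po
+++ b/keystone/locale/en_GB/LC_MESSAGES/keystone.po
@@ -12,11 +12,11 @@ msgid ""
 msgstr ""
 "Project-Id-Version: keystone VERSION\n"
 "Report-Msgid-Bugs-To: https://bugs.launchpad.net/openstack-i18n/\n"
-"POT-Creation-Date: 2021-01-08 19:57+0000\n"
+"POT-Creation-Date: 2020-06-18 11:23+0000\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2020-10-28 02:12+0000\n"
+"PO-Revision-Date: 2020-06-15 05:35+0000\n"
 "Last-Translator: Andi Chandler <andi@gowling.com>\n"
 "Language: en_GB\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
@@ -1384,14 +1384,6 @@ msgstr ""
 
 #, python-format
 msgid ""
-"Unable to create additional credentials, maximum of %(limit)d already "
-"exceeded for user."
-msgstr ""
-"Unable to create additional credentials, maximum of %(limit)d already "
-"exceeded for user."
-
-#, python-format
-msgid ""
 "Unable to delete immutable %(type)s resource: `%(resource_id)s. Set resource "
 "option \"immutable\" to false first."
 msgstr ""
@@ -1500,10 +1492,6 @@ msgstr ""
 "%(group_id)s, Project: %(project_id)s, Domain: %(domain_id)s."
 
 #, python-format
-msgid "Unexpected evaluation type \"%(eval_type)s\""
-msgstr "Unexpected evaluation type \"%(eval_type)s\""
-
-#, python-format
 msgid "Unexpected status requested for JSON Home response, %s"
 msgstr "Unexpected status requested for JSON Home response, %s"
 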
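--- a/keystone/models/revoke_model.py
+++ b/keystone/models/revoke_model.py
@@ -170,7 +170,7 @@ def matches(event, token_values):
 # rest of the logic.
 
 # The token has two attributes that can match the domain_id.
-if event.domain_id is not None and event.domain_id not in (
+if event.domain_id is not None and event.domain_id not in(
 token_values['identity_domain_id'],
 token_values['assignment_domain_id'],):
 return False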
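--- a/keystone/tests/unit/assignment/test_backends.py
+++ b/keystone/tests/unit/assignment/test_backends.py
@@ -3694,9 +3694,9 @@ class ImpliedRoleTests(AssignmentTestHelperMixin):
 expected_implied_role_ref = {
 'prior_role_id': prior_role_ref['id'],
 'implied_role_id': implied_role_ref['id']}
-self.assertLessEqual(
-expected_implied_role_ref.items(),
-implied_role.items())
+self.assertDictContainsSubset(
+expected_implied_role_ref,
+implied_role)
 
 PROVIDERS.role_api.delete_implied_role(
 prior_role_ref['id'],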
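Review bot: `self.assertDictContainsSubset(...)` on the new side was deprecated in Python 3.2 and removed in 3.12, so this test raises AttributeError on a current interpreter; the same reinstatement appears in all three hunks of keystone/tests/unit/catalog/test_backends.py. The old side's `self.assertLessEqual(expected.items(), actual.items())` is the portable equivalent and should be kept unless the branch is pinned to an interpreter older than 3.12, in which case the change only reintroduces a DeprecationWarning. The test method continues outside the hunk.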
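--- a/keystone/tests/unit/catalog/test_backends.py
+++ b/keystone/tests/unit/catalog/test_backends.py
@@ -111,23 +111,20 @@ class CatalogTests(object):
 PROVIDERS.catalog_api.get_region(region_id)
 # update the region bypassing catalog_api
 PROVIDERS.catalog_api.driver.update_region(region_id, updated_region)
-self.assertLessEqual(
-new_region.items(),
-PROVIDERS.catalog_api.get_region(region_id).items()
+self.assertDictContainsSubset(
+new_region, PROVIDERS.catalog_api.get_region(region_id)
 )
 PROVIDERS.catalog_api.get_region.invalidate(
 PROVIDERS.catalog_api, region_id
 )
-self.assertLessEqual(
-updated_region.items(),
-PROVIDERS.catalog_api.get_region(region_id).items()
+self.assertDictContainsSubset(
+updated_region, PROVIDERS.catalog_api.get_region(region_id)
 )
 # delete the region
 PROVIDERS.catalog_api.driver.delete_region(region_id)
 # still get the old region
-self.assertLessEqual(
-updated_region.items(),
-PROVIDERS.catalog_api.get_region(region_id).items()
+self.assertDictContainsSubset(
+updated_region, PROVIDERS.catalog_api.get_region(region_id)
 )
 PROVIDERS.catalog_api.get_region.invalidate(
 PROVIDERS.catalog_api, region_id
@@ -345,23 +342,20 @@ class CatalogTests(object):
 PROVIDERS.catalog_api.driver.update_service(
 service_id, updated_service
 )
-self.assertLessEqual(
-new_service.items(),
-PROVIDERS.catalog_api.get_service(service_id).items()
+self.assertDictContainsSubset(
+new_service, PROVIDERS.catalog_api.get_service(service_id)
 )
 PROVIDERS.catalog_api.get_service.invalidate(
 PROVIDERS.catalog_api, service_id
 )
-self.assertLessEqual(
-updated_service.items(),
-PROVIDERS.catalog_api.get_service(service_id).items()
+self.assertDictContainsSubset(
+updated_service, PROVIDERS.catalog_api.get_service(service_id)
 )
 
 # delete bypassing catalog api
 PROVIDERS.catalog_api.driver.delete_service(service_id)
-self.assertLessEqual(
-updated_service.items(),
-PROVIDERS.catalog_api.get_service(service_id).items()
+self.assertDictContainsSubset(
+updated_service, PROVIDERS.catalog_api.get_service(service_id)
 )
 PROVIDERS.catalog_api.get_service.invalidate(
 PROVIDERS.catalog_api, service_id
@@ -422,12 +416,12 @@ class CatalogTests(object):
 PROVIDERS.catalog_api.get_endpoint(endpoint['id'])
 # delete the service bypassing catalog api
 PROVIDERS.catalog_api.driver.delete_service(service['id'])
-self.assertLessEqual(
-endpoint.items(),
-PROVIDERS.catalog_api.get_endpoint(endpoint['id']).items())
-self.assertLessEqual(
-service.items(),
-PROVIDERS.catalog_api.get_service(service['id']).items())
+self.assertDictContainsSubset(endpoint,
+PROVIDERS.catalog_api.
+get_endpoint(endpoint['id']))
+self.assertDictContainsSubset(service,
+PROVIDERS.catalog_api.
+get_service(service['id']))
 PROVIDERS.catalog_api.get_endpoint.invalidate(
 PROVIDERS.catalog_api, endpoint['id']
 )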
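--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
@@ -1045,7 +1045,7 @@ class TestEventCallbacks(test_v3.RestfulTestCase):
 Foo()
 project_ref = unit.new_project_ref(domain_id=self.domain_id)
 PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
-self.assertCountEqual(['cb1', 'cb0'], callback_called)
+self.assertItemsEqual(['cb1', 'cb0'], callback_called)
 
 def test_invalid_event_callbacks(self):
 @notifications.listener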
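Review bot: `assertItemsEqual` on the new side is the Python 2 name; unittest.TestCase in Python 3 only provides `assertCountEqual`, so unless test_v3.RestfulTestCase inherits the alias from testtools this assertion raises AttributeError instead of checking the callbacks. Keeping `self.assertCountEqual(['cb1', 'cb0'], callback_called)` works in either case. The test method starts outside the hunk.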
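--- a/keystone/tests/unit/config_files/backend_ldap_sql.conf
+++ b/keystone/tests/unit/config_files/backend_ldap_sql.conf
@@ -5,7 +5,7 @@
 #connection = mysql+pymysql://keystone:keystone@localhost/keystone?charset=utf8
 #To Test PostgreSQL:
 #connection = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8
-connection_recycle_time = 200
+idle_timeout = 200
 
 [ldap]
 url = fake://memory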
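Review bot: `idle_timeout` on the new side is the oslo.db option name that was deprecated in favour of `connection_recycle_time`; whether the value still takes effect depends on the oslo.db pinned for this branch honouring the old alias, otherwise the line is ignored and the test database falls back to the library default. For a test-only config the impact is low, but if the pinned oslo.db already knows `connection_recycle_time = 200` that name avoids the deprecated path.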
5000 | diff --git a/keystone/tests/unit/config_files/backend_multi_ldap_sql.conf b/keystone/tests/unit/config_files/backend_multi_ldap_sql.conf |