

Merge pull request #1391 from kajinamit/scope-types
Add explicit scope types for all policies
tobias-urdin authored Aug 16, 2024
2 parents 3e84ca5 + e9b9966 commit 66e4e07
Showing 2 changed files with 34 additions and 2 deletions.
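--- a/gnocchi/rest/auth_helper.py
+++ b/gnocchi/rest/auth_helper.py
@@ -146,7 +146,8 @@ def get_auth_info(self, request):
 roles.append("admin")
 return {
 "user": user,
-"roles": roles
+"roles": roles,
+"system": 'all',
 }
 
 @staticmethod
@@ -176,7 +177,8 @@ def get_auth_info(self, request):
 roles.append("admin")
 return {
 "user": user,
-"roles": roles
+"roles": roles,
+"system": 'all',
 }
 
 @staticmethod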
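Review bot: Both `get_auth_info` hunks (new lines 150 and 181) add `"system": 'all'` to the returned dict unconditionally, so every caller authenticated through these helpers is reported as system-scoped whether or not `roles.append("admin")` ran. Every policy in this commit accepts all three scope types, so this is harmless today, but if a rule is later restricted to `scope_types=['system']`, every user of these helpers would presumably still satisfy the scope check, leaving `check_str` as the only control. I would add a comment above the key, e.g. `# This auth mode has no real scope: claim system scope so scope checks pass; access control relies on roles only.`, and write `"all"` with double quotes to match the neighbouring entries. Both function bodies start outside the hunks, so the condition guarding the admin role is not visible here.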
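--- a/gnocchi/rest/policies.py
+++ b/gnocchi/rest/policies.py
@@ -52,6 +52,7 @@
 policy.DocumentedRuleDefault(
 name="get status",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Get status of Gnocchi service.',
 operations=[
 {
@@ -66,6 +67,7 @@
 policy.DocumentedRuleDefault(
 name="create resource",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='Create a new resource.',
 operations=[
 {
@@ -77,6 +79,7 @@
 policy.DocumentedRuleDefault(
 name="get resource",
 check_str=RULE_ADMIN_OR_CREATOR_OR_RESOURCE_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='Get a resource.',
 operations=[
 {
@@ -88,6 +91,7 @@
 policy.DocumentedRuleDefault(
 name="update resource",
 check_str=RULE_ADMIN_OR_CREATOR,
+scope_types=['system', 'domain', 'project'],
 description='Update a resource.',
 operations=[
 {
@@ -99,6 +103,7 @@
 policy.DocumentedRuleDefault(
 name="delete resource",
 check_str=RULE_ADMIN_OR_CREATOR,
+scope_types=['system', 'domain', 'project'],
 description='Delete a resource.',
 operations=[
 {
@@ -110,6 +115,7 @@
 policy.DocumentedRuleDefault(
 name="delete resources",
 check_str=RULE_ADMIN_OR_CREATOR,
+scope_types=['system', 'domain', 'project'],
 description='Delete multiple resources.',
 operations=[
 {
@@ -121,6 +127,7 @@
 policy.DocumentedRuleDefault(
 name="list resource",
 check_str=RULE_ADMIN_OR_CREATOR_OR_RESOURCE_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='List all resources.',
 operations=[
 {
@@ -132,6 +139,7 @@
 policy.DocumentedRuleDefault(
 name="search resource",
 check_str=RULE_ADMIN_OR_CREATOR_OR_RESOURCE_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='Search resources.',
 operations=[
 {
@@ -146,6 +154,7 @@
 policy.DocumentedRuleDefault(
 name="create resource type",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Create a new resource type.',
 operations=[
 {
@@ -157,6 +166,7 @@
 policy.DocumentedRuleDefault(
 name="get resource type",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='Get a resource type.',
 operations=[
 {
@@ -168,6 +178,7 @@
 policy.DocumentedRuleDefault(
 name="update resource type",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Update a resource type.',
 operations=[
 {
@@ -179,6 +190,7 @@
 policy.DocumentedRuleDefault(
 name="delete resource type",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Delete a resource type.',
 operations=[
 {
@@ -190,6 +202,7 @@
 policy.DocumentedRuleDefault(
 name="list resource type",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='List all resource types.',
 operations=[
 {
@@ -204,6 +217,7 @@
 policy.DocumentedRuleDefault(
 name="create archive policy",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Create a new archive policy',
 operations=[
 {
@@ -215,6 +229,7 @@
 policy.DocumentedRuleDefault(
 name="get archive policy",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='Get an archive policy',
 operations=[
 {
@@ -226,6 +241,7 @@
 policy.DocumentedRuleDefault(
 name="update archive policy",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Update an archive policy',
 operations=[
 {
@@ -237,6 +253,7 @@
 policy.DocumentedRuleDefault(
 name="delete archive policy",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Delete an archive policy',
 operations=[
 {
@@ -248,6 +265,7 @@
 policy.DocumentedRuleDefault(
 name="list archive policy",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='List all archive policies',
 operations=[
 {
@@ -262,6 +280,7 @@
 policy.DocumentedRuleDefault(
 name="create archive policy rule",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Create a new archive policy rule',
 operations=[
 {
@@ -273,6 +292,7 @@
 policy.DocumentedRuleDefault(
 name="get archive policy rule",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='Get an archive policy rule',
 operations=[
 {
@@ -284,6 +304,7 @@
 policy.DocumentedRuleDefault(
 name="update archive policy rule",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Update an archive policy rule',
 operations=[
 {
@@ -295,6 +316,7 @@
 policy.DocumentedRuleDefault(
 name="delete archive policy rule",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Delete an archive policy rule',
 operations=[
 {
@@ -306,6 +328,7 @@
 policy.DocumentedRuleDefault(
 name="list archive policy rule",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='List all archive policy rules',
 operations=[
 {
@@ -320,6 +343,7 @@
 policy.DocumentedRuleDefault(
 name="create metric",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='Create a new metric',
 operations=[
 {
@@ -331,6 +355,7 @@
 policy.DocumentedRuleDefault(
 name="get metric",
 check_str=RULE_ADMIN_OR_CREATOR_OR_METRIC_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='Get a metric',
 operations=[
 {
@@ -342,6 +367,7 @@
 policy.DocumentedRuleDefault(
 name="delete metric",
 check_str=RULE_ADMIN_OR_CREATOR,
+scope_types=['system', 'domain', 'project'],
 description='Delete a metric',
 operations=[
 {
@@ -353,6 +379,7 @@
 policy.DocumentedRuleDefault(
 name="list metric",
 check_str=RULE_ADMIN_OR_CREATOR_OR_METRIC_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='List all metrics',
 operations=[
 {
@@ -364,6 +391,7 @@
 policy.DocumentedRuleDefault(
 name="search metric",
 check_str=RULE_ADMIN_OR_CREATOR_OR_METRIC_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='Search metrics',
 operations=[
 {
@@ -378,6 +406,7 @@
 policy.DocumentedRuleDefault(
 name="post measures",
 check_str=RULE_ADMIN_OR_CREATOR,
+scope_types=['system', 'domain', 'project'],
 description='Post measures',
 operations=[
 {
@@ -397,6 +426,7 @@
 policy.DocumentedRuleDefault(
 name="get measures",
 check_str=RULE_ADMIN_OR_CREATOR_OR_METRIC_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='Get measures',
 operations=[
 {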
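Review bot: All 30 rules, including the `check_str=ADMIN` ones such as "create resource type" and "delete archive policy", receive `scope_types=['system', 'domain', 'project']`, which lists every scope and so restricts nothing; authorization still depends on `check_str` alone. If that is intentional (making the scopes explicit without changing behaviour), a single comment near the rule definitions should say so, so a reader does not assume scope enforcement protects the admin operations. The repeated literal would also be easier to audit, and later tighten per rule, as one module constant defined alongside `ADMIN` and `UNPROTECTED`, e.g. `ALL_SCOPE_TYPES = ['system', 'domain', 'project']`, passed as `scope_types=ALL_SCOPE_TYPES`. The enclosing rule lists start and end outside these hunks.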
