Add explicit scope types for all policies
The next release of oslo.policy enables the scope check by default. To
adapt to the new release, add a scope_types definition to all policy
rules.
kajinamit authored and tobias-urdin committed Aug 16, 2024
1 parent 3e84ca5 commit e9b9966
Showing 2 changed files with 34 additions and 2 deletions.
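--- a/gnocchi/rest/auth_helper.py
+++ b/gnocchi/rest/auth_helper.py
@@ -146,7 +146,8 @@ def get_auth_info(self, request):
 roles.append("admin")
 return {
 "user": user,
-"roles": roles
+"roles": roles,
+"system": 'all',
 }
 
 @staticmethod
@@ -176,7 +177,8 @@ def get_auth_info(self, request):
 roles.append("admin")
 return {
 "user": user,
-"roles": roles
+"roles": roles,
+"system": 'all',
 }
 
 @staticmethod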
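Review bot: Both get_auth_info hunks now return `"system": 'all'` for every caller, including those that never get the admin role appended, and nothing in the code says why. As far as I can tell oslo.policy treats credentials carrying a `system` key as system-scoped, so with this value the scope check passes for all users of these helpers and authorization rests on `check_str` alone; a rule later narrowed to `scope_types=['system']` would not keep non-admin callers out on scope grounds. I would add a comment above the key in both places, e.g. `# This auth mode has no token scope; report system scope so scope enforcement passes. Roles still gate access.` Both function bodies begin outside their hunks, so how `user` and `roles` are derived is not visible here.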
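--- a/gnocchi/rest/policies.py
+++ b/gnocchi/rest/policies.py
@@ -52,6 +52,7 @@
 policy.DocumentedRuleDefault(
 name="get status",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Get status of Gnocchi service.',
 operations=[
 {
@@ -66,6 +67,7 @@
 policy.DocumentedRuleDefault(
 name="create resource",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='Create a new resource.',
 operations=[
 {
@@ -77,6 +79,7 @@
 policy.DocumentedRuleDefault(
 name="get resource",
 check_str=RULE_ADMIN_OR_CREATOR_OR_RESOURCE_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='Get a resource.',
 operations=[
 {
@@ -88,6 +91,7 @@
 policy.DocumentedRuleDefault(
 name="update resource",
 check_str=RULE_ADMIN_OR_CREATOR,
+scope_types=['system', 'domain', 'project'],
 description='Update a resource.',
 operations=[
 {
@@ -99,6 +103,7 @@
 policy.DocumentedRuleDefault(
 name="delete resource",
 check_str=RULE_ADMIN_OR_CREATOR,
+scope_types=['system', 'domain', 'project'],
 description='Delete a resource.',
 operations=[
 {
@@ -110,6 +115,7 @@
 policy.DocumentedRuleDefault(
 name="delete resources",
 check_str=RULE_ADMIN_OR_CREATOR,
+scope_types=['system', 'domain', 'project'],
 description='Delete multiple resources.',
 operations=[
 {
@@ -121,6 +127,7 @@
 policy.DocumentedRuleDefault(
 name="list resource",
 check_str=RULE_ADMIN_OR_CREATOR_OR_RESOURCE_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='List all resources.',
 operations=[
 {
@@ -132,6 +139,7 @@
 policy.DocumentedRuleDefault(
 name="search resource",
 check_str=RULE_ADMIN_OR_CREATOR_OR_RESOURCE_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='Search resources.',
 operations=[
 {
@@ -146,6 +154,7 @@
 policy.DocumentedRuleDefault(
 name="create resource type",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Create a new resource type.',
 operations=[
 {
@@ -157,6 +166,7 @@
 policy.DocumentedRuleDefault(
 name="get resource type",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='Get a resource type.',
 operations=[
 {
@@ -168,6 +178,7 @@
 policy.DocumentedRuleDefault(
 name="update resource type",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Update a resource type.',
 operations=[
 {
@@ -179,6 +190,7 @@
 policy.DocumentedRuleDefault(
 name="delete resource type",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Delete a resource type.',
 operations=[
 {
@@ -190,6 +202,7 @@
 policy.DocumentedRuleDefault(
 name="list resource type",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='List all resource types.',
 operations=[
 {
@@ -204,6 +217,7 @@
 policy.DocumentedRuleDefault(
 name="create archive policy",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Create a new archive policy',
 operations=[
 {
@@ -215,6 +229,7 @@
 policy.DocumentedRuleDefault(
 name="get archive policy",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='Get an archive policy',
 operations=[
 {
@@ -226,6 +241,7 @@
 policy.DocumentedRuleDefault(
 name="update archive policy",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Update an archive policy',
 operations=[
 {
@@ -237,6 +253,7 @@
 policy.DocumentedRuleDefault(
 name="delete archive policy",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Delete an archive policy',
 operations=[
 {
@@ -248,6 +265,7 @@
 policy.DocumentedRuleDefault(
 name="list archive policy",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='List all archive policies',
 operations=[
 {
@@ -262,6 +280,7 @@
 policy.DocumentedRuleDefault(
 name="create archive policy rule",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Create a new archive policy rule',
 operations=[
 {
@@ -273,6 +292,7 @@
 policy.DocumentedRuleDefault(
 name="get archive policy rule",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='Get an archive policy rule',
 operations=[
 {
@@ -284,6 +304,7 @@
 policy.DocumentedRuleDefault(
 name="update archive policy rule",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Update an archive policy rule',
 operations=[
 {
@@ -295,6 +316,7 @@
 policy.DocumentedRuleDefault(
 name="delete archive policy rule",
 check_str=ADMIN,
+scope_types=['system', 'domain', 'project'],
 description='Delete an archive policy rule',
 operations=[
 {
@@ -306,6 +328,7 @@
 policy.DocumentedRuleDefault(
 name="list archive policy rule",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='List all archive policy rules',
 operations=[
 {
@@ -320,6 +343,7 @@
 policy.DocumentedRuleDefault(
 name="create metric",
 check_str=UNPROTECTED,
+scope_types=['system', 'domain', 'project'],
 description='Create a new metric',
 operations=[
 {
@@ -331,6 +355,7 @@
 policy.DocumentedRuleDefault(
 name="get metric",
 check_str=RULE_ADMIN_OR_CREATOR_OR_METRIC_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='Get a metric',
 operations=[
 {
@@ -342,6 +367,7 @@
 policy.DocumentedRuleDefault(
 name="delete metric",
 check_str=RULE_ADMIN_OR_CREATOR,
+scope_types=['system', 'domain', 'project'],
 description='Delete a metric',
 operations=[
 {
@@ -353,6 +379,7 @@
 policy.DocumentedRuleDefault(
 name="list metric",
 check_str=RULE_ADMIN_OR_CREATOR_OR_METRIC_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='List all metrics',
 operations=[
 {
@@ -364,6 +391,7 @@
 policy.DocumentedRuleDefault(
 name="search metric",
 check_str=RULE_ADMIN_OR_CREATOR_OR_METRIC_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='Search metrics',
 operations=[
 {
@@ -378,6 +406,7 @@
 policy.DocumentedRuleDefault(
 name="post measures",
 check_str=RULE_ADMIN_OR_CREATOR,
+scope_types=['system', 'domain', 'project'],
 description='Post measures',
 operations=[
 {
@@ -397,6 +426,7 @@
 policy.DocumentedRuleDefault(
 name="get measures",
 check_str=RULE_ADMIN_OR_CREATOR_OR_METRIC_OWNER,
+scope_types=['system', 'domain', 'project'],
 description='Get measures',
 operations=[
 {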
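Review bot: The literal `scope_types=['system', 'domain', 'project']` is repeated in all 30 rules, for `ADMIN` and `UNPROTECTED` checks alike, so a reader cannot tell that it is a deliberate "accept every scope" setting rather than a per-rule decision. Because every scope is listed, turning on scope enforcement adds no restriction of its own, and admin-only operations such as "create archive policy" stay gated by `check_str` only. I would define one module-level constant beside the check strings, e.g. `ALL_SCOPES = ['system', 'domain', 'project']`, with a comment saying scope enforcement is intentionally permissive, and use `scope_types=ALL_SCOPES` in each rule. That states the intent once and leaves a single place to tighten the admin rules later. The rule list begins and ends outside the visible hunks.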
