authorLance Bragstad <lbragstad@gmail.com>2018-12-10 18:18:42 +0000
committerLance Bragstad <lbragstad@gmail.com>2019-01-07 18:05:47 +0000
commitb35928d5dcd8615d11c199c68c512aaa1dca4ec9 (patch)
treeacddb07cca614b6c31f922f4ed42a9a0077915b3 /keystone/api/projects.py
parent45005afe923e496e50833530b0c747ff5260e7cc (diff)
Implement system reader role for projects
This commit introduces the system reader role to the project API, making it easier for administrators to delegate subsets of responsibilities to the API by default.

Subsequent patches will incorporate:
- system member test coverage
- system admin functionality
- domain reader functionality
- domain member test coverage
- domain admin functionality
- project user test coverage

Change-Id: I089ada1e314688e60f9041095138bc53cd465fa0
Related-Bug: 1805403
Related-Bug: 1750660
Related-Bug: 1806762
Diffstat (limited to 'keystone/api/projects.py')
-rw-r--r--keystone/api/projects.py32
1 files changed, 27 insertions, 5 deletions
diff --git a/keystone/api/projects.py b/keystone/api/projects.py
index 95900d80c..e3173c743 100644
--- a/keystone/api/projects.py
+++ b/keystone/api/projects.py
@@ -32,6 +32,20 @@ ENFORCER = rbac_enforcer.RBACEnforcer
PROVIDERS = provider_api.ProviderAPIs
+def _build_project_target_enforcement():
+ target = {}
+ try:
+ target['project'] = PROVIDERS.resource_api.get_project(
+ flask.request.view_args.get('project_id')
+ )
+ except exception.NotFound: # nosec
+ # Defer existence in the event the project doesn't exist, we'll
+ # check this later anyway.
+ pass
+
+ return target
+
+
class ProjectResource(ks_flask.ResourceBase):
collection_key = 'projects'
member_key = 'project'
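Review bot: `_build_project_target_enforcement` has no docstring, and the comment inside the `except` does not say what the empty target means for enforcement: when the project is not found, `target` stays `{}`, so a policy rule that references `target.project.*` cannot match, and only the later `get_project` call in the handlers turns the missing project into a 404. A docstring should state that the function is the `build_target` callback passed to `ENFORCER.enforce_call`, that it reads `project_id` from `flask.request.view_args` and is therefore only meaningful inside a request on a `/projects/{project_id}` route, and that it returns either `{'project': <project ref>}` or `{}`. The `# nosec` marker silences the static-analysis finding for `except`/`pass` without saying why; I would put the justification on that line, e.g. `except exception.NotFound:  # nosec: existence is re-checked by the caller`. Whether `get_project(None)` raises `NotFound` when `project_id` is absent from `view_args` is not visible here and should be confirmed before relying on the swallow.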
@@ -86,7 +100,10 @@ class ProjectResource(ks_flask.ResourceBase):
GET/HEAD /v3/projects/{project_id}
"""
- ENFORCER.enforce_call(action='identity:get_project')
+ ENFORCER.enforce_call(
+ action='identity:get_project',
+ build_target=_build_project_target_enforcement
+ )
project = PROVIDERS.resource_api.get_project(project_id)
self._expand_project_ref(project)
return self.wrap_member(project)
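Review bot: With `build_target` set, the project is read from the resource backend twice per request — once inside `_build_project_target_enforcement` and again at `PROVIDERS.resource_api.get_project(project_id)` two lines below; the same double lookup appears in the `update_project` and `delete_project` hunks. If `enforce_call` exposes the target it built, the handler could reuse `target['project']` and drop the second read; if it does not, a one-line comment such as `# Fetched again after enforcement so a missing project yields 404, not 403` would record that the repetition is deliberate. If I read the ordering correctly, enforcing before the existence check also means an unauthorized caller gets 403 whether or not the project exists, which keeps the policy check from acting as an existence oracle and is worth stating in the method docstring. The enclosing `get_project` method starts outside the hunk.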
@@ -97,8 +114,7 @@ class ProjectResource(ks_flask.ResourceBase):
GET/HEAD /v3/projects
"""
filters = ('domain_id', 'enabled', 'name', 'parent_id', 'is_domain')
- ENFORCER.enforce_call(action='identity:list_projects',
- filters=filters)
+ ENFORCER.enforce_call(action='identity:list_projects', filters=filters)
hints = self.build_driver_hints(filters)
# If 'is_domain' has not been included as a query, we default it to
@@ -155,7 +171,10 @@ class ProjectResource(ks_flask.ResourceBase):
PATCH /v3/projects/{project_id}
"""
- ENFORCER.enforce_call(action='identity:update_project')
+ ENFORCER.enforce_call(
+ action='identity:update_project',
+ build_target=_build_project_target_enforcement
+ )
project = self.request_body_json.get('project', {})
validation.lazy_validate(schema.project_update, project)
self._require_matching_id(project)
@@ -170,7 +189,10 @@ class ProjectResource(ks_flask.ResourceBase):
DELETE /v3/projects/{project_id}
"""
- ENFORCER.enforce_call(action='identity:delete_project')
+ ENFORCER.enforce_call(
+ action='identity:delete_project',
+ build_target=_build_project_target_enforcement
+ )
PROVIDERS.resource_api.delete_project(
project_id,
initiator=self.audit_initiator)