From 70ab3f9dd56a638cdff516ca85baa5ebd64c888b Mon Sep 17 00:00:00 2001
From: Colleen Murphy <colleen.murphy@suse.de>
Date: Wed, 21 Aug 2019 17:38:29 -0700
Subject: Add support for app cred access rules

This commit introduces the --access-rules option for 'application
credential create' as well as new 'access rule' commands for listing,
showing, and deleting access rules.

bp whitelist-extension-for-app-creds

Change-Id: I04834b2874ec2a70da456a380b5bef03a392effa
---
 doc/source/cli/command-objects/access-rules.rst    | 61 ++++++++++++++++++++++
 .../command-objects/application-credentials.rst    |  7 +++
 2 files changed, 68 insertions(+)
 create mode 100644 doc/source/cli/command-objects/access-rules.rst

(limited to 'doc/source/cli/command-objects')

diff --git a/doc/source/cli/command-objects/access-rules.rst b/doc/source/cli/command-objects/access-rules.rst
new file mode 100644
index 00000000..bc845828
--- /dev/null
+++ b/doc/source/cli/command-objects/access-rules.rst
@@ -0,0 +1,61 @@
+===========
+access rule
+===========
+
+Identity v3
+
+Access rules are fine-grained permissions for application credentials. An access
+rule comprises of a service type, a request path, and a request method. Access
+rules may only be created as attributes of application credentials, but they may
+be viewed and deleted independently.
+
+
+access rule delete
+------------------
+
+Delete access rule(s)
+
+.. program:: access rule delete
+.. code:: bash
+
+    openstack access rule delete <access-rule> [<access-rule> ...]
+
+.. describe:: <access-rule>
+
+    Access rule(s) to delete (ID)
+
+access rule list
+----------------
+
+List access rules
+
+.. program:: access rule list
+.. code:: bash
+
+    openstack access rule list
+        [--user <user>]
+        [--user-domain <user-domain>]
+
+.. option:: --user
+
+    User whose access rules to list (name or ID). If not provided, looks up the
+    current user's access rules.
+
+.. option:: --user-domain
+
+    Domain the user belongs to (name or ID). This can be
+    used in case collisions between user names exist.
+
+access rule show
+---------------------------
+
+Display access rule details
+
+.. program:: access rule show
+.. code:: bash
+
+    openstack access rule show <access-rule>
+
+.. describe:: <access-rule>
+
+    Access rule to display (ID)
diff --git a/doc/source/cli/command-objects/application-credentials.rst b/doc/source/cli/command-objects/application-credentials.rst
index 2a1fbff2..047f5ab6 100644
--- a/doc/source/cli/command-objects/application-credentials.rst
+++ b/doc/source/cli/command-objects/application-credentials.rst
@@ -22,6 +22,7 @@ Create new application credential
         [--expiration <expiration>]
         [--description <description>]
         [--restricted|--unrestricted]
+        [--access-rules <access-rules>]
         <name>
 
 .. option:: --secret <secret>
@@ -52,6 +53,12 @@ Create new application credential
     Prohibit application credential from creating and deleting other
     application credentials and trusts (this is the default behavior)
 
+.. option:: --access-rules
+
+   Either a string or file path containing a JSON-formatted list of access
+   rules, each containing a request method, path, and service, for example
+   '[{"method": "GET", "path": "/v2.1/servers", "service": "compute"}]'
+
 .. describe:: <name>
 
     Name of the application credential
-- 
cgit v1.2.1