Allow users with "creator" role to edit ACLs
This patch updates the default policy to allow users with the "creator" role to edit Secret and Container ACLs. Secrets whose ACL is set to private can only be edited by the user who owns the secret. Change-Id: I0dc603a3e3a894fee774483a70285d47b57abdf8
This commit is contained in:
parent
09d184de7f
commit
486e60723f
|
@ -46,8 +46,10 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secret_acls:delete',
|
||||
check_str='rule:secret_project_admin or rule:secret_project_creator' +
|
||||
f" or ({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
|
||||
check_str='rule:secret_project_admin or rule:secret_project_creator ' +
|
||||
'or (rule:secret_project_creator_role and ' +
|
||||
'rule:secret_non_private_read) or ' +
|
||||
f"({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
|
||||
f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
|
||||
scope_types=['project'],
|
||||
description='Delete the ACL settings for a given secret.',
|
||||
|
@ -60,8 +62,10 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secret_acls:put_patch',
|
||||
check_str='rule:secret_project_admin or rule:secret_project_creator' +
|
||||
f" or ({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
|
||||
check_str='rule:secret_project_admin or rule:secret_project_creator ' +
|
||||
'or (rule:secret_project_creator_role and ' +
|
||||
'rule:secret_non_private_read) or ' +
|
||||
f"({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
|
||||
f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
|
||||
scope_types=['project'],
|
||||
description='Create new, replaces, or updates existing ACL for a ' +
|
||||
|
@ -95,6 +99,8 @@ rules = [
|
|||
name='container_acls:delete',
|
||||
check_str='rule:container_project_admin or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'(rule:container_project_creator_role and' +
|
||||
' rule:container_non_private_read) or ' +
|
||||
f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
|
||||
scope_types=['project'],
|
||||
|
@ -111,6 +117,8 @@ rules = [
|
|||
name='container_acls:put_patch',
|
||||
check_str='rule:container_project_admin or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'(rule:container_project_creator_role and' +
|
||||
' rule:container_non_private_read) or ' +
|
||||
f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
|
||||
scope_types=['project'],
|
||||
|
|
|
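Review bot: The new `rule:secret_project_creator_role and rule:secret_non_private_read` clause in the `secret_acls:delete` and `secret_acls:put_patch` check strings (and the matching container clause in `container_acls:delete` / `container_acls:put_patch`) widens who may rewrite an ACL, but the `description=` strings for these rules are unchanged and still describe only the operation, not who is granted it; since these descriptions are what operators see when auditing policy, state the grant there, e.g. `description='Delete the ACL settings for a given secret. Project users with the creator role may do this for non-private secrets; private secrets can only be changed by their creator or an admin.'` and the equivalent for put_patch and the container rules. The definitions of `secret_non_private_read`, `secret_project_creator_role` and their container counterparts are outside these hunks, so the safety of the widening rests on those rules also matching the caller's project and not only the private flag — worth confirming rather than assuming. As a point of style, the added clause uses legacy `rule:` string fragments next to the existing f-string constants (`_SECRET_MEMBER`, `_SECRET_IS_NOT_PRIVATE`, ...); a `_SECRET_NON_PRIVATE_READ`-style constant would keep each check string in one form. The enclosing `rules = [` list starts and ends outside the hunks.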
@ -111,8 +111,8 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
|
|||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='secrets', op_type='create',
|
||||
entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
|
||||
expect_errors=True)
|
||||
self.assertEqual(403, resp.status_int)
|
||||
expect_errors=False)
|
||||
self.assertEqual(200, resp.status_int)
|
||||
|
||||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='secrets', op_type='create',
|
||||
|
@ -379,8 +379,8 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
|
|||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='secrets', op_type='update',
|
||||
entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
|
||||
expect_errors=True)
|
||||
self.assertEqual(403, resp.status_int)
|
||||
expect_errors=False)
|
||||
self.assertEqual(200, resp.status_int)
|
||||
|
||||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='secrets', op_type='update',
|
||||
|
@ -460,9 +460,9 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
|
|||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='secrets', op_type='delete',
|
||||
entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
|
||||
expect_errors=True)
|
||||
expect_errors=False)
|
||||
|
||||
self.assertEqual(403, resp.status_int)
|
||||
self.assertEqual(200, resp.status_int)
|
||||
|
||||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='secrets', op_type='delete',
|
||||
|
@ -567,8 +567,8 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
|
|||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='containers', op_type='create',
|
||||
entity_id=container_id, roles=['creator'],
|
||||
user='NotContainerCreator', expect_errors=True)
|
||||
self.assertEqual(403, resp.status_int)
|
||||
user='NotContainerCreator', expect_errors=False)
|
||||
self.assertEqual(200, resp.status_int)
|
||||
|
||||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='containers', op_type='create',
|
||||
|
@ -871,8 +871,8 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
|
|||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='containers', op_type='update',
|
||||
entity_id=container_id, roles=['creator'], user='NotCreator',
|
||||
expect_errors=True)
|
||||
self.assertEqual(403, resp.status_int)
|
||||
expect_errors=False)
|
||||
self.assertEqual(200, resp.status_int)
|
||||
|
||||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='containers', op_type='update',
|
||||
|
@ -931,9 +931,9 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
|
|||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='containers', op_type='delete',
|
||||
entity_id=container_id, roles=['creator'], user='NotCreator',
|
||||
expect_errors=True)
|
||||
expect_errors=False)
|
||||
|
||||
self.assertEqual(403, resp.status_int)
|
||||
self.assertEqual(200, resp.status_int)
|
||||
|
||||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='containers', op_type='delete',
|
||||
|
|
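Review bot: The six test edits only flip the expectation for a non-owner user with `roles=['creator']` from 403 to 200 (`op_type='create'`, `'update'` and `'delete'` for both secrets and containers), so the diff verifies the widening but not the restriction the commit message promises — no visible test asserts that a non-owner creator still receives 403 when the entity's ACL is private. Suggest adding, next to each updated case, a call to `self._set_acls_with_context(...)` against an entity whose ACL has been set private, with the same `NotSecretCreator` / `NotContainerCreator` user and `expect_errors=True`, asserting `self.assertEqual(403, resp.status_int)`; without it a later policy change could silently drop the private-owner guard. Such a test may already exist elsewhere in these classes, but it is not in the hunks. The enclosing test methods start outside the hunks.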