Merge "Allow users with "creator" role to edit ACLs"
commit
4bb724c50e
|
@ -46,8 +46,10 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secret_acls:delete',
|
||||
check_str='rule:secret_project_admin or rule:secret_project_creator' +
|
||||
f" or ({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
|
||||
check_str='rule:secret_project_admin or rule:secret_project_creator ' +
|
||||
'or (rule:secret_project_creator_role and ' +
|
||||
'rule:secret_non_private_read) or ' +
|
||||
f"({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
|
||||
f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
|
||||
scope_types=['project'],
|
||||
description='Delete the ACL settings for a given secret.',
|
||||
|
@ -60,8 +62,10 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secret_acls:put_patch',
|
||||
check_str='rule:secret_project_admin or rule:secret_project_creator' +
|
||||
f" or ({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
|
||||
check_str='rule:secret_project_admin or rule:secret_project_creator ' +
|
||||
'or (rule:secret_project_creator_role and ' +
|
||||
'rule:secret_non_private_read) or ' +
|
||||
f"({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
|
||||
f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
|
||||
scope_types=['project'],
|
||||
description='Create new, replaces, or updates existing ACL for a ' +
|
||||
|
@ -95,6 +99,8 @@ rules = [
|
|||
name='container_acls:delete',
|
||||
check_str='rule:container_project_admin or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'(rule:container_project_creator_role and' +
|
||||
' rule:container_non_private_read) or ' +
|
||||
f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
|
||||
scope_types=['project'],
|
||||
|
@ -111,6 +117,8 @@ rules = [
|
|||
name='container_acls:put_patch',
|
||||
check_str='rule:container_project_admin or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'(rule:container_project_creator_role and' +
|
||||
' rule:container_non_private_read) or ' +
|
||||
f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
|
||||
scope_types=['project'],
|
||||
|
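Review bot: The new `rule:secret_project_creator_role and rule:secret_non_private_read` clause in `secret_acls:delete` widens who may remove or rewrite a secret's ACL from the secret's own creator to any project user holding the creator role, yet the `description` that oslo.policy renders into the generated policy documentation still reads only 'Delete the ACL settings for a given secret.' and says nothing about it; the same holds for `secret_acls:put_patch`, `container_acls:delete` and `container_acls:put_patch` in the following hunks. A reader also has to notice that `rule:secret_non_private_read`, despite its name, is now gating a write operation, so a one-line comment above each `check_str` would make the intent reviewable, e.g. `# creator-role users may manage ACLs on non-private entities; private ones stay limited to their own creator (reuses the non_private_read rule)` — presumably what `secret_non_private_read` evaluates to, which is defined outside this hunk and should be confirmed. Separately, the container rules place the separating space as `'... and'` + `' rule:...'` while the secret rules end the first literal with it; aligning the two avoids a future concatenation slip. The enclosing `rules` list continues outside the hunk.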
|
|
@ -111,8 +111,8 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
|
|||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='secrets', op_type='create',
|
||||
entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
|
||||
expect_errors=True)
|
||||
self.assertEqual(403, resp.status_int)
|
||||
expect_errors=False)
|
||||
self.assertEqual(200, resp.status_int)
|
||||
|
||||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='secrets', op_type='create',
|
||||
|
@ -379,8 +379,8 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
|
|||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='secrets', op_type='update',
|
||||
entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
|
||||
expect_errors=True)
|
||||
self.assertEqual(403, resp.status_int)
|
||||
expect_errors=False)
|
||||
self.assertEqual(200, resp.status_int)
|
||||
|
||||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='secrets', op_type='update',
|
||||
|
@ -460,9 +460,9 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
|
|||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='secrets', op_type='delete',
|
||||
entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
|
||||
expect_errors=True)
|
||||
expect_errors=False)
|
||||
|
||||
self.assertEqual(403, resp.status_int)
|
||||
self.assertEqual(200, resp.status_int)
|
||||
|
||||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='secrets', op_type='delete',
|
||||
|
@ -567,8 +567,8 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
|
|||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='containers', op_type='create',
|
||||
entity_id=container_id, roles=['creator'],
|
||||
user='NotContainerCreator', expect_errors=True)
|
||||
self.assertEqual(403, resp.status_int)
|
||||
user='NotContainerCreator', expect_errors=False)
|
||||
self.assertEqual(200, resp.status_int)
|
||||
|
||||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='containers', op_type='create',
|
||||
|
@ -871,8 +871,8 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
|
|||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='containers', op_type='update',
|
||||
entity_id=container_id, roles=['creator'], user='NotCreator',
|
||||
expect_errors=True)
|
||||
self.assertEqual(403, resp.status_int)
|
||||
expect_errors=False)
|
||||
self.assertEqual(200, resp.status_int)
|
||||
|
||||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='containers', op_type='update',
|
||||
|
@ -931,9 +931,9 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
|
|||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='containers', op_type='delete',
|
||||
entity_id=container_id, roles=['creator'], user='NotCreator',
|
||||
expect_errors=True)
|
||||
expect_errors=False)
|
||||
|
||||
self.assertEqual(403, resp.status_int)
|
||||
self.assertEqual(200, resp.status_int)
|
||||
|
||||
resp = self._set_acls_with_context(
|
||||
self.app, entity_type='containers', op_type='delete',
|
||||
|
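Review bot: The flipped assertions at the top of this hunk (`expect_errors=False` / `self.assertEqual(200, resp.status_int)`) now only prove that a creator-role user who is not the secret's creator is let through; nothing in the hunk asserts the boundary the new policy is meant to keep, namely that the same user acting on a private secret still gets 403. Unless such a case already exists elsewhere in the file, the deny side of the new `secret_non_private_read` clause is untested and a later policy edit could drop it without any test failing. The same applies to the `update` and `delete` hunks and the three container hunks below; one added case per operation with the entity marked private, expecting 403, would close the gap. The enclosing test methods start outside each hunk.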
|