Fix policy for adding a secret to a container

This patch fixes the policies for adding secrets to, and removing secrets
from, a secret container.

Story: 2009297
Task: 43724
Change-Id: I821b4f5998be5b40327311039979f5e00ea9cefc
(cherry picked from commit 6c841b23af)
Douglas Mendizábal 2021-10-15 11:51:10 -05:00
parent b30cb63d3a
commit a8226fcf33
2 changed files with 11 additions and 2 deletions


@ -92,6 +92,9 @@ rules = [
name='container_project_creator',
check_str="rule:creator and rule:container_project_match and " +
"rule:container_creator_user"),
policy.RuleDefault(
name='container_project_creator_role',
check_str="rule:creator and rule:container_project_match"),
]


@ -80,7 +80,10 @@ rules = [
),
policy.DocumentedRuleDefault(
name='container_secret:post',
check_str='rule:admin or ' +
check_str='rule:container_project_admin or ' +
'rule:container_project_creator or ' +
'rule:container_project_creator_role and ' +
'rule:container_non_private_read or ' +
f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'],
@ -94,7 +97,10 @@ rules = [
),
policy.DocumentedRuleDefault(
name='container_secret:delete',
check_str='rule:admin or ' +
check_str='rule:container_project_admin or ' +
'rule:container_project_creator or ' +
'rule:container_project_creator_role and ' +
'rule:container_non_private_read or ' +
f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'],
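Review bot: The new check_str for `container_secret:post` and `container_secret:delete` mixes `and` and `or` without parentheses around `rule:container_project_creator_role and rule:container_non_private_read`, so the intended grouping rests on oslo.policy's operator precedence (`and` binds tighter than `or`) rather than being spelled out, even though the `_PROJECT_MEMBER` clause on the very next line does use explicit parentheses. A reader assuming left-to-right evaluation would misread the rule as `(... or container_project_creator_role) and container_non_private_read`, which for an authorization string is a misreading worth preventing; I would write `'(rule:container_project_creator_role and ' + 'rule:container_non_private_read) or ' +` in both rules. Since `container_project_creator_role` (added in the first file as `rule:creator and rule:container_project_match`) matches any creator-role user in the project rather than only the container's creator, this deliberately widens who may add or remove secrets on non-private containers, and a one-line comment above each rule stating that intent would help the next reviewer. The `rules = [` list these entries belong to starts and ends outside the hunks.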