Fix policy for adding a secret to a container
This patch fixes the policies for adding and removing secrets from a
secret container.
Story: 2009297
Task: 43724
Change-Id: I821b4f5998be5b40327311039979f5e00ea9cefc
(cherry picked from commit 6c841b23af
)
This commit is contained in:
parent
b30cb63d3a
commit
a8226fcf33
@ -92,6 +92,9 @@ rules = [
|
||||
name='container_project_creator',
|
||||
check_str="rule:creator and rule:container_project_match and " +
|
||||
"rule:container_creator_user"),
|
||||
policy.RuleDefault(
|
||||
name='container_project_creator_role',
|
||||
check_str="rule:creator and rule:container_project_match"),
|
||||
]
|
||||
|
||||
|
||||
|
@ -80,7 +80,10 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='container_secret:post',
|
||||
check_str='rule:admin or ' +
|
||||
check_str='rule:container_project_admin or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_creator_role and ' +
|
||||
'rule:container_non_private_read or ' +
|
||||
f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
|
||||
scope_types=['project'],
|
||||
@ -94,7 +97,10 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='container_secret:delete',
|
||||
check_str='rule:admin or ' +
|
||||
check_str='rule:container_project_admin or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_creator_role and ' +
|
||||
'rule:container_non_private_read or ' +
|
||||
f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
|
||||
scope_types=['project'],
|
||||
|
Loading…
Reference in New Issue
Block a user