Merge "Allow users with "creator" role to edit ACLs" into stable/train

barbican/common/policies/acls.py

@@ -33,7 +33,9 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='secret_acls:delete',
-        check_str='rule:secret_project_admin or rule:secret_project_creator',
+        check_str='rule:secret_project_admin or rule:secret_project_creator ' +
+                  'or (rule:secret_project_creator_role and ' +
+                  'rule:secret_non_private_read)',
         scope_types=[],
         description='Delete the ACL settings for a given secret.',
         operations=[
@@ -45,7 +47,9 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='secret_acls:put_patch',
-        check_str='rule:secret_project_admin or rule:secret_project_creator',
+        check_str='rule:secret_project_admin or rule:secret_project_creator ' +
+                  'or (rule:secret_project_creator_role and ' +
+                  'rule:secret_non_private_read)',
         scope_types=[],
         description='Create new, replaces, or updates existing ACL for a ' +
                     'given secret.',
@@ -75,7 +79,9 @@ rules = [
     policy.DocumentedRuleDefault(
         name='container_acls:delete',
         check_str='rule:container_project_admin or ' +
-                  'rule:container_project_creator',
+                  'rule:container_project_creator or ' +
+                  '(rule:container_project_creator_role and' +
+                  ' rule:container_non_private_read)',
         scope_types=[],
         description='Delete ACL for a given container. No content is returned '
                     'in the case of successful deletion.',
@@ -89,7 +95,9 @@ rules = [
     policy.DocumentedRuleDefault(
         name='container_acls:put_patch',
         check_str='rule:container_project_admin or ' +
-                  'rule:container_project_creator',
+                  'rule:container_project_creator or ' +
+                  '(rule:container_project_creator_role and' +
+                  ' rule:container_non_private_read)',
         scope_types=[],
         description='Create new or replaces existing ACL for a given '
                     'container.',

barbican/tests/api/controllers/test_acls.py

@@ -111,8 +111,8 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
         resp = self._set_acls_with_context(
             self.app, entity_type='secrets', op_type='create',
             entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
-            expect_errors=True)
-        self.assertEqual(403, resp.status_int)
+            expect_errors=False)
+        self.assertEqual(200, resp.status_int)
 
         resp = self._set_acls_with_context(
             self.app, entity_type='secrets', op_type='create',
@@ -379,8 +379,8 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
         resp = self._set_acls_with_context(
             self.app, entity_type='secrets', op_type='update',
             entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
-            expect_errors=True)
-        self.assertEqual(403, resp.status_int)
+            expect_errors=False)
+        self.assertEqual(200, resp.status_int)
 
         resp = self._set_acls_with_context(
             self.app, entity_type='secrets', op_type='update',
@@ -460,9 +460,9 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
         resp = self._set_acls_with_context(
             self.app, entity_type='secrets', op_type='delete',
             entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
-            expect_errors=True)
+            expect_errors=False)
 
-        self.assertEqual(403, resp.status_int)
+        self.assertEqual(200, resp.status_int)
 
         resp = self._set_acls_with_context(
             self.app, entity_type='secrets', op_type='delete',
@@ -567,8 +567,8 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
         resp = self._set_acls_with_context(
             self.app, entity_type='containers', op_type='create',
             entity_id=container_id, roles=['creator'],
-            user='NotContainerCreator', expect_errors=True)
-        self.assertEqual(403, resp.status_int)
+            user='NotContainerCreator', expect_errors=False)
+        self.assertEqual(200, resp.status_int)
 
         resp = self._set_acls_with_context(
             self.app, entity_type='containers', op_type='create',
@@ -871,8 +871,8 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
         resp = self._set_acls_with_context(
             self.app, entity_type='containers', op_type='update',
             entity_id=container_id, roles=['creator'], user='NotCreator',
-            expect_errors=True)
-        self.assertEqual(403, resp.status_int)
+            expect_errors=False)
+        self.assertEqual(200, resp.status_int)
 
         resp = self._set_acls_with_context(
             self.app, entity_type='containers', op_type='update',
@@ -931,9 +931,9 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
         resp = self._set_acls_with_context(
             self.app, entity_type='containers', op_type='delete',
             entity_id=container_id, roles=['creator'], user='NotCreator',
-            expect_errors=True)
+            expect_errors=False)
 
-        self.assertEqual(403, resp.status_int)
+        self.assertEqual(200, resp.status_int)
 
         resp = self._set_acls_with_context(
             self.app, entity_type='containers', op_type='delete',