policy: correct domain_id match for admin_and_matching_domain_id

Ensure that the 'admin_and_matching_domain_id' rule correct matches to the target.domain_id field, ensuring that domain admins can actually query user and projects within a domain. Change-Id: I4c000363dd7746f401613d99210e8ca12f34b010 Closes-Bug: 1830076
2021-06-15 16:12:02 +01:00 · 2021-06-15 16:12:02 +01:00 · cef78d47fb
parent 839608f381
commit cef78d47fb
5 changed files with 5 additions and 5 deletions
--- a/templates/mitaka/policy.json
+++ b/templates/mitaka/policy.json
@ -10,7 +10,7 @@
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
-    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
+    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(target.domain_id)s",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",

    "default": "rule:admin_required",
--- a/templates/newton/policy.json
+++ b/templates/newton/policy.json
@ -10,7 +10,7 @@
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
-    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
+    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(target.domain_id)s",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",

    "default": "rule:admin_required",
--- a/templates/ocata/policy.json
+++ b/templates/ocata/policy.json
@ -10,7 +10,7 @@
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
-    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
+    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(target.domain_id)s",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",

    "default": "rule:admin_required",
--- a/templates/queens/policy.json
+++ b/templates/queens/policy.json
@ -5,7 +5,7 @@
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
-    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
+    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(target.domain_id)s",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",

    "default": "rule:admin_required",
--- a/templates/rocky/policy.json
+++ b/templates/rocky/policy.json
@ -5,7 +5,7 @@
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
-    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
+    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(target.domain_id)s",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",

    "default": "rule:admin_required",