e03501dee1
When determining if a user is an admin, the default neutron policy file only checks if a user has the 'admin' role. It does not check what that role is applied to. The problem is illustrated by the following scenario:

A cloud admin creates a new domain, then creates a new project within that domain. The cloud admin wants to delegate the maintenance of the new project to userA so she grants them admin on the new project. UserA is now a cloud admin from Neutron's pov.

To fix this issue a policy override file is added which checks that the user is admin either against the admin project (as defined by keystone) or the service project.

Change-Id: If4c5b0c1ab7bf2c75e911e77531d442d417a1231
Closes-Bug: 1830536

| File |
|---|
| 00-admin.json |
| ml2_conf.ini |
| neutron.conf |
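
The scenario from the commit message, modelled in plain Python as an added example; it is not the contents of 00-admin.json or any Neutron code. The domain and project names, the `TokenContext` class and both check functions are assumptions made for illustration, and all sample tokens are constructed.

```python
from dataclasses import dataclass

# Assumed (domain, project) pairs; a real cloud takes these from Keystone.
TRUSTED_PROJECTS = {("admin_domain", "admin"), ("service_domain", "services")}


@dataclass(frozen=True)
class TokenContext:
    """Constructed stand-in for the credentials of a project-scoped token."""
    user: str
    roles: frozenset
    project: str
    domain: str


def default_is_admin(ctx):
    # Default behaviour described in the commit message: only the role name
    # is checked, not the project the role was granted on.
    return "admin" in ctx.roles


def scoped_is_admin(ctx):
    # Fixed behaviour: the admin role must be held on the admin or service
    # project. Matching on (domain, project) is this sketch's choice, since
    # project names are only unique within a domain.
    return "admin" in ctx.roles and (ctx.domain, ctx.project) in TRUSTED_PROJECTS


def evaluate(contexts):
    """Return {user: (default_result, scoped_result)} for each context."""
    return {c.user: (default_is_admin(c), scoped_is_admin(c)) for c in contexts}


# Constructed sample tokens following the scenario in the commit message.
SAMPLES = [
    TokenContext("cloud-admin", frozenset({"admin"}), "admin", "admin_domain"),
    TokenContext("userA", frozenset({"admin"}), "new-project", "new-domain"),
    TokenContext("userC", frozenset({"admin"}), "services", "new-domain"),
    TokenContext("neutron", frozenset({"admin"}), "services", "service_domain"),
    TokenContext("userB", frozenset({"member"}), "admin", "admin_domain"),
]

if __name__ == "__main__":
    for user, (before, after) in evaluate(SAMPLES).items():
        note = "  <-- no longer treated as cloud admin" if before and not after else ""
        print(f"{user:12} default={before!s:5} scoped={after!s:5}{note}")
```

The `userC` row covers a look-alike project: admin on a project named `services` in the delegated domain passes a name-only comparison but fails once the domain is part of the match.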